Edit tour

Windows Analysis Report
eWlldJYfLc

Overview

General Information

Sample Name:	eWlldJYfLc (renamed file extension from none to dll)
Analysis ID:	595308
MD5:	d098d01cbea52f858bce6d0d9faa5b26
SHA1:	952ce9cd899108c2821bf488b98387b6db8424b8
SHA256:	82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
Tags:	Dridexexe
Infos:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Call by Ordinal

Machine Learning detection for dropped file

Accesses ntoskrnl, likely to find offsets for exploits

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to prevent local Windows debugging

Uses Atom Bombing / ProGate to inject into other processes

PE file contains section with special chars

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

PE file contains more sections than normal

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7088 cmdline: loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 7112 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 7132 cmdline: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 7120 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession MD5: 73C519F050C20580F8A62C849D49215A)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

sdclt.exe (PID: 3960 cmdline: C:\Windows\system32\sdclt.exe MD5: 0632A8402C6504CD541AC93676AAD0F5)

CloudNotifications.exe (PID: 5876 cmdline: C:\Windows\system32\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)

CloudNotifications.exe (PID: 2928 cmdline: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe MD5: D9FF4C8DBC1682E0508322307CB89C0F)

systemreset.exe (PID: 6544 cmdline: C:\Windows\system32\systemreset.exe MD5: 872AE9FE08ED1AA78208678967BE2FEF)

Dxpserver.exe (PID: 3500 cmdline: C:\Windows\system32\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)

Dxpserver.exe (PID: 1740 cmdline: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe MD5: DCCB1D350193BE0A26CEAFF602DB848E)

mfpmp.exe (PID: 5604 cmdline: C:\Windows\system32\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)

mfpmp.exe (PID: 3464 cmdline: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe MD5: 7C3D09D6DB5DB4A272FCF4C1BB3986BD)

msra.exe (PID: 1908 cmdline: C:\Windows\system32\msra.exe MD5: 3240CC226FB8AC41A0431A8F3B9DD770)

mstsc.exe (PID: 7132 cmdline: C:\Windows\system32\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)

mstsc.exe (PID: 3176 cmdline: C:\Users\user\AppData\Local\n0R5g\mstsc.exe MD5: 3FBB5CD8829E9533D0FF5819DB0444C0)

SndVol.exe (PID: 5936 cmdline: C:\Windows\system32\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)

SndVol.exe (PID: 5900 cmdline: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe MD5: CDD7C7DF2D0859AC3F4088423D11BD08)

rundll32.exe (PID: 5384 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3156 cmdline: rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
33.2.mstsc.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
35.2.SndVol.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
20.2.CloudNotifications.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
8.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
2.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
6.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
26.2.Dxpserver.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
29.2.mfpmp.exe.7ffc74c20000.3.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll64.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.7ffc670c0000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Svchost Process

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7112, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1, ProcessId: 7132

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5604

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetFilename: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: eWlldJYfLc.dll	Virustotal: Detection: 67%	Perma Link
Source: eWlldJYfLc.dll	Metadefender: Detection: 60%	Perma Link
Source: eWlldJYfLc.dll	ReversingLabs: Detection: 88%

Antivirus / Scanner detection for submitted sample

Source: eWlldJYfLc.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Machine Learning detection for sample

Source: eWlldJYfLc.dll

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310EFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle,	26_2_00007FF61310EFCC
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310F224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError,	26_2_00007FF61310F224
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B877F52C CryptProtectData,LocalAlloc,LocalFree,	33_2_00007FF7B877F52C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B877F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,	33_2_00007FF7B877F8FC

Exploits

Accesses ntoskrnl, likely to find offsets for exploits

Source: C:\Windows\explorer.exe

File opened: C:\Windows\system32\ntkrnlmp.exe

Jump to behavior

Source: eWlldJYfLc.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source:	Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
Source:	Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source:	Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source:	Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
Source:	Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source:	Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source:	Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
Source:	Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
Source:	Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source:	Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
Source:	Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source:	Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source:	Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source:	Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,	0_2_00007FFC6711ED10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW,	20_2_00007FFC74C7ED10
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,	26_2_00007FF6130E1914

Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.320495277.000001BB8E669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321905396.000001BB8E66B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: DeviceEnroller.exe.4.dr	String found in binary or memory: https://login.windows.net-%s
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.320980194.000001BB8E646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321244735.000001BB8E63A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

E-Banking Fraud

Yara detected Dridex unpacked file

Source: Yara match	File source: 33.2.mstsc.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.SndVol.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.CloudNotifications.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.Dxpserver.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.mfpmp.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY

System Summary

PE file contains section with special chars

Source: SppExtComObj.Exe.4.dr

Static PE information: section name: ?g_Encry

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC671097D0	0_2_00007FFC671097D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F5020	0_2_00007FFC670F5020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711DDC0	0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67127650	0_2_00007FFC67127650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712D520	0_2_00007FFC6712D520
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6710A2C0	0_2_00007FFC6710A2C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F59F0	0_2_00007FFC670F59F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FAA70	0_2_00007FFC670FAA70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6710CA50	0_2_00007FFC6710CA50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E7880	0_2_00007FFC670E7880
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67113150	0_2_00007FFC67113150
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713B7A0	0_2_00007FFC6713B7A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C6790	0_2_00007FFC670C6790
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712C780	0_2_00007FFC6712C780
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713EF80	0_2_00007FFC6713EF80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EE7B0	0_2_00007FFC670EE7B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DA7D0	0_2_00007FFC670DA7D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67134FF0	0_2_00007FFC67134FF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D8FC0	0_2_00007FFC670D8FC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E6FE0	0_2_00007FFC670E6FE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67140820	0_2_00007FFC67140820
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C1010	0_2_00007FFC670C1010
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E4800	0_2_00007FFC670E4800
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EC030	0_2_00007FFC670EC030
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F0020	0_2_00007FFC670F0020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E5050	0_2_00007FFC670E5050
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6710F870	0_2_00007FFC6710F870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67115840	0_2_00007FFC67115840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FF870	0_2_00007FFC670FF870
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C6E90	0_2_00007FFC670C6E90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712A6B0	0_2_00007FFC6712A6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C7E80	0_2_00007FFC670C7E80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EF6B0	0_2_00007FFC670EF6B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F06A0	0_2_00007FFC670F06A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67127EC0	0_2_00007FFC67127EC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67120F30	0_2_00007FFC67120F30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E872B	0_2_00007FFC670E872B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67125760	0_2_00007FFC67125760
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E2F50	0_2_00007FFC670E2F50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713BF6F	0_2_00007FFC6713BF6F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67120770	0_2_00007FFC67120770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DE770	0_2_00007FFC670DE770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713C590	0_2_00007FFC6713C590
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CC5A0	0_2_00007FFC670CC5A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D95C0	0_2_00007FFC670D95C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F25C0	0_2_00007FFC670F25C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D65E0	0_2_00007FFC670D65E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3610	0_2_00007FFC670E3610
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F2E10	0_2_00007FFC670F2E10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CDE20	0_2_00007FFC670CDE20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C1620	0_2_00007FFC670C1620
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D8670	0_2_00007FFC670D8670
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67110650	0_2_00007FFC67110650
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E49D	0_2_00007FFC6712E49D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67122CA0	0_2_00007FFC67122CA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E4A6	0_2_00007FFC6712E4A6
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E4AD	0_2_00007FFC6712E4AD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E4B6	0_2_00007FFC6712E4B6
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EAC80	0_2_00007FFC670EAC80
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E48B	0_2_00007FFC6712E48B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712A490	0_2_00007FFC6712A490
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E494	0_2_00007FFC6712E494
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D3CD0	0_2_00007FFC670D3CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F5CD0	0_2_00007FFC670F5CD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F3CF0	0_2_00007FFC670F3CF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67118D20	0_2_00007FFC67118D20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F0D10	0_2_00007FFC670F0D10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F1D30	0_2_00007FFC670F1D30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3D50	0_2_00007FFC670E3D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670ED550	0_2_00007FFC670ED550
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D9D70	0_2_00007FFC670D9D70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67124390	0_2_00007FFC67124390
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67114BC0	0_2_00007FFC67114BC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D23F0	0_2_00007FFC670D23F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D7410	0_2_00007FFC670D7410
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712E400	0_2_00007FFC6712E400
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713FC00	0_2_00007FFC6713FC00
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67129410	0_2_00007FFC67129410
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D5420	0_2_00007FFC670D5420
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C5C20	0_2_00007FFC670C5C20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC671282A0	0_2_00007FFC671282A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712AAA0	0_2_00007FFC6712AAA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EDAA0	0_2_00007FFC670EDAA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67122AE0	0_2_00007FFC67122AE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67127AF0	0_2_00007FFC67127AF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E92C0	0_2_00007FFC670E92C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC671122C0	0_2_00007FFC671122C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711F2C0	0_2_00007FFC6711F2C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E82E0	0_2_00007FFC670E82E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FBAE0	0_2_00007FFC670FBAE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EA310	0_2_00007FFC670EA310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F0300	0_2_00007FFC670F0300
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F1B30	0_2_00007FFC670F1B30
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CBB20	0_2_00007FFC670CBB20
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C5350	0_2_00007FFC670C5350
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3340	0_2_00007FFC670E3340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D8340	0_2_00007FFC670D8340
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67125B50	0_2_00007FFC67125B50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F4360	0_2_00007FFC670F4360
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F9990	0_2_00007FFC670F9990
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C2980	0_2_00007FFC670C2980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DE9B0	0_2_00007FFC670DE9B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E11B0	0_2_00007FFC670E11B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EE9A0	0_2_00007FFC670EE9A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F21D0	0_2_00007FFC670F21D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E69C0	0_2_00007FFC670E69C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670EF1F0	0_2_00007FFC670EF1F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F91F0	0_2_00007FFC670F91F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F89F0	0_2_00007FFC670F89F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712B260	0_2_00007FFC6712B260
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670FB250	0_2_00007FFC670FB250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C7A40	0_2_00007FFC670C7A40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DD890	0_2_00007FFC670DD890
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713C8B1	0_2_00007FFC6713C8B1
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670D08B0	0_2_00007FFC670D08B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713C0EB	0_2_00007FFC6713C0EB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670C18D0	0_2_00007FFC670C18D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670DE110	0_2_00007FFC670DE110
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E3910	0_2_00007FFC670E3910
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670CB100	0_2_00007FFC670CB100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670F6130	0_2_00007FFC670F6130
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712B960	0_2_00007FFC6712B960
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC670E4140	0_2_00007FFC670E4140
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67126950	0_2_00007FFC67126950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FF740782908	20_2_00007FF740782908
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8D520	20_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C55CD0	20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C87650	20_2_00007FFC74C87650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C7DDC0	20_2_00007FFC74C7DDC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C55020	20_2_00007FFC74C55020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C697D0	20_2_00007FFC74C697D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C73150	20_2_00007FFC74C73150
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C47880	20_2_00007FFC74C47880
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C6CA50	20_2_00007FFC74C6CA50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5AA70	20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C559F0	20_2_00007FFC74C559F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C6A2C0	20_2_00007FFC74C6A2C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5BAE0	20_2_00007FFC74C5BAE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4D550	20_2_00007FFC74C4D550
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C43D50	20_2_00007FFC74C43D50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C39D70	20_2_00007FFC74C39D70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C50D10	20_2_00007FFC74C50D10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C51D30	20_2_00007FFC74C51D30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C78D20	20_2_00007FFC74C78D20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C33CD0	20_2_00007FFC74C33CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C53CF0	20_2_00007FFC74C53CF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E494	20_2_00007FFC74C8E494
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8A490	20_2_00007FFC74C8A490
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4AC80	20_2_00007FFC74C4AC80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E48B	20_2_00007FFC74C8E48B
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E4B6	20_2_00007FFC74C8E4B6
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E4AD	20_2_00007FFC74C8E4AD
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E4A6	20_2_00007FFC74C8E4A6
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C82CA0	20_2_00007FFC74C82CA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E49D	20_2_00007FFC74C8E49D
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C70650	20_2_00007FFC74C70650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C38670	20_2_00007FFC74C38670
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C52E10	20_2_00007FFC74C52E10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C43610	20_2_00007FFC74C43610
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C21620	20_2_00007FFC74C21620
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C2DE20	20_2_00007FFC74C2DE20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C525C0	20_2_00007FFC74C525C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C395C0	20_2_00007FFC74C395C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C365E0	20_2_00007FFC74C365E0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9C590	20_2_00007FFC74C9C590
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C2C5A0	20_2_00007FFC74C2C5A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C42F50	20_2_00007FFC74C42F50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C80770	20_2_00007FFC74C80770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C3E770	20_2_00007FFC74C3E770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9BF6F	20_2_00007FFC74C9BF6F
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C85760	20_2_00007FFC74C85760
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C80F30	20_2_00007FFC74C80F30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4872B	20_2_00007FFC74C4872B
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C87EC0	20_2_00007FFC74C87EC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C26E90	20_2_00007FFC74C26E90
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C27E80	20_2_00007FFC74C27E80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4F6B0	20_2_00007FFC74C4F6B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8A6B0	20_2_00007FFC74C8A6B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C506A0	20_2_00007FFC74C506A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C45050	20_2_00007FFC74C45050
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C75840	20_2_00007FFC74C75840
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5F870	20_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C6F870	20_2_00007FFC74C6F870
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C21010	20_2_00007FFC74C21010
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C44800	20_2_00007FFC74C44800
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4C030	20_2_00007FFC74C4C030
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C50020	20_2_00007FFC74C50020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74CA0820	20_2_00007FFC74CA0820
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C3A7D0	20_2_00007FFC74C3A7D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C38FC0	20_2_00007FFC74C38FC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C94FF0	20_2_00007FFC74C94FF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C46FE0	20_2_00007FFC74C46FE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C26790	20_2_00007FFC74C26790
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8C780	20_2_00007FFC74C8C780
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9EF80	20_2_00007FFC74C9EF80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4E7B0	20_2_00007FFC74C4E7B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9B7A0	20_2_00007FFC74C9B7A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C86950	20_2_00007FFC74C86950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C44140	20_2_00007FFC74C44140
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8B960	20_2_00007FFC74C8B960
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C3E110	20_2_00007FFC74C3E110
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C43910	20_2_00007FFC74C43910
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C2B100	20_2_00007FFC74C2B100
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C56130	20_2_00007FFC74C56130
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C218D0	20_2_00007FFC74C218D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9C0EB	20_2_00007FFC74C9C0EB
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C3D890	20_2_00007FFC74C3D890
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C308B0	20_2_00007FFC74C308B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9C8B1	20_2_00007FFC74C9C8B1
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5B250	20_2_00007FFC74C5B250
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C27A40	20_2_00007FFC74C27A40
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8B260	20_2_00007FFC74C8B260
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C521D0	20_2_00007FFC74C521D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C469C0	20_2_00007FFC74C469C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4F1F0	20_2_00007FFC74C4F1F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C591F0	20_2_00007FFC74C591F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C589F0	20_2_00007FFC74C589F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C59990	20_2_00007FFC74C59990
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C22980	20_2_00007FFC74C22980
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C3E9B0	20_2_00007FFC74C3E9B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C411B0	20_2_00007FFC74C411B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4E9A0	20_2_00007FFC74C4E9A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C85B50	20_2_00007FFC74C85B50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C25350	20_2_00007FFC74C25350
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C43340	20_2_00007FFC74C43340
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C38340	20_2_00007FFC74C38340
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C54360	20_2_00007FFC74C54360
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4A310	20_2_00007FFC74C4A310
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C50300	20_2_00007FFC74C50300
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C51B30	20_2_00007FFC74C51B30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C2BB20	20_2_00007FFC74C2BB20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C492C0	20_2_00007FFC74C492C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C722C0	20_2_00007FFC74C722C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C7F2C0	20_2_00007FFC74C7F2C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C87AF0	20_2_00007FFC74C87AF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C482E0	20_2_00007FFC74C482E0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C82AE0	20_2_00007FFC74C82AE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C4DAA0	20_2_00007FFC74C4DAA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C882A0	20_2_00007FFC74C882A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8AAA0	20_2_00007FFC74C8AAA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C37410	20_2_00007FFC74C37410
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C89410	20_2_00007FFC74C89410
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8E400	20_2_00007FFC74C8E400
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9FC00	20_2_00007FFC74C9FC00
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C25C20	20_2_00007FFC74C25C20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C35420	20_2_00007FFC74C35420
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C74BC0	20_2_00007FFC74C74BC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C323F0	20_2_00007FFC74C323F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C84390	20_2_00007FFC74C84390
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310BC70	26_2_00007FF61310BC70
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130F3C38	26_2_00007FF6130F3C38
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130FA064	26_2_00007FF6130FA064
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130FF460	26_2_00007FF6130FF460
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130EAC8C	26_2_00007FF6130EAC8C
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130F8CC0	26_2_00007FF6130F8CC0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E5CB8	26_2_00007FF6130E5CB8
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E1914	26_2_00007FF6130E1914
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613102900	26_2_00007FF613102900
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613106740	26_2_00007FF613106740
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613100790	26_2_00007FF613100790
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613108BE0	26_2_00007FF613108BE0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310EFCC	26_2_00007FF61310EFCC
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E7404	26_2_00007FF6130E7404
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613101000	26_2_00007FF613101000
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613104A44	26_2_00007FF613104A44
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E4A44	26_2_00007FF6130E4A44
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613103E80	26_2_00007FF613103E80
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130EB2C0	26_2_00007FF6130EB2C0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310D6F0	26_2_00007FF61310D6F0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130F1B14	26_2_00007FF6130F1B14
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E5330	26_2_00007FF6130E5330
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130F3554	26_2_00007FF6130F3554
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E2950	26_2_00007FF6130E2950
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130F7170	26_2_00007FF6130F7170
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF613105DC0	26_2_00007FF613105DC0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310C5F0	26_2_00007FF61310C5F0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310F224	26_2_00007FF61310F224
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130FCE20	26_2_00007FF6130FCE20
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E661C	26_2_00007FF6130E661C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87139A0	33_2_00007FF7B87139A0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87135EC	33_2_00007FF7B87135EC
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8718DF0	33_2_00007FF7B8718DF0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B871CE08	33_2_00007FF7B871CE08
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B871EAB4	33_2_00007FF7B871EAB4
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87212E0	33_2_00007FF7B87212E0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8704EC4	33_2_00007FF7B8704EC4
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8791690	33_2_00007FF7B8791690
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B870DA8C	33_2_00007FF7B870DA8C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8706B94	33_2_00007FF7B8706B94
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87177C0	33_2_00007FF7B87177C0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8705410	33_2_00007FF7B8705410
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8744320	33_2_00007FF7B8744320
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87184C0	33_2_00007FF7B87184C0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87164DC	33_2_00007FF7B87164DC
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B871A858	33_2_00007FF7B871A858
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8718060	33_2_00007FF7B8718060
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CE2BD8	35_2_00007FF742CE2BD8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CE03A0	35_2_00007FF742CE03A0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CE3718	35_2_00007FF742CE3718
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CD44E8	35_2_00007FF742CD44E8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CD3514	35_2_00007FF742CD3514
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CE0CA8	35_2_00007FF742CE0CA8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CEC4D0	35_2_00007FF742CEC4D0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CEB088	35_2_00007FF742CEB088
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CD3080	35_2_00007FF742CD3080
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CDA1A0	35_2_00007FF742CDA1A0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CDA5C8	35_2_00007FF742CDA5C8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CD8310	35_2_00007FF742CD8310
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CE4F10	35_2_00007FF742CE4F10
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CD6218	35_2_00007FF742CD6218

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC67107770 NtClose,	0_2_00007FFC67107770
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6712D520 NtQuerySystemInformation,	0_2_00007FFC6712D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FF740787394 new,NtQueryWnfStateData,RtlSubscribeWnfStateChangeNotification,GetLastError,RtlUnsubscribeWnfNotificationWaitForCompletion,SetLastError,	20_2_00007FF740787394
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C8D520 NtQuerySystemInformation,	20_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose,	20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	20_2_00007FFC74C5C4D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C45F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject,	20_2_00007FFC74C45F40
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C67770 NtClose,	20_2_00007FFC74C67770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread,	20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C5BAE0 NtReadVirtualMemory,	20_2_00007FFC74C5BAE0

Source: eWlldJYfLc.dll

Binary or memory string: OriginalFilenamedpnhupnp.dJ vs eWlldJYfLc.dll

Source: Dxpserver.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Section loaded: kernel34.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Section loaded: kernel34.dll

Source: dwmapi.dll.4.dr	Static PE information: Number of sections : 61 > 10
Source: ACTIVEDS.dll.4.dr	Static PE information: Number of sections : 61 > 10
Source: MFPlat.DLL.4.dr	Static PE information: Number of sections : 61 > 10
Source: Secur32.dll.4.dr	Static PE information: Number of sections : 61 > 10
Source: DUI70.dll.4.dr	Static PE information: Number of sections : 61 > 10
Source: UxTheme.dll0.4.dr	Static PE information: Number of sections : 61 > 10
Source: XmlLite.dll.4.dr	Static PE information: Number of sections : 61 > 10
Source: XmlLite.dll0.4.dr	Static PE information: Number of sections : 61 > 10
Source: eWlldJYfLc.dll	Static PE information: Number of sections : 60 > 10
Source: UxTheme.dll.4.dr	Static PE information: Number of sections : 61 > 10

Source: eWlldJYfLc.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFPlat.DLL.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: eWlldJYfLc.dll	Virustotal: Detection: 67%
Source: eWlldJYfLc.dll	Metadefender: Detection: 60%
Source: eWlldJYfLc.dll	ReversingLabs: Detection: 88%

Source: eWlldJYfLc.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\sdclt.exe C:\Windows\system32\sdclt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\CloudNotifications.exe C:\Windows\system32\CloudNotifications.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\systemreset.exe C:\Windows\system32\systemreset.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mfpmp.exe C:\Windows\system32\mfpmp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\msra.exe C:\Windows\system32\msra.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\sdclt.exe C:\Windows\system32\sdclt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\CloudNotifications.exe C:\Windows\system32\CloudNotifications.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\systemreset.exe C:\Windows\system32\systemreset.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\msra.exe C:\Windows\system32\msra.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: Dxpserver.exe.4.dr

Binary string: FNULL%s\*.*...Device%s\%s%s%s\%s%s\Device\%s%s\Device

Source: classification engine

Classification label: mal100.troj.expl.evad.winDLL@46/19@0/0

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Code function: 20_2_00007FF740783570 CoCreateInstance,

20_2_00007FF740783570

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Code function: 20_2_00007FFC74C5CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First,

20_2_00007FFC74C5CB00

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession

Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\{02c91c43-0eca-a572-1a91-4df7a7da9f72}
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Mutant created: \Sessions\1\BaseNamedObjects\{25ac7a03-cb33-2ddf-542d-93d552beab0b}

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Code function: 20_2_00007FF740784798 FindResourceExW,LoadResource,LockResource,

20_2_00007FF740784798

Source: eWlldJYfLc.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: eWlldJYfLc.dll

Static file information: File size 1368064 > 1048576

Source: eWlldJYfLc.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source:	Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
Source:	Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source:	Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source:	Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
Source:	Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source:	Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source:	Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source:	Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
Source:	Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
Source:	Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
Source:	Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source:	Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
Source:	Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
Source:	Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source:	Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source:	Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source:	Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6713D500 push rax; iretd		0_2_00007FFC6713D501
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C9D500 push rax; iretd		20_2_00007FFC74C9D501

Source: eWlldJYfLc.dll	Static PE information: section name: .vxl
Source: eWlldJYfLc.dll	Static PE information: section name: .qwubgr
Source: eWlldJYfLc.dll	Static PE information: section name: .eer
Source: eWlldJYfLc.dll	Static PE information: section name: .xwwauf
Source: eWlldJYfLc.dll	Static PE information: section name: .pkc
Source: eWlldJYfLc.dll	Static PE information: section name: .npkda
Source: eWlldJYfLc.dll	Static PE information: section name: .vhs
Source: eWlldJYfLc.dll	Static PE information: section name: .iaywj
Source: eWlldJYfLc.dll	Static PE information: section name: .nasi
Source: eWlldJYfLc.dll	Static PE information: section name: .zhvprh
Source: eWlldJYfLc.dll	Static PE information: section name: .yatdsp
Source: eWlldJYfLc.dll	Static PE information: section name: .njso
Source: eWlldJYfLc.dll	Static PE information: section name: .lgliat
Source: eWlldJYfLc.dll	Static PE information: section name: .ntqjh
Source: eWlldJYfLc.dll	Static PE information: section name: .sucsek
Source: eWlldJYfLc.dll	Static PE information: section name: .qsxjui
Source: eWlldJYfLc.dll	Static PE information: section name: .twctcm
Source: eWlldJYfLc.dll	Static PE information: section name: .nms
Source: eWlldJYfLc.dll	Static PE information: section name: .ogj
Source: eWlldJYfLc.dll	Static PE information: section name: .vrkgb
Source: eWlldJYfLc.dll	Static PE information: section name: .gikfw
Source: eWlldJYfLc.dll	Static PE information: section name: .ktl
Source: eWlldJYfLc.dll	Static PE information: section name: .crcn
Source: eWlldJYfLc.dll	Static PE information: section name: .wtfr
Source: eWlldJYfLc.dll	Static PE information: section name: .hep
Source: eWlldJYfLc.dll	Static PE information: section name: .ywg
Source: eWlldJYfLc.dll	Static PE information: section name: .sqsp
Source: eWlldJYfLc.dll	Static PE information: section name: .gzb
Source: eWlldJYfLc.dll	Static PE information: section name: .fatlss
Source: eWlldJYfLc.dll	Static PE information: section name: .plqa
Source: eWlldJYfLc.dll	Static PE information: section name: .vzt
Source: eWlldJYfLc.dll	Static PE information: section name: .dsbyd
Source: eWlldJYfLc.dll	Static PE information: section name: .cdelc
Source: eWlldJYfLc.dll	Static PE information: section name: .qkhkj
Source: eWlldJYfLc.dll	Static PE information: section name: .mnzegr
Source: eWlldJYfLc.dll	Static PE information: section name: .krw
Source: eWlldJYfLc.dll	Static PE information: section name: .jvsmn
Source: eWlldJYfLc.dll	Static PE information: section name: .bygpq
Source: eWlldJYfLc.dll	Static PE information: section name: .kzdbu
Source: eWlldJYfLc.dll	Static PE information: section name: .mwxorn
Source: eWlldJYfLc.dll	Static PE information: section name: .raf
Source: eWlldJYfLc.dll	Static PE information: section name: .zcyw
Source: eWlldJYfLc.dll	Static PE information: section name: .zeczh
Source: eWlldJYfLc.dll	Static PE information: section name: .pvv
Source: eWlldJYfLc.dll	Static PE information: section name: .lug
Source: eWlldJYfLc.dll	Static PE information: section name: .ski
Source: eWlldJYfLc.dll	Static PE information: section name: .japjd
Source: eWlldJYfLc.dll	Static PE information: section name: .mwtzml
Source: eWlldJYfLc.dll	Static PE information: section name: .vgssf
Source: eWlldJYfLc.dll	Static PE information: section name: .gsroye
Source: eWlldJYfLc.dll	Static PE information: section name: .vcmr
Source: eWlldJYfLc.dll	Static PE information: section name: .ufki
Source: eWlldJYfLc.dll	Static PE information: section name: .btl
Source: eWlldJYfLc.dll	Static PE information: section name: .pmeh
Source: mfpmp.exe.4.dr	Static PE information: section name: .didat
Source: mstsc.exe.4.dr	Static PE information: section name: .didat
Source: SndVol.exe.4.dr	Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr	Static PE information: section name: .didat
Source: DeviceEnroller.exe.4.dr	Static PE information: section name: .didat
Source: CameraSettingsUIHost.exe.4.dr	Static PE information: section name: .imrsiv
Source: CloudNotifications.exe.4.dr	Static PE information: section name: .imrsiv
Source: CloudNotifications.exe.4.dr	Static PE information: section name: .didat
Source: dwmapi.dll.4.dr	Static PE information: section name: .vxl
Source: dwmapi.dll.4.dr	Static PE information: section name: .qwubgr
Source: dwmapi.dll.4.dr	Static PE information: section name: .eer
Source: dwmapi.dll.4.dr	Static PE information: section name: .xwwauf
Source: dwmapi.dll.4.dr	Static PE information: section name: .pkc
Source: dwmapi.dll.4.dr	Static PE information: section name: .npkda
Source: dwmapi.dll.4.dr	Static PE information: section name: .vhs
Source: dwmapi.dll.4.dr	Static PE information: section name: .iaywj
Source: dwmapi.dll.4.dr	Static PE information: section name: .nasi
Source: dwmapi.dll.4.dr	Static PE information: section name: .zhvprh
Source: dwmapi.dll.4.dr	Static PE information: section name: .yatdsp
Source: dwmapi.dll.4.dr	Static PE information: section name: .njso
Source: dwmapi.dll.4.dr	Static PE information: section name: .lgliat
Source: dwmapi.dll.4.dr	Static PE information: section name: .ntqjh
Source: dwmapi.dll.4.dr	Static PE information: section name: .sucsek
Source: dwmapi.dll.4.dr	Static PE information: section name: .qsxjui
Source: dwmapi.dll.4.dr	Static PE information: section name: .twctcm
Source: dwmapi.dll.4.dr	Static PE information: section name: .nms
Source: dwmapi.dll.4.dr	Static PE information: section name: .ogj
Source: dwmapi.dll.4.dr	Static PE information: section name: .vrkgb
Source: dwmapi.dll.4.dr	Static PE information: section name: .gikfw
Source: dwmapi.dll.4.dr	Static PE information: section name: .ktl
Source: dwmapi.dll.4.dr	Static PE information: section name: .crcn
Source: dwmapi.dll.4.dr	Static PE information: section name: .wtfr
Source: dwmapi.dll.4.dr	Static PE information: section name: .hep
Source: dwmapi.dll.4.dr	Static PE information: section name: .ywg
Source: dwmapi.dll.4.dr	Static PE information: section name: .sqsp
Source: dwmapi.dll.4.dr	Static PE information: section name: .gzb
Source: dwmapi.dll.4.dr	Static PE information: section name: .fatlss
Source: dwmapi.dll.4.dr	Static PE information: section name: .plqa
Source: dwmapi.dll.4.dr	Static PE information: section name: .vzt
Source: dwmapi.dll.4.dr	Static PE information: section name: .dsbyd
Source: dwmapi.dll.4.dr	Static PE information: section name: .cdelc
Source: dwmapi.dll.4.dr	Static PE information: section name: .qkhkj
Source: dwmapi.dll.4.dr	Static PE information: section name: .mnzegr
Source: dwmapi.dll.4.dr	Static PE information: section name: .krw
Source: dwmapi.dll.4.dr	Static PE information: section name: .jvsmn
Source: dwmapi.dll.4.dr	Static PE information: section name: .bygpq
Source: dwmapi.dll.4.dr	Static PE information: section name: .kzdbu
Source: dwmapi.dll.4.dr	Static PE information: section name: .mwxorn
Source: dwmapi.dll.4.dr	Static PE information: section name: .raf
Source: dwmapi.dll.4.dr	Static PE information: section name: .zcyw
Source: dwmapi.dll.4.dr	Static PE information: section name: .zeczh
Source: dwmapi.dll.4.dr	Static PE information: section name: .pvv
Source: dwmapi.dll.4.dr	Static PE information: section name: .lug
Source: dwmapi.dll.4.dr	Static PE information: section name: .ski
Source: dwmapi.dll.4.dr	Static PE information: section name: .japjd
Source: dwmapi.dll.4.dr	Static PE information: section name: .mwtzml
Source: dwmapi.dll.4.dr	Static PE information: section name: .vgssf
Source: dwmapi.dll.4.dr	Static PE information: section name: .gsroye
Source: dwmapi.dll.4.dr	Static PE information: section name: .vcmr
Source: dwmapi.dll.4.dr	Static PE information: section name: .ufki
Source: dwmapi.dll.4.dr	Static PE information: section name: .btl
Source: dwmapi.dll.4.dr	Static PE information: section name: .pmeh
Source: dwmapi.dll.4.dr	Static PE information: section name: .bfwtl
Source: MFPlat.DLL.4.dr	Static PE information: section name: .vxl
Source: MFPlat.DLL.4.dr	Static PE information: section name: .qwubgr
Source: MFPlat.DLL.4.dr	Static PE information: section name: .eer
Source: MFPlat.DLL.4.dr	Static PE information: section name: .xwwauf
Source: MFPlat.DLL.4.dr	Static PE information: section name: .pkc
Source: MFPlat.DLL.4.dr	Static PE information: section name: .npkda
Source: MFPlat.DLL.4.dr	Static PE information: section name: .vhs
Source: MFPlat.DLL.4.dr	Static PE information: section name: .iaywj
Source: MFPlat.DLL.4.dr	Static PE information: section name: .nasi
Source: MFPlat.DLL.4.dr	Static PE information: section name: .zhvprh
Source: MFPlat.DLL.4.dr	Static PE information: section name: .yatdsp
Source: MFPlat.DLL.4.dr	Static PE information: section name: .njso
Source: MFPlat.DLL.4.dr	Static PE information: section name: .lgliat
Source: MFPlat.DLL.4.dr	Static PE information: section name: .ntqjh
Source: MFPlat.DLL.4.dr	Static PE information: section name: .sucsek
Source: MFPlat.DLL.4.dr	Static PE information: section name: .qsxjui
Source: MFPlat.DLL.4.dr	Static PE information: section name: .twctcm
Source: MFPlat.DLL.4.dr	Static PE information: section name: .nms
Source: MFPlat.DLL.4.dr	Static PE information: section name: .ogj
Source: MFPlat.DLL.4.dr	Static PE information: section name: .vrkgb
Source: MFPlat.DLL.4.dr	Static PE information: section name: .gikfw
Source: MFPlat.DLL.4.dr	Static PE information: section name: .ktl
Source: MFPlat.DLL.4.dr	Static PE information: section name: .crcn
Source: MFPlat.DLL.4.dr	Static PE information: section name: .wtfr
Source: MFPlat.DLL.4.dr	Static PE information: section name: .hep
Source: MFPlat.DLL.4.dr	Static PE information: section name: .ywg
Source: MFPlat.DLL.4.dr	Static PE information: section name: .sqsp
Source: MFPlat.DLL.4.dr	Static PE information: section name: .gzb
Source: MFPlat.DLL.4.dr	Static PE information: section name: .fatlss
Source: MFPlat.DLL.4.dr	Static PE information: section name: .plqa
Source: MFPlat.DLL.4.dr	Static PE information: section name: .vzt
Source: MFPlat.DLL.4.dr	Static PE information: section name: .dsbyd
Source: MFPlat.DLL.4.dr	Static PE information: section name: .cdelc
Source: MFPlat.DLL.4.dr	Static PE information: section name: .qkhkj
Source: MFPlat.DLL.4.dr	Static PE information: section name: .mnzegr
Source: MFPlat.DLL.4.dr	Static PE information: section name: .krw
Source: MFPlat.DLL.4.dr	Static PE information: section name: .jvsmn
Source: MFPlat.DLL.4.dr	Static PE information: section name: .bygpq
Source: MFPlat.DLL.4.dr	Static PE information: section name: .kzdbu
Source: MFPlat.DLL.4.dr	Static PE information: section name: .mwxorn
Source: MFPlat.DLL.4.dr	Static PE information: section name: .raf
Source: MFPlat.DLL.4.dr	Static PE information: section name: .zcyw
Source: MFPlat.DLL.4.dr	Static PE information: section name: .zeczh
Source: MFPlat.DLL.4.dr	Static PE information: section name: .pvv
Source: MFPlat.DLL.4.dr	Static PE information: section name: .lug
Source: MFPlat.DLL.4.dr	Static PE information: section name: .ski
Source: MFPlat.DLL.4.dr	Static PE information: section name: .japjd
Source: MFPlat.DLL.4.dr	Static PE information: section name: .mwtzml
Source: MFPlat.DLL.4.dr	Static PE information: section name: .vgssf
Source: MFPlat.DLL.4.dr	Static PE information: section name: .gsroye
Source: MFPlat.DLL.4.dr	Static PE information: section name: .vcmr
Source: MFPlat.DLL.4.dr	Static PE information: section name: .ufki
Source: MFPlat.DLL.4.dr	Static PE information: section name: .btl
Source: MFPlat.DLL.4.dr	Static PE information: section name: .pmeh
Source: MFPlat.DLL.4.dr	Static PE information: section name: .mivbr
Source: Secur32.dll.4.dr	Static PE information: section name: .vxl
Source: Secur32.dll.4.dr	Static PE information: section name: .qwubgr
Source: Secur32.dll.4.dr	Static PE information: section name: .eer
Source: Secur32.dll.4.dr	Static PE information: section name: .xwwauf
Source: Secur32.dll.4.dr	Static PE information: section name: .pkc
Source: Secur32.dll.4.dr	Static PE information: section name: .npkda
Source: Secur32.dll.4.dr	Static PE information: section name: .vhs
Source: Secur32.dll.4.dr	Static PE information: section name: .iaywj
Source: Secur32.dll.4.dr	Static PE information: section name: .nasi
Source: Secur32.dll.4.dr	Static PE information: section name: .zhvprh
Source: Secur32.dll.4.dr	Static PE information: section name: .yatdsp
Source: Secur32.dll.4.dr	Static PE information: section name: .njso
Source: Secur32.dll.4.dr	Static PE information: section name: .lgliat
Source: Secur32.dll.4.dr	Static PE information: section name: .ntqjh
Source: Secur32.dll.4.dr	Static PE information: section name: .sucsek
Source: Secur32.dll.4.dr	Static PE information: section name: .qsxjui
Source: Secur32.dll.4.dr	Static PE information: section name: .twctcm
Source: Secur32.dll.4.dr	Static PE information: section name: .nms
Source: Secur32.dll.4.dr	Static PE information: section name: .ogj
Source: Secur32.dll.4.dr	Static PE information: section name: .vrkgb
Source: Secur32.dll.4.dr	Static PE information: section name: .gikfw
Source: Secur32.dll.4.dr	Static PE information: section name: .ktl
Source: Secur32.dll.4.dr	Static PE information: section name: .crcn
Source: Secur32.dll.4.dr	Static PE information: section name: .wtfr
Source: Secur32.dll.4.dr	Static PE information: section name: .hep
Source: Secur32.dll.4.dr	Static PE information: section name: .ywg
Source: Secur32.dll.4.dr	Static PE information: section name: .sqsp
Source: Secur32.dll.4.dr	Static PE information: section name: .gzb
Source: Secur32.dll.4.dr	Static PE information: section name: .fatlss
Source: Secur32.dll.4.dr	Static PE information: section name: .plqa
Source: Secur32.dll.4.dr	Static PE information: section name: .vzt
Source: Secur32.dll.4.dr	Static PE information: section name: .dsbyd
Source: Secur32.dll.4.dr	Static PE information: section name: .cdelc
Source: Secur32.dll.4.dr	Static PE information: section name: .qkhkj
Source: Secur32.dll.4.dr	Static PE information: section name: .mnzegr
Source: Secur32.dll.4.dr	Static PE information: section name: .krw
Source: Secur32.dll.4.dr	Static PE information: section name: .jvsmn
Source: Secur32.dll.4.dr	Static PE information: section name: .bygpq
Source: Secur32.dll.4.dr	Static PE information: section name: .kzdbu
Source: Secur32.dll.4.dr	Static PE information: section name: .mwxorn
Source: Secur32.dll.4.dr	Static PE information: section name: .raf
Source: Secur32.dll.4.dr	Static PE information: section name: .zcyw
Source: Secur32.dll.4.dr	Static PE information: section name: .zeczh
Source: Secur32.dll.4.dr	Static PE information: section name: .pvv
Source: Secur32.dll.4.dr	Static PE information: section name: .lug
Source: Secur32.dll.4.dr	Static PE information: section name: .ski
Source: Secur32.dll.4.dr	Static PE information: section name: .japjd
Source: Secur32.dll.4.dr	Static PE information: section name: .mwtzml
Source: Secur32.dll.4.dr	Static PE information: section name: .vgssf
Source: Secur32.dll.4.dr	Static PE information: section name: .gsroye
Source: Secur32.dll.4.dr	Static PE information: section name: .vcmr
Source: Secur32.dll.4.dr	Static PE information: section name: .ufki
Source: Secur32.dll.4.dr	Static PE information: section name: .btl
Source: Secur32.dll.4.dr	Static PE information: section name: .pmeh
Source: Secur32.dll.4.dr	Static PE information: section name: .uuuuw
Source: UxTheme.dll.4.dr	Static PE information: section name: .vxl
Source: UxTheme.dll.4.dr	Static PE information: section name: .qwubgr
Source: UxTheme.dll.4.dr	Static PE information: section name: .eer
Source: UxTheme.dll.4.dr	Static PE information: section name: .xwwauf
Source: UxTheme.dll.4.dr	Static PE information: section name: .pkc
Source: UxTheme.dll.4.dr	Static PE information: section name: .npkda
Source: UxTheme.dll.4.dr	Static PE information: section name: .vhs
Source: UxTheme.dll.4.dr	Static PE information: section name: .iaywj
Source: UxTheme.dll.4.dr	Static PE information: section name: .nasi
Source: UxTheme.dll.4.dr	Static PE information: section name: .zhvprh
Source: UxTheme.dll.4.dr	Static PE information: section name: .yatdsp
Source: UxTheme.dll.4.dr	Static PE information: section name: .njso
Source: UxTheme.dll.4.dr	Static PE information: section name: .lgliat
Source: UxTheme.dll.4.dr	Static PE information: section name: .ntqjh
Source: UxTheme.dll.4.dr	Static PE information: section name: .sucsek
Source: UxTheme.dll.4.dr	Static PE information: section name: .qsxjui
Source: UxTheme.dll.4.dr	Static PE information: section name: .twctcm
Source: UxTheme.dll.4.dr	Static PE information: section name: .nms
Source: UxTheme.dll.4.dr	Static PE information: section name: .ogj
Source: UxTheme.dll.4.dr	Static PE information: section name: .vrkgb
Source: UxTheme.dll.4.dr	Static PE information: section name: .gikfw
Source: UxTheme.dll.4.dr	Static PE information: section name: .ktl
Source: UxTheme.dll.4.dr	Static PE information: section name: .crcn
Source: UxTheme.dll.4.dr	Static PE information: section name: .wtfr
Source: UxTheme.dll.4.dr	Static PE information: section name: .hep
Source: UxTheme.dll.4.dr	Static PE information: section name: .ywg
Source: UxTheme.dll.4.dr	Static PE information: section name: .sqsp
Source: UxTheme.dll.4.dr	Static PE information: section name: .gzb
Source: UxTheme.dll.4.dr	Static PE information: section name: .fatlss
Source: UxTheme.dll.4.dr	Static PE information: section name: .plqa
Source: UxTheme.dll.4.dr	Static PE information: section name: .vzt
Source: UxTheme.dll.4.dr	Static PE information: section name: .dsbyd
Source: UxTheme.dll.4.dr	Static PE information: section name: .cdelc
Source: UxTheme.dll.4.dr	Static PE information: section name: .qkhkj
Source: UxTheme.dll.4.dr	Static PE information: section name: .mnzegr
Source: UxTheme.dll.4.dr	Static PE information: section name: .krw
Source: UxTheme.dll.4.dr	Static PE information: section name: .jvsmn
Source: UxTheme.dll.4.dr	Static PE information: section name: .bygpq
Source: UxTheme.dll.4.dr	Static PE information: section name: .kzdbu
Source: UxTheme.dll.4.dr	Static PE information: section name: .mwxorn
Source: UxTheme.dll.4.dr	Static PE information: section name: .raf
Source: UxTheme.dll.4.dr	Static PE information: section name: .zcyw
Source: UxTheme.dll.4.dr	Static PE information: section name: .zeczh
Source: UxTheme.dll.4.dr	Static PE information: section name: .pvv
Source: UxTheme.dll.4.dr	Static PE information: section name: .lug
Source: UxTheme.dll.4.dr	Static PE information: section name: .ski
Source: UxTheme.dll.4.dr	Static PE information: section name: .japjd
Source: UxTheme.dll.4.dr	Static PE information: section name: .mwtzml
Source: UxTheme.dll.4.dr	Static PE information: section name: .vgssf
Source: UxTheme.dll.4.dr	Static PE information: section name: .gsroye
Source: UxTheme.dll.4.dr	Static PE information: section name: .vcmr
Source: UxTheme.dll.4.dr	Static PE information: section name: .ufki
Source: UxTheme.dll.4.dr	Static PE information: section name: .btl
Source: UxTheme.dll.4.dr	Static PE information: section name: .pmeh
Source: UxTheme.dll.4.dr	Static PE information: section name: .leg
Source: XmlLite.dll.4.dr	Static PE information: section name: .vxl
Source: XmlLite.dll.4.dr	Static PE information: section name: .qwubgr
Source: XmlLite.dll.4.dr	Static PE information: section name: .eer
Source: XmlLite.dll.4.dr	Static PE information: section name: .xwwauf
Source: XmlLite.dll.4.dr	Static PE information: section name: .pkc
Source: XmlLite.dll.4.dr	Static PE information: section name: .npkda
Source: XmlLite.dll.4.dr	Static PE information: section name: .vhs
Source: XmlLite.dll.4.dr	Static PE information: section name: .iaywj
Source: XmlLite.dll.4.dr	Static PE information: section name: .nasi
Source: XmlLite.dll.4.dr	Static PE information: section name: .zhvprh
Source: XmlLite.dll.4.dr	Static PE information: section name: .yatdsp
Source: XmlLite.dll.4.dr	Static PE information: section name: .njso
Source: XmlLite.dll.4.dr	Static PE information: section name: .lgliat
Source: XmlLite.dll.4.dr	Static PE information: section name: .ntqjh
Source: XmlLite.dll.4.dr	Static PE information: section name: .sucsek
Source: XmlLite.dll.4.dr	Static PE information: section name: .qsxjui
Source: XmlLite.dll.4.dr	Static PE information: section name: .twctcm
Source: XmlLite.dll.4.dr	Static PE information: section name: .nms
Source: XmlLite.dll.4.dr	Static PE information: section name: .ogj
Source: XmlLite.dll.4.dr	Static PE information: section name: .vrkgb
Source: XmlLite.dll.4.dr	Static PE information: section name: .gikfw
Source: XmlLite.dll.4.dr	Static PE information: section name: .ktl
Source: XmlLite.dll.4.dr	Static PE information: section name: .crcn
Source: XmlLite.dll.4.dr	Static PE information: section name: .wtfr
Source: XmlLite.dll.4.dr	Static PE information: section name: .hep
Source: XmlLite.dll.4.dr	Static PE information: section name: .ywg
Source: XmlLite.dll.4.dr	Static PE information: section name: .sqsp
Source: XmlLite.dll.4.dr	Static PE information: section name: .gzb
Source: XmlLite.dll.4.dr	Static PE information: section name: .fatlss
Source: XmlLite.dll.4.dr	Static PE information: section name: .plqa
Source: XmlLite.dll.4.dr	Static PE information: section name: .vzt
Source: XmlLite.dll.4.dr	Static PE information: section name: .dsbyd
Source: XmlLite.dll.4.dr	Static PE information: section name: .cdelc
Source: XmlLite.dll.4.dr	Static PE information: section name: .qkhkj
Source: XmlLite.dll.4.dr	Static PE information: section name: .mnzegr
Source: XmlLite.dll.4.dr	Static PE information: section name: .krw
Source: XmlLite.dll.4.dr	Static PE information: section name: .jvsmn
Source: XmlLite.dll.4.dr	Static PE information: section name: .bygpq
Source: XmlLite.dll.4.dr	Static PE information: section name: .kzdbu
Source: XmlLite.dll.4.dr	Static PE information: section name: .mwxorn
Source: XmlLite.dll.4.dr	Static PE information: section name: .raf
Source: XmlLite.dll.4.dr	Static PE information: section name: .zcyw
Source: XmlLite.dll.4.dr	Static PE information: section name: .zeczh
Source: XmlLite.dll.4.dr	Static PE information: section name: .pvv
Source: XmlLite.dll.4.dr	Static PE information: section name: .lug
Source: XmlLite.dll.4.dr	Static PE information: section name: .ski
Source: XmlLite.dll.4.dr	Static PE information: section name: .japjd
Source: XmlLite.dll.4.dr	Static PE information: section name: .mwtzml
Source: XmlLite.dll.4.dr	Static PE information: section name: .vgssf
Source: XmlLite.dll.4.dr	Static PE information: section name: .gsroye
Source: XmlLite.dll.4.dr	Static PE information: section name: .vcmr
Source: XmlLite.dll.4.dr	Static PE information: section name: .ufki
Source: XmlLite.dll.4.dr	Static PE information: section name: .btl
Source: XmlLite.dll.4.dr	Static PE information: section name: .pmeh
Source: XmlLite.dll.4.dr	Static PE information: section name: .sfgb
Source: DUI70.dll.4.dr	Static PE information: section name: .vxl
Source: DUI70.dll.4.dr	Static PE information: section name: .qwubgr
Source: DUI70.dll.4.dr	Static PE information: section name: .eer
Source: DUI70.dll.4.dr	Static PE information: section name: .xwwauf
Source: DUI70.dll.4.dr	Static PE information: section name: .pkc
Source: DUI70.dll.4.dr	Static PE information: section name: .npkda
Source: DUI70.dll.4.dr	Static PE information: section name: .vhs
Source: DUI70.dll.4.dr	Static PE information: section name: .iaywj
Source: DUI70.dll.4.dr	Static PE information: section name: .nasi
Source: DUI70.dll.4.dr	Static PE information: section name: .zhvprh
Source: DUI70.dll.4.dr	Static PE information: section name: .yatdsp
Source: DUI70.dll.4.dr	Static PE information: section name: .njso
Source: DUI70.dll.4.dr	Static PE information: section name: .lgliat
Source: DUI70.dll.4.dr	Static PE information: section name: .ntqjh
Source: DUI70.dll.4.dr	Static PE information: section name: .sucsek
Source: DUI70.dll.4.dr	Static PE information: section name: .qsxjui
Source: DUI70.dll.4.dr	Static PE information: section name: .twctcm
Source: DUI70.dll.4.dr	Static PE information: section name: .nms
Source: DUI70.dll.4.dr	Static PE information: section name: .ogj
Source: DUI70.dll.4.dr	Static PE information: section name: .vrkgb
Source: DUI70.dll.4.dr	Static PE information: section name: .gikfw
Source: DUI70.dll.4.dr	Static PE information: section name: .ktl
Source: DUI70.dll.4.dr	Static PE information: section name: .crcn
Source: DUI70.dll.4.dr	Static PE information: section name: .wtfr
Source: DUI70.dll.4.dr	Static PE information: section name: .hep
Source: DUI70.dll.4.dr	Static PE information: section name: .ywg
Source: DUI70.dll.4.dr	Static PE information: section name: .sqsp
Source: DUI70.dll.4.dr	Static PE information: section name: .gzb
Source: DUI70.dll.4.dr	Static PE information: section name: .fatlss
Source: DUI70.dll.4.dr	Static PE information: section name: .plqa
Source: DUI70.dll.4.dr	Static PE information: section name: .vzt
Source: DUI70.dll.4.dr	Static PE information: section name: .dsbyd
Source: DUI70.dll.4.dr	Static PE information: section name: .cdelc
Source: DUI70.dll.4.dr	Static PE information: section name: .qkhkj
Source: DUI70.dll.4.dr	Static PE information: section name: .mnzegr
Source: DUI70.dll.4.dr	Static PE information: section name: .krw
Source: DUI70.dll.4.dr	Static PE information: section name: .jvsmn
Source: DUI70.dll.4.dr	Static PE information: section name: .bygpq
Source: DUI70.dll.4.dr	Static PE information: section name: .kzdbu
Source: DUI70.dll.4.dr	Static PE information: section name: .mwxorn
Source: DUI70.dll.4.dr	Static PE information: section name: .raf
Source: DUI70.dll.4.dr	Static PE information: section name: .zcyw
Source: DUI70.dll.4.dr	Static PE information: section name: .zeczh
Source: DUI70.dll.4.dr	Static PE information: section name: .pvv
Source: DUI70.dll.4.dr	Static PE information: section name: .lug
Source: DUI70.dll.4.dr	Static PE information: section name: .ski
Source: DUI70.dll.4.dr	Static PE information: section name: .japjd
Source: DUI70.dll.4.dr	Static PE information: section name: .mwtzml
Source: DUI70.dll.4.dr	Static PE information: section name: .vgssf
Source: DUI70.dll.4.dr	Static PE information: section name: .gsroye
Source: DUI70.dll.4.dr	Static PE information: section name: .vcmr
Source: DUI70.dll.4.dr	Static PE information: section name: .ufki
Source: DUI70.dll.4.dr	Static PE information: section name: .btl
Source: DUI70.dll.4.dr	Static PE information: section name: .pmeh
Source: DUI70.dll.4.dr	Static PE information: section name: .mquhr
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .vxl
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .qwubgr
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .eer
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .xwwauf
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .pkc
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .npkda
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .vhs
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .iaywj
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .nasi
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .zhvprh
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .yatdsp
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .njso
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .lgliat
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .ntqjh
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .sucsek
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .qsxjui
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .twctcm
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .nms
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .ogj
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .vrkgb
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .gikfw
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .ktl
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .crcn
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .wtfr
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .hep
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .ywg
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .sqsp
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .gzb
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .fatlss
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .plqa
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .vzt
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .dsbyd
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .cdelc
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .qkhkj
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .mnzegr
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .krw
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .jvsmn
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .bygpq
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .kzdbu
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .mwxorn
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .raf
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .zcyw
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .zeczh
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .pvv
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .lug
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .ski
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .japjd
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .mwtzml
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .vgssf
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .gsroye
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .vcmr
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .ufki
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .btl
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .pmeh
Source: ACTIVEDS.dll.4.dr	Static PE information: section name: .nfr
Source: SppExtComObj.Exe.4.dr	Static PE information: section name: ?g_Encry
Source: XmlLite.dll0.4.dr	Static PE information: section name: .vxl
Source: XmlLite.dll0.4.dr	Static PE information: section name: .qwubgr
Source: XmlLite.dll0.4.dr	Static PE information: section name: .eer
Source: XmlLite.dll0.4.dr	Static PE information: section name: .xwwauf
Source: XmlLite.dll0.4.dr	Static PE information: section name: .pkc
Source: XmlLite.dll0.4.dr	Static PE information: section name: .npkda
Source: XmlLite.dll0.4.dr	Static PE information: section name: .vhs
Source: XmlLite.dll0.4.dr	Static PE information: section name: .iaywj
Source: XmlLite.dll0.4.dr	Static PE information: section name: .nasi
Source: XmlLite.dll0.4.dr	Static PE information: section name: .zhvprh
Source: XmlLite.dll0.4.dr	Static PE information: section name: .yatdsp
Source: XmlLite.dll0.4.dr	Static PE information: section name: .njso
Source: XmlLite.dll0.4.dr	Static PE information: section name: .lgliat
Source: XmlLite.dll0.4.dr	Static PE information: section name: .ntqjh
Source: XmlLite.dll0.4.dr	Static PE information: section name: .sucsek
Source: XmlLite.dll0.4.dr	Static PE information: section name: .qsxjui
Source: XmlLite.dll0.4.dr	Static PE information: section name: .twctcm
Source: XmlLite.dll0.4.dr	Static PE information: section name: .nms
Source: XmlLite.dll0.4.dr	Static PE information: section name: .ogj
Source: XmlLite.dll0.4.dr	Static PE information: section name: .vrkgb
Source: XmlLite.dll0.4.dr	Static PE information: section name: .gikfw
Source: XmlLite.dll0.4.dr	Static PE information: section name: .ktl
Source: XmlLite.dll0.4.dr	Static PE information: section name: .crcn
Source: XmlLite.dll0.4.dr	Static PE information: section name: .wtfr
Source: XmlLite.dll0.4.dr	Static PE information: section name: .hep
Source: XmlLite.dll0.4.dr	Static PE information: section name: .ywg
Source: XmlLite.dll0.4.dr	Static PE information: section name: .sqsp
Source: XmlLite.dll0.4.dr	Static PE information: section name: .gzb
Source: XmlLite.dll0.4.dr	Static PE information: section name: .fatlss
Source: XmlLite.dll0.4.dr	Static PE information: section name: .plqa
Source: XmlLite.dll0.4.dr	Static PE information: section name: .vzt
Source: XmlLite.dll0.4.dr	Static PE information: section name: .dsbyd
Source: XmlLite.dll0.4.dr	Static PE information: section name: .cdelc
Source: XmlLite.dll0.4.dr	Static PE information: section name: .qkhkj
Source: XmlLite.dll0.4.dr	Static PE information: section name: .mnzegr
Source: XmlLite.dll0.4.dr	Static PE information: section name: .krw
Source: XmlLite.dll0.4.dr	Static PE information: section name: .jvsmn
Source: XmlLite.dll0.4.dr	Static PE information: section name: .bygpq
Source: XmlLite.dll0.4.dr	Static PE information: section name: .kzdbu
Source: XmlLite.dll0.4.dr	Static PE information: section name: .mwxorn
Source: XmlLite.dll0.4.dr	Static PE information: section name: .raf
Source: XmlLite.dll0.4.dr	Static PE information: section name: .zcyw
Source: XmlLite.dll0.4.dr	Static PE information: section name: .zeczh
Source: XmlLite.dll0.4.dr	Static PE information: section name: .pvv
Source: XmlLite.dll0.4.dr	Static PE information: section name: .lug
Source: XmlLite.dll0.4.dr	Static PE information: section name: .ski
Source: XmlLite.dll0.4.dr	Static PE information: section name: .japjd
Source: XmlLite.dll0.4.dr	Static PE information: section name: .mwtzml
Source: XmlLite.dll0.4.dr	Static PE information: section name: .vgssf
Source: XmlLite.dll0.4.dr	Static PE information: section name: .gsroye
Source: XmlLite.dll0.4.dr	Static PE information: section name: .vcmr
Source: XmlLite.dll0.4.dr	Static PE information: section name: .ufki

Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe

Code function: 33_2_00007FF7B871BEA0 LoadLibraryW,GetProcAddress,GetProcAddress,

33_2_00007FF7B871BEA0

Source: Dxpserver.exe.4.dr

Static PE information: 0xABA47AA2 [Sat Apr 2 16:00:34 2061 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.59477523886
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample	Static PE information: section name: .text entropy: 7.78392111205

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\n0R5g\Secur32.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\aJcBg\XmlLite.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\R7Mg9\UxTheme.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL	Jump to dropped file

Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130F3080 WinSqmSetString,IsIconic,ShowWindow,GetSystemMenu,CheckMenuItem,	26_2_00007FF6130F3080
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87139A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW,	33_2_00007FF7B87139A0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B870F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW,	33_2_00007FF7B870F5A4
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B878C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos,	33_2_00007FF7B878C560
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B870CE48 IsIconic,GetWindowPlacement,GetLastError,	33_2_00007FF7B870CE48
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8709A6C IsIconic,GetWindowPlacement,GetWindowRect,	33_2_00007FF7B8709A6C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B870CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow,	33_2_00007FF7B870CF28
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8711B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate,	33_2_00007FF7B8711B44
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8712F5C IsWindowVisible,IsIconic,	33_2_00007FF7B8712F5C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B87104F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,	33_2_00007FF7B87104F8
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8712884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement,	33_2_00007FF7B8712884

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe TID: 5344

Thread sleep count: 63 > 30

Jump to behavior

Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe	Jump to dropped file

Source: C:\Windows\System32\loaddll64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-81998
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_20-79317

Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	API coverage: 0.4 %
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	API coverage: 0.3 %

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC6711DDC0 GetSystemInfo,

0_2_00007FFC6711DDC0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC6711ED10 FindFirstFileExW,	0_2_00007FFC6711ED10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW,	20_2_00007FFC74C7ED10
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError,	26_2_00007FF6130E1914

Source: explorer.exe, 00000004.00000000.304934300.000000000832A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.303147807.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000004.00000000.280980769.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.340794911.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.267951079.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.263815655.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000004.00000000.303880362.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000004.00000000.303147807.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Code function: 20_2_00007FF740781828 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

20_2_00007FF740781828

Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe

Code function: 33_2_00007FF7B871BEA0 LoadLibraryW,GetProcAddress,GetProcAddress,

33_2_00007FF7B871BEA0

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Code function: 20_2_00007FF7407859A4 TlsGetValue,GetProcessHeap,HeapFree,TlsSetValue,AcquireSRWLockExclusive,TlsFree,ReleaseSRWLockExclusive,

20_2_00007FF7407859A4

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC671097D0 LdrLoadDll,FindClose,

0_2_00007FFC671097D0

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FF740788410 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_00007FF740788410
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe	Code function: 20_2_00007FF7407886F0 SetUnhandledExceptionFilter,	20_2_00007FF7407886F0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF61310FCB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00007FF61310FCB0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	Code function: 26_2_00007FF6131100E0 SetUnhandledExceptionFilter,	26_2_00007FF6131100E0
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Code function: 29_2_00007FF670A429F0 SetUnhandledExceptionFilter,	29_2_00007FF670A429F0
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Code function: 29_2_00007FF670A42D14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF670A42D14
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe	Code function: 33_2_00007FF7B8822264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00007FF7B8822264
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CEF2E0 SetUnhandledExceptionFilter,	35_2_00007FF742CEF2E0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CEEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	35_2_00007FF742CEEE40

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: dwmapi.dll.4.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CDA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		35_2_00007FF742CDA5C8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	Code function: 35_2_00007FF742CDA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent,		35_2_00007FF742CDA5C8

Contains functionality to prevent local Windows debugging

Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Code function: 29_2_00007FF670A45730 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection,		29_2_00007FF670A45730
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe	Code function: 29_2_00007FF670A454A0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection,		29_2_00007FF670A454A0

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\rundll32.exe

Atom created: 405553565741544156488D6C24D14881EC98 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1

Jump to behavior

Source: explorer.exe, 00000004.00000000.280992287.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.311718742.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.262606736.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271301902.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr	Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.311774801.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.281130871.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341049556.0000000000708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe

Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free,

35_2_00007FF742CE9EF4

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Code function: 20_2_00007FF740783614 RegGetValueW,RegGetValueW,GetSystemTimeAsFileTime,TranslateMessage,DispatchMessageW,GetMessageW,

20_2_00007FF740783614

Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe

Code function: 33_2_00007FF7B881F5EC memset,GetVersionExW,GetVersionExW,

33_2_00007FF7B881F5EC

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC67109400 GetUserNameW,

0_2_00007FFC67109400

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	412 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	412 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Timestomp	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	25 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eWlldJYfLc.dll	67%	Virustotal		Browse
eWlldJYfLc.dll	60%	Metadefender		Browse
eWlldJYfLc.dll	88%	ReversingLabs	Win64.Trojan.Occamy
eWlldJYfLc.dll	100%	Avira	TR/Crypt.ZPACK.Gen
eWlldJYfLc.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL	100%	Avira	TR/Crypt.XPACK.Gen7
C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll	100%	Avira	TR/Crypt.XPACK.Gen4
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\n0R5g\Secur32.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\n0R5g\Secur32.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
33.2.mstsc.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.2.CloudNotifications.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
35.2.SndVol.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
33.2.mstsc.exe.15f26e10000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
29.2.mfpmp.exe.1cdaa1c0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
0.2.loaddll64.exe.16b476e0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
26.2.Dxpserver.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
26.2.Dxpserver.exe.19273270000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
29.2.mfpmp.exe.7ffc74c20000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.28586ab0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
20.2.CloudNotifications.exe.2953cdf0000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
8.2.rundll32.exe.2541e150000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
2.2.rundll32.exe.16bb42f0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.17f7c0b0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
0.2.loaddll64.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
35.2.SndVol.exe.1c1733a0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.7ffc670c0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.mi	0%	URL Reputation	safe
https://login.windows.net-%s	0%	Avira URL Cloud	safe
http://schemas.micr	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.mi	explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.windows.net-%s	DeviceEnroller.exe.4.dr	false	Avira URL Cloud: safe	low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000003.320980194.000001BB8E646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 0000000B.00000003.320495277.000001BB8E669000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321905396.000001BB8E66B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Stops/	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micr	explorer.exe, 00000004.00000000.324436158.000000000DA7E000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000B.00000002.321820678.000001BB8E643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321051969.000001BB8E642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000B.00000003.320872446.000001BB8E641000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.321244735.000001BB8E63A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000B.00000002.321751772.000001BB8E613000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000B.00000003.320641560.000001BB8E651000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000002.321768696.000001BB8E629000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000003.298657798.000001BB8E630000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.321807705.000001BB8E63E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000B.00000002.321834175.000001BB8E64C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000003.320766530.000001BB8E64A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	595308
Start date and time:	2022-03-23 14:46:03 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	eWlldJYfLc (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDLL@46/19@0/0
EGA Information:	Successful, ratio: 90%
HDC Information:	Successful, ratio: 29% (good quality ratio 17.8%) Quality average: 41% Quality standard deviation: 39%
HCA Information:	Successful, ratio: 98% Number of executed functions: 69 Number of non-executed functions: 113
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
Execution Graph export aborted for target mfpmp.exe, PID 3464 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe	bjbMyaakCv.dll	Get hash	malicious	Browse
	CSSmwdf3UF.dll	Get hash	malicious	Browse
	eAcRwbpaRC.dll	Get hash	malicious	Browse
	6DcDu9JyeX.dll	Get hash	malicious	Browse
	EcPDKIddT5.dll	Get hash	malicious	Browse
	CsUUaEi57B.dll	Get hash	malicious	Browse
	f4.dll	Get hash	malicious	Browse
	p3D6mSixxP.dll	Get hash	malicious	Browse
	YCmvsk3Lmf.dll	Get hash	malicious	Browse
	Ppy154hE7Y.dll	Get hash	malicious	Browse
	yGI53fbtYF.dll	Get hash	malicious	Browse
	zB14GfXeGv.dll	Get hash	malicious	Browse
	U4zqCpLYS2.dll	Get hash	malicious	Browse
	ASfbCicRC5.dll	Get hash	malicious	Browse
	vVPS3LRIrm.dll	Get hash	malicious	Browse
	KANve4zs8b.dll	Get hash	malicious	Browse
	maCZfyeqR2.dll	Get hash	malicious	Browse
	C3AGWzJKYE.dll	Get hash	malicious	Browse
	Hya8QBERWA.dll	Get hash	malicious	Browse
	TWz0JnTOzu.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	304640
Entropy (8bit):	5.920357039114308
Encrypted:	false
SSDEEP:	6144:SidsFxbUPoT/FPrriCEe+oiXoGJm7JwQ9oWxDEHZwj:xaFxbFDBsBo6maPWxDcwj
MD5:	DCCB1D350193BE0A26CEAFF602DB848E
SHA1:	02673E7070A589B5BF6F217558A06067B388A350
SHA-256:	367CEA47389B6D5211595AE88454D9589AA8C996F5E765904FFEDE434424AF22
SHA-512:	ECD3C32E2BED31FC6328CA4B171B5D2503A2795324667F67FF48A67DF7C8B88760A62C0119A173487B9886E6AF3994025A85E42B064BEA38A466A6848AF65541
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: bjbMyaakCv.dll, Detection: malicious, Browse Filename: CSSmwdf3UF.dll, Detection: malicious, Browse Filename: eAcRwbpaRC.dll, Detection: malicious, Browse Filename: 6DcDu9JyeX.dll, Detection: malicious, Browse Filename: EcPDKIddT5.dll, Detection: malicious, Browse Filename: CsUUaEi57B.dll, Detection: malicious, Browse Filename: f4.dll, Detection: malicious, Browse Filename: p3D6mSixxP.dll, Detection: malicious, Browse Filename: YCmvsk3Lmf.dll, Detection: malicious, Browse Filename: Ppy154hE7Y.dll, Detection: malicious, Browse Filename: yGI53fbtYF.dll, Detection: malicious, Browse Filename: zB14GfXeGv.dll, Detection: malicious, Browse Filename: U4zqCpLYS2.dll, Detection: malicious, Browse Filename: ASfbCicRC5.dll, Detection: malicious, Browse Filename: vVPS3LRIrm.dll, Detection: malicious, Browse Filename: KANve4zs8b.dll, Detection: malicious, Browse Filename: maCZfyeqR2.dll, Detection: malicious, Browse Filename: C3AGWzJKYE.dll, Detection: malicious, Browse Filename: Hya8QBERWA.dll, Detection: malicious, Browse Filename: TWz0JnTOzu.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9. E}.N.}.N.}.N...M.~.N...J.d.N...K.{.N...O.X.N.}.O.F.N...G.[.N....\|.N...L.\|.N.Rich}.N.........PE..d....z............".................`..........@..........................................`.......... ..........................................\|....0..H....... ...............p...`...T............................<...............=...............................text...<........................... ..`.rdata..6...........................@..@.data...............................@....pdata.. ...........................@..@.rsrc...H....0......................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.073965259759853
Encrypted:	false
SSDEEP:	12288:vZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:vZK6F7n5eRmDFJivohZFV
MD5:	76657995BEE544EFB7B57F3ADE10CACC
SHA1:	AFD9BC6AAEF6E67ABEB32C4111B61F39412D8DCA
SHA-256:	E4FAF63C9DF8C711816BDD85DED07539FC7F425EFFBAFDDB680EFE01E45DCD26
SHA-512:	BEF755E7AE0D4C82D7F0A86A881FBDAFC565C990C821EBA88B1D5C208B1A94097E3BC74A9AFA58B11146658CC68CECE1F615E28FC891852FB99FA4D703829670
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................&...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32104
Entropy (8bit):	6.224595599643794
Encrypted:	false
SSDEEP:	768:HYxSW1tZfZjtM2mpgc8WtCpZswKro1PDg:HhAhty8WteuwKrwPDg
MD5:	34F32BC06CDC7AF56607D351B155140D
SHA1:	88EF25BC91BCC908AF743ECA254D6251E5564283
SHA-256:	47238D9ED75D01FD125AC76B500FEEF7F8B27255570AD02D18A4F049B05DF3BD
SHA-512:	D855414779125F4E311ACF4D5EFC8ACA4452323CABD1694798CA90FD5BD76DC70B5D06790A2AE311E7DD19190DCCB134F6EF96AB1B7CF5B8A40AD642B72D5144
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._Lp..-...-...-...U...-..tI...-..tI...-..tI...-..tI...-...-..K-..tI...-..tI..-..tI...-..Rich.-..........................PE..d....\YN..........".........2.......0.........@.................................................... ......................................._.......................Z..h#...........X..T...................`S..(...`R...............S...............................text....(......................... ..`.imrsiv......@...........................rdata.......P......................@..@.data........p.......J..............@....pdata...............L..............@..@.rsrc................P..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1654784
Entropy (8bit):	5.506546408859127
Encrypted:	false
SSDEEP:	12288:tZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuwmsNRt:tZK6F7n5eRmDFJivohZFVmu
MD5:	72722E89BA0B4F6CAD054811AB8BB33C
SHA1:	84099E5B7CF14C99D301AADAD9934E8981C019EB
SHA-256:	27DBA4A57AD9F0CA7678B55C851F17E1A2CAE742FCFD041D8503080831E93520
SHA-512:	08CF3ABE10557F284B0427849A4CEF2F111E67E6371F79C3B477F659CC36B438E6C9E541C2DD10C290C6A43E963EBE1B4A7BEF89910C7C98A6099E6E04F8A9BC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@.............................@............`.............................................dQ..$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	259904
Entropy (8bit):	5.955701055747905
Encrypted:	false
SSDEEP:	3072:UfYIZJbRydnidilSnGvLqeD358rwW39nuyHjVozZcxSHfcBL1ljbEyB7HbIa+:Uf9JonidFnqLV358rNnJqcRcy10/
MD5:	CDD7C7DF2D0859AC3F4088423D11BD08
SHA1:	128789A2EA904F684B5DF2384BA6EEF4EB60FB8E
SHA-256:	D98DB8339EB1B93A7345EECAC2B7290FA7156E3E12B7632D876BD0FD1F31EC66
SHA-512:	A093BF3C40C880A80164F2CAA87DF76DCD854375C5216D761E60F3770DFA04F4B02EC0CA6313C32413AC99A3EBDC081CF915A7B468EE3CED80F9B1ECF4B49804
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<.BL]..L]..L]..E%...]..#9..O]..#9..U]..#9..F]..#9..W]..L]...\..#9..o]..#9k.M]..#9..M]..RichL]..........................PE..d...wJSn.........."............................@.............................@....................... .........................................p.... ..@...............@+...0.......U..T...................p&..(...p%...............&......P........................text............................... ..`.imrsiv..................................rdata....... ......................@..@.data...............................@....pdata..............................@..@.didat..............................@....rsrc...@.... ......................@..@.reloc.......0......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.07954324475136
Encrypted:	false
SSDEEP:	12288:2ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:2ZK6F7n5eRmDFJivohZFV
MD5:	AA4563F3E285E21921818923EEC1AB27
SHA1:	F36D24960356D6CCB49EF189025B9366324851D9
SHA-256:	33736F3A5EB68B07C19FDA12C97A3A17120719FA53FFF3B74EB4B5BCA81ED86E
SHA-512:	26BBE92AF58E8B574BA3C4673938F48BF12AFA872FDE65BC3E4A48C590C20BD03B9F1DA460E9F5EB8D5410272E0741D8C4EC3B068CFA4D78595E0A8042E5E488
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.066544233417286
Encrypted:	false
SSDEEP:	12288:CZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:CZK6F7n5eRmDFJivohZFV
MD5:	CFC069A16E13B366B0F56BD27F5BC600
SHA1:	CD6DF254F7B0550B0CC2524F4592571C9EC3F7B1
SHA-256:	1A044F24CC8B8D583E66F577C90C92FF15FF4F3D1FE8096A38B5032C1F8B8D6B
SHA-512:	55F44E15EB12F94804DFE947774B2078DCCD13E0A98EEB9963F90BC0289BD7345F90063DCD29530D161C0B411623C411613FAA6323C53F1C5C7595D19004C117
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	5.0324146638870335
Encrypted:	false
SSDEEP:	768:Ii5tlKBaheiGK/hc3aZkLmMgMaouZl6i9Kott/D:/C0heiGK/hc3aZkLmMgMaouZl6i9t/D
MD5:	3CE911D7C12A2EFA9108514013BD17FE
SHA1:	2F739BD7731932A0BF13A3B8526FC867EC41C63E
SHA-256:	FC55CB5FF243496B039D3DB181BD846BDD38D11C7D52E4BA20D882B65FBE1C3B
SHA-512:	33F4FD94916DB3F0BC4E138DD88125D9B45108F7EECFDE0A54BE1901F4BE3F1966BC0FE9278A919A3D94AEC53A8269ACA9451EBA7D53C82BF64CC215522AD78E
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.=...S...S...S.s.P...S.s.W...S.s.V...S.s.R...S...R.$.S.s.Z...S.s....S.s.Q...S.Rich..S.........PE..d...~3............"......&...p......p/.........@.....................................q....`.......... .......................................~..d.......p.......................(...`z..T........................... E.............. F...............................text...P%.......&.................. ..`.rdata.."D...@...F...*..............@..@.data................p..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	77072
Entropy (8bit):	6.115516882753233
Encrypted:	false
SSDEEP:	1536:PBw6bK5qGy2vbnG4bhimIHw28N6GgIpdNtgdNttP+O1K9dr3uhyZb3NnPg5:FbK522vDfnp28a+O1AdCoZxno5
MD5:	D9FF4C8DBC1682E0508322307CB89C0F
SHA1:	52FF480ABF6A6CE9BC32BD3B467C028C35849C6F
SHA-256:	E99A6238FDF53700DE8588E1C1128D52680C1DCAAD4E32B38EF2170395495D29
SHA-512:	C068F98855514994AA7CD66ED02E3FD05B7E81EAD714F83CC158B65AAC6DE12A1D324375C41FEC5C1B6A3F1D6D8639EBFF71D510A720148A33E645ED066DAF2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................=.....................................e............Q............Rich....................PE..d................."............................@.............................p.......*............... ......................................p........@.. .... ..L........%...`......P...T............................................... .......`....................text.............................. ..`.imrsiv..................................rdata...W.......X..................@..@.data...x...........................@....pdata..L.... ......................@..@.didat.......0......................@....rsrc... ....@......................@..@.reloc.......`......................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\R7Mg9\UxTheme.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.079630029271723
Encrypted:	false
SSDEEP:	12288:qZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:qZK6F7n5eRmDFJivohZFV
MD5:	EEEA0804F1E5EB7827FD942423AC682D
SHA1:	09CD42B0D6B83B896B61016364BCAE0FDB729FA2
SHA-256:	EC50BADCD4F4E021A341A08A03FA8A72D4496A5B71BA1BBF6C4F49F79EA61F45
SHA-512:	0C58E87B0716CBB5A0D7DE3A0463C4AF9E09C28EE99543F5A4130A7658B2BB8EB8A88F5BEE0B6877DC9224B6AA0988850C83BF5EB48CB4A22FBEEEF79EBBEE6C
Malicious:	false
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	359936
Entropy (8bit):	6.00535524532166
Encrypted:	false
SSDEEP:	6144:NXYgu80D0GEiHJb3r/mrKqfNF3Ne8xQOQ2UyQPyHS:Nok0DTHJrr/MKqfNPRyyQI
MD5:	53688BC273A0CB9FD174F809FB56F866
SHA1:	F69901D480530661A3342E567C2F789D3361851D
SHA-256:	D39F1DE499FFD7D8E12ADEA0979AA70FB291C8BD9061019AA0045A247A4B948B
SHA-512:	2233B66D79042C2C1F8B10228FAEE3698FA2C54396B0331F7352DC087F23493BDEB89CECD7E23A1B2CFBD124D9ADB483413DC55DDA813C4F49B18120A702AE15
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(...l...l...l...e.2.0.....o.....t...l...............a.....G.....^.m.....m...Richl...................PE..d......{.........."......\|..........0N.........@..........................................`.......... ..................................................pE...@...$..............h....#..T...................0...(...0...............X...(....... ....................text....{.......\|.................. ..`.rdata..............................@..@.data........ ......................@....pdata...$...@...&..................@..@.didat.......p.......0..............@....rsrc...pE.......F...2..............@..@.reloc..h............x..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\aJcBg\XmlLite.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.0665476710905875
Encrypted:	false
SSDEEP:	12288:qZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:qZK6F7n5eRmDFJivohZFV
MD5:	5A3E479CD2E6CE8BFB95EB1B9473DF7C
SHA1:	E006DC68DA1C26A263DA0FF6D1B3B6E5E8E5A657
SHA-256:	0D7E29272223CE36DAA5CAA7DCDADBAED9CE393E26FF9A8C7BE5382A072B7EDF
SHA-512:	932974FAD53CD8F754758A2F6712140217369C207CEEDB00A7A34A606C43095DCB4C979151077BBE39C9EF4390E9F1FEB926CEFCDA7D765860B1FB0A3BC8D524
Malicious:	false
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1376256
Entropy (8bit):	5.093356085119384
Encrypted:	false
SSDEEP:	12288:3ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:3ZK6F7n5eRmDFJivohZFV
MD5:	094F25E8EE0B130D03AE8565EC8BF099
SHA1:	5988CCA553B95A1D599AF1409602270FC2E97713
SHA-256:	B738ACDF220BAB43ED0EF6E0ABBBEDF3037FA9B654626C526393ECADB11D756B
SHA-512:	485AF608EE610ECDC4AE8471415EEBBA38A47A1312CDBE8A5B9E3E5DC6D40707570D37C819B572E25F59199ED645D75B973BA042C049302AF39BF77CBB2B808D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.................................................$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\bj1HT\mfpmp.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49688
Entropy (8bit):	6.083384253651048
Encrypted:	false
SSDEEP:	768:vcqpeHOwVxW4zmjjJF686T/5Lel2fBetjEWI9Whu3H1PcSP:vcEoVxJodg/tfiEAhu3VPcSP
MD5:	7C3D09D6DB5DB4A272FCF4C1BB3986BD
SHA1:	F0C392891B6D73EADB20F669A29064910507E55E
SHA-256:	E459FF6CBA8C93589B206C07BDCCD2E6C57766BE6BB4754F2FB1DEF9EF2E3BDE
SHA-512:	6CFE325CD0A78D6ACC9473BA51069E234CB0F9A47F285A6204EE787902C77005491B41C301DD38602CC387329F214E700F9203E4ECE5077E58D30276821640E4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0._.Q`..Q`..Q`..)...Q`..5c..Q`..5d..Q`..Qa..Q`..5a..Q`..5e..Q`..5n..Q`..5...Q`..5b..Q`.Rich.Q`.................PE..d...^.A..........."......R...V......P).........@....................................s.....`.......... ......................................h...........`................$..........`z..T...........................Pq..............`r......H...`....................text....Q.......R.................. ..`.rdata..T-...p.......V..............@..@.data...............................@....pdata..............................@..@.didat..0...........................@....rsrc...`...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\n0R5g\Secur32.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.0819568503752945
Encrypted:	false
SSDEEP:	12288:7ZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:7ZK6F7n5eRmDFJivohZFV
MD5:	A9D03770C3381277E769A3A10F4FA7BA
SHA1:	A9968FB16A693C97870A01AC3F6448B4029B02EB
SHA-256:	4D5CEA934217B0CAD20DE8A5D5A7E7E9E09FBBC46025CB9CED2857964CF0D72F
SHA-512:	7A1AF1FF937D496AA040195A998320FF4F9240CA0D7B223EBDAC29E02ADFA6A91EE010A1AE287F7AC9111B0BBB965898EFEF9373F805FD1335D5F254809E6EEC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................#...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\n0R5g\mstsc.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3640832
Entropy (8bit):	5.884402821447862
Encrypted:	false
SSDEEP:	98304:q8yNOTNEpZxGb+ZPgN6tYDNBMe+8noqvEYw0n2WFfZT+xgsLOsMg:q8yNOTNEpZxk+ZIN6tYDNBMe+8noqvEB
MD5:	3FBB5CD8829E9533D0FF5819DB0444C0
SHA1:	A4A6E4E50421E57EA4745BA44568B107A9369447
SHA-256:	043870DBAB955C1851E1710D941495357383A08F3F30DD3E3A1945583A85E0CA
SHA-512:	349459CCF4DDFB0B05B066869C99088BA3012930D5BBC3ED1C9E4CF6400687B1EFE698C5B1734BF6FF299F6C65DD7A71A2709D3773E9E96F6FDE659F5D883F48
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... w.dN$.dN$.dN$..M%.dN$..J%.dN$..K%.dN$..O%.dN$.dO$TfN$..G%.eN$...$.dN$..L%.dN$Rich.dN$........PE..d.....Y..........."......$....%.....p..........@..............................7......K8...`..................................................].......p..H>!.....`.............7. ..P...T...........................`...............`........\..`....................text....".......$.................. ..`.rdata...\...@...^...(..............@..@.data...P(..........................@....pdata..`...........................@..@.didat..(....`....... ..............@....rsrc...H>!..p...@!.."..............@..@.reloc.. ....7..,...b7.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1372160
Entropy (8bit):	5.069365048727469
Encrypted:	false
SSDEEP:	12288:QZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:QZK6F7n5eRmDFJivohZFV
MD5:	7030AA0D1AD9097FBA4716E8769ADF1C
SHA1:	238ADB06CB99D070EC79034110FB65D5E854859E
SHA-256:	A847A1B3D028F0F305E1EA8B62B07690DEC695682DA8C5015CE9AB6F9EF69ABC
SHA-512:	2919F2D46B8364A8F05D7E46F2356AE6174821CD9A3658EB27A4A8F4C0FC5CDEDD87CD26EEE3DA281E8F5F3D9AF04192E443BC94F910A188F8B6369802BC877E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb.....qb.;...{qb......qb..#...qb...f.oqb....hqb.z....qb.....:qb.;...tqb.Rich.qb.................................................................................................PE..d.=...}^.........." ..... ...........$.........@..........................................`.............................................y...$...<....................................................................................0..(............................text............ .........@........ ..`.rdata..Co...0...p...0...0.@Co......@..@.data....;.......@.........@.;......@....pdata..8..................@8.......@..@.rsrc......................@........@..@.reloc..1..................@1.......@..B.vxl............. .........@........@..@.qwubgr.$....0... ...0...0.@$.......@..@.eer....

C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	577024
Entropy (8bit):	7.365924302927238
Encrypted:	false
SSDEEP:	12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
MD5:	809E11DECADAEBE2454EFEDD620C4769
SHA1:	A121B9FC2010247C65CE8975FE4D88F5E9AC953E
SHA-256:	8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
SHA-512:	F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.].a.3.a.3.a.3.h.u.3...6.`.3...7.t.3...2.n.3.a.2...3...=.r.3...0.e.3....`.3...1.`.3.Richa.3.........PE..d...b.............".................0..........@................CS P................3................ .......................................Y..h................J......................T............................S...............z..`............................text............................... ..`?g_Encry.-.......................... ..`.rdata..._.......`..................@..@.data........p.......V..............@....pdata...J.......L...d..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	1450
Entropy (8bit):	7.341856001318595
Encrypted:	false
SSDEEP:	24:Uk1KaW6dGUcke/TZTy9huyg1FxVOJ8Mk20PrbBuN1rhbzQcR8Yw76s80c+:UwKZBUckerYh/g19u8F2Ub8N1NXQcGYO
MD5:	464F2980E43A11D0B043075EFE6C5BF4
SHA1:	41A667A8B3E476E64CB9C026908057E9FD420507
SHA-256:	EF19B78322AB9FF8DF1F08E2936B698BD7A57E490EA7E40E675421D60344EDF6
SHA-512:	162D82A7F9C8B2F152331CDA46B34A428B329F506FE854B6203653F99A0E1125D664ADE6C08E878216C9E957606314323251B6B7ED3ABC82884E243F7E094A5F
Malicious:	false
Preview:	........................................user.....................RSA1................a>.(.p_{..E..%......Lr...z...$f....y7)b<.. ...b...............0........s..`).F.g.t......o<..j.n..X.R...XqM....\....~?.,......................z..O......w...L.aI....?E......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ....u/..0.Y..U;...{5}.y..9MFX..l.............. ....G`.....hj.Lwi........Zu2.\/.fI.............).z#..#....@.. U....j..{.C.Z.Ufd...mX.Q%..2.^7.J/.<.'0..m...:.m%.[g...D.Ky...y..0."...R.IB.X..H.W...T.+X..-)......4.......SY..7..Leb.^...6=.j......,.N.b_.5.eqA..%..Xp.........H{7..A..71.Pe.f.V%...O#.cR.......zC..t.X..~e2X..d....V<......H@.qE....r`...0..._....;.U....A..w.........^.lD.!Y...].....Fm;Nf]7.f....Dw{.jC...<... .;pC~.Ke'iL..p5...Z.b.n..Zz..J <<&d..$i.lf.......{.9^.J.j{..+.....5.b.u.g. .w.{q.O........d....=T.....8P-.....\)$.1.......z....V.~.].m`bV.g.!4....z.~GI...[3...V?#..;.bg.A...n......$O..{+.o".bm!J.p..H..@..&wlT..Jn..1GAT......

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.088449668278153
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	eWlldJYfLc.dll
File size:	1368064
MD5:	d098d01cbea52f858bce6d0d9faa5b26
SHA1:	952ce9cd899108c2821bf488b98387b6db8424b8
SHA256:	82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
SHA512:	ca6b21d580689b8e50b55277d9630e972da202270800c3820c060782f464115220674cfcf78fb3253c5d4607cebf23f087a5281a7a324f94aa75b97a8329f702
SSDEEP:	12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV
File Content Preview:	MZ......................@.......................................X..Z.qb..qb..qb.a...jqb.s....qb.9...\qb.s...(qb......qb..#.. qb../b..qb......qb.....Hqb..(c./qb.r,f..qb..(c..qb.;...,qb../..Tqb.....Zqb......qb.z...Bqb.....nqb.....[qb......qb.;...{qb......qb

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1400424b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5E7D9D05 [Fri Mar 27 06:28:21 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4a2e61e1749a0183eccaadb9c4ef6ec2

Entrypoint Preview

Instruction
dec eax
mov dword ptr [00070639h], ecx
dec eax
lea ecx, dword ptr [FFFFF2F2h]
dec esp
mov dword ptr [0007064Bh], eax
dec esp
mov dword ptr [00070654h], edi
dec esp
mov dword ptr [00070655h], esi
dec eax
xor eax, eax
dec eax
inc eax
dec eax
add ecx, eax
dec esp
mov dword ptr [00070655h], esp
dec eax
dec ecx
dec eax
mov dword ptr [00070653h], esi
dec eax
test eax, eax
je 00007F13CCA7C10Dh
dec eax
mov dword ptr [0007060Fh], esp
dec eax
mov dword ptr [00070600h], ebp
dec eax
mov dword ptr [00070649h], ebx
dec eax
mov dword ptr [0007063Ah], edi
dec eax
test eax, eax
je 00007F13CCA7C0ECh
dec esp
mov dword ptr [000705FEh], ecx
dec esp
mov dword ptr [0007060Fh], ebp
dec eax
mov dword ptr [000705D0h], edx
jmp ecx
dec eax
add edi, ecx
retn 0008h
ud2
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push esi
dec eax
sub esp, 00000080h
dec eax
mov dword ptr [esp+78h], 58225FC8h
mov dword ptr [esp+60h], 2DFAE652h
mov al, byte ptr [esp+77h]
mov dl, al
add dl, FFFFFF85h
mov byte ptr [esp+77h], dl
mov word ptr [esp+5Eh], 3327h
dec esp
mov eax, dword ptr [esp+78h]
inc esp
mov ecx, dword ptr [esp+64h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x14d010	0x8ee	.pmeh
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa9924	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbf000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1000	0x0	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xefc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x43000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x418cc	0x42000	False	0.781412760417	data	7.78392111205	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x43000	0x66f43	0x67000	False	0.700320938258	data	7.87281050709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xaa000	0x13ba7	0x14000	False	0.0782836914062	data	2.51707039551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0xbe000	0x138	0x1000	False	0.061279296875	PEX Binary Archive	0.599172422844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xbf000	0x69e	0x1000	False	0.123291015625	data	1.07831823765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xf31	0x1000	False	0.416748046875	data	5.36145191459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vxl	0xc1000	0x14d4	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qwubgr	0xc3000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eer	0xc5000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xwwauf	0xc7000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pkc	0xc8000	0x42a	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.npkda	0xc9000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vhs	0xca000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iaywj	0xcb000	0x1455	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nasi	0xcd000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zhvprh	0xce000	0x6cd0	0x7000	False	0.00177873883929	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yatdsp	0xd5000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.njso	0xd6000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lgliat	0xd8000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ntqjh	0xd9000	0xbf6	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sucsek	0xda000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qsxjui	0xdb000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.twctcm	0xdc000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nms	0xde000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ogj	0xdf000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrkgb	0xe1000	0x706	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gikfw	0xe2000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ktl	0xe3000	0x9cd	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.crcn	0xe4000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wtfr	0xe5000	0x1ee	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.hep	0xe6000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ywg	0xe7000	0xd33	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqsp	0xe8000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gzb	0xe9000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fatlss	0xea000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.plqa	0xeb000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vzt	0xec000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.dsbyd	0xed000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.cdelc	0xef000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.qkhkj	0xf0000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mnzegr	0xf1000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.krw	0xf2000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jvsmn	0xf3000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bygpq	0xf4000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kzdbu	0xf6000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwxorn	0xf7000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.raf	0xf8000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zcyw	0xf9000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zeczh	0xfa000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pvv	0xfc000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lug	0xfd000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ski	0x143000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.japjd	0x144000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mwtzml	0x146000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vgssf	0x147000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gsroye	0x148000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vcmr	0x14a000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ufki	0x14b000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.btl	0x14c000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pmeh	0x14d000	0x8fe	0x1000	False	0.25537109375	data	3.73292380196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xbf0a0	0x2dc	data	English	United States
RT_MANIFEST	0xbf380	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	GetServiceDisplayNameW
KERNEL32.dll	LoadLibraryA, HeapUnlock

Exports

Name	Ordinal	Address
IsInteractiveUserSession	1	0x14001b188
QueryActiveSession	2	0x14002de80
QueryUserToken	3	0x140021f90
RegisterUsertokenForNoWinlogon	4	0x140037744
WTSCloseServer	5	0x140001e84
WTSConnectSessionA	6	0x1400128ec
WTSConnectSessionW	7	0x14003b464
WTSCreateListenerA	8	0x14003ca60
WTSCreateListenerW	9	0x140016670
WTSDisconnectSession	10	0x14002e280
WTSEnableChildSessions	11	0x14001d394
WTSEnumerateListenersA	12	0x140008b14
WTSEnumerateListenersW	13	0x14000ae90
WTSEnumerateProcessesA	14	0x140006aa4
WTSEnumerateProcessesExA	15	0x140036e0c
WTSEnumerateProcessesExW	16	0x14003dd78
WTSEnumerateProcessesW	17	0x1400040c8
WTSEnumerateServersA	18	0x140035160
WTSEnumerateServersW	19	0x140038de0
WTSEnumerateSessionsA	20	0x140031ca8
WTSEnumerateSessionsExA	21	0x14000d828
WTSEnumerateSessionsExW	22	0x14001fae0
WTSEnumerateSessionsW	23	0x1400287b8
WTSFreeMemory	24	0x14002b15c
WTSFreeMemoryExA	25	0x140029c60
WTSFreeMemoryExW	26	0x14000a54c
WTSGetChildSessionId	27	0x140037034
WTSGetListenerSecurityA	28	0x140010070
WTSGetListenerSecurityW	29	0x14002dea0
WTSIsChildSessionsEnabled	30	0x14002b160
WTSLogoffSession	31	0x14002f53c
WTSOpenServerA	32	0x140026a74
WTSOpenServerExA	33	0x140028860
WTSOpenServerExW	34	0x14002380c
WTSOpenServerW	35	0x14002aa8c
WTSQueryListenerConfigA	36	0x140019714
WTSQueryListenerConfigW	37	0x1400401a4
WTSQuerySessionInformationA	38	0x140030ae4
WTSQuerySessionInformationW	39	0x140024f78
WTSQueryUserConfigA	40	0x14002490c
WTSQueryUserConfigW	41	0x14003dda8
WTSQueryUserToken	42	0x140004d64
WTSRegisterSessionNotification	43	0x140008d84
WTSRegisterSessionNotificationEx	44	0x14001a96c
WTSSendMessageA	45	0x14003dd78
WTSSendMessageW	46	0x14000a2cc
WTSSetListenerSecurityA	47	0x140037dec
WTSSetListenerSecurityW	48	0x140033d00
WTSSetRenderHint	49	0x1400309e8
WTSSetSessionInformationA	50	0x140027a8c
WTSSetSessionInformationW	51	0x140020908
WTSSetUserConfigA	52	0x140013664
WTSSetUserConfigW	53	0x14002f130
WTSShutdownSystem	54	0x1400234cc
WTSStartRemoteControlSessionA	55	0x14002f0b0
WTSStartRemoteControlSessionW	56	0x140040e90
WTSStopRemoteControlSession	57	0x14000daec
WTSTerminateProcess	58	0x1400270d8
WTSUnRegisterSessionNotification	59	0x14002c144
WTSUnRegisterSessionNotificationEx	60	0x140035390
WTSVirtualChannelClose	61	0x140042810
WTSVirtualChannelOpen	62	0x140035678
WTSVirtualChannelOpenEx	63	0x14002dff4
WTSVirtualChannelPurgeInput	64	0x14000e808
WTSVirtualChannelPurgeOutput	65	0x14003aacc
WTSVirtualChannelQuery	66	0x1400235d4
WTSVirtualChannelRead	67	0x140041888
WTSVirtualChannelWrite	68	0x14000c228
WTSWaitSystemEvent	69	0x140038334

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights
InternalName	dpnhup
FileVersion	1.56
CompanyName	Microsoft C
ProductName	Sysinternals Streams
ProductVersion	6.1
FileDescription	Thai K
OriginalFilename	dpnhupnp.d
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:47:10
Start date:	23/03/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll"
Imagebase:	0x7ff72e730000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Target ID:	1
Start time:	15:47:11
Start date:	23/03/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Imagebase:	0x7ff64ce50000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	15:47:12
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession
Imagebase:	0x7ff7ef960000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	15:47:12
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Imagebase:	0x7ff7ef960000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	15:47:14
Start date:	23/03/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	15:47:15
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession
Imagebase:	0x7ff7ef960000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	15:47:18
Start date:	23/03/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken
Imagebase:	0x7ff7ef960000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	15:47:30
Start date:	23/03/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	15:48:17
Start date:	23/03/2022
Path:	C:\Windows\System32\sdclt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sdclt.exe
Imagebase:	0x7ff60bf90000
File size:	1210880 bytes
MD5 hash:	0632A8402C6504CD541AC93676AAD0F5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	19
Start time:	15:48:18
Start date:	23/03/2022
Path:	C:\Windows\System32\CloudNotifications.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\CloudNotifications.exe
Imagebase:	0x7ff793190000
File size:	77072 bytes
MD5 hash:	D9FF4C8DBC1682E0508322307CB89C0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	20
Start time:	15:48:20
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
Imagebase:	0x7ff740780000
File size:	77072 bytes
MD5 hash:	D9FF4C8DBC1682E0508322307CB89C0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	22
Start time:	15:48:33
Start date:	23/03/2022
Path:	C:\Windows\System32\systemreset.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\systemreset.exe
Imagebase:	0x7ff764df0000
File size:	506184 bytes
MD5 hash:	872AE9FE08ED1AA78208678967BE2FEF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	15:48:34
Start date:	23/03/2022
Path:	C:\Windows\System32\Dxpserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Dxpserver.exe
Imagebase:	0x7ff7a7db0000
File size:	304640 bytes
MD5 hash:	DCCB1D350193BE0A26CEAFF602DB848E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	26
Start time:	15:48:38
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
Imagebase:	0x7ff7540f0000
File size:	304640 bytes
MD5 hash:	DCCB1D350193BE0A26CEAFF602DB848E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Show Windows behavior

Target ID:	28
Start time:	15:48:49
Start date:	23/03/2022
Path:	C:\Windows\System32\mfpmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mfpmp.exe
Imagebase:	0x7ff6cc190000
File size:	49688 bytes
MD5 hash:	7C3D09D6DB5DB4A272FCF4C1BB3986BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	29
Start time:	15:48:51
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
Imagebase:	0x7ff670a40000
File size:	49688 bytes
MD5 hash:	7C3D09D6DB5DB4A272FCF4C1BB3986BD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	30
Start time:	15:49:06
Start date:	23/03/2022
Path:	C:\Windows\System32\msra.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msra.exe
Imagebase:	0x7ff7a2430000
File size:	600064 bytes
MD5 hash:	3240CC226FB8AC41A0431A8F3B9DD770
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	31
Start time:	15:49:06
Start date:	23/03/2022
Path:	C:\Windows\System32\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\mstsc.exe
Imagebase:	0x7ff633000000
File size:	3640832 bytes
MD5 hash:	3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	33
Start time:	15:49:08
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Imagebase:	0x7ff7b8700000
File size:	3640832 bytes
MD5 hash:	3FBB5CD8829E9533D0FF5819DB0444C0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security

Show Windows behavior

Target ID:	34
Start time:	15:49:25
Start date:	23/03/2022
Path:	C:\Windows\System32\SndVol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SndVol.exe
Imagebase:	0x7ff62b390000
File size:	259904 bytes
MD5 hash:	CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	35
Start time:	15:49:27
Start date:	23/03/2022
Path:	C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Imagebase:	0x7ff742cd0000
File size:	259904 bytes
MD5 hash:	CDD7C7DF2D0859AC3F4088423D11BD08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	42.1%
Total number of Nodes:	397
Total number of Limit Nodes:	49

Executed Functions

Function 00007FFC6710A2C0 Relevance: 5.0, APIs: 2, Instructions: 2002COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9415309a58e3bb0cce1d0d6f8698424f4f4bce1af9acf6eed5649f75a2bafcac
Instruction ID: c78f56406c9c6561432bcf7cdc2e2f26f9ec8b994acfb5efb39312f479c7861d
Opcode Fuzzy Hash: 9415309a58e3bb0cce1d0d6f8698424f4f4bce1af9acf6eed5649f75a2bafcac
Instruction Fuzzy Hash: 0803E266A0C7AEC2EB249F12D4682B967A1FF45B88F444833CA4D07795EF3CE544E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F59F0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFC67107770: NtClose.NTDLL ref: 00007FFC67107799

ExitProcess.KERNEL32 ref: 00007FFC670F5C91

Strings

-R+, xrefs: 00007FFC670F5C7B

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CloseExitProcess
String ID: -R+
API String ID: 3487036407-215093852
Opcode ID: 861e373727f0bf5d6b131c94e4e6e9b6b0c96c54314d595459500fe5a7d22774
Instruction ID: 0bc01b030c3d127525b9bbaef63d67f3c16429dff6ef3f2e8a315d9e09d8e317
Opcode Fuzzy Hash: 861e373727f0bf5d6b131c94e4e6e9b6b0c96c54314d595459500fe5a7d22774
Instruction Fuzzy Hash: ED817F26B1C66AD5FB10EBB2C5652FD2365AF84348F814832DE0E579CADE2CE545C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711ED10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FFC6711ED6D

Strings

., xrefs: 00007FFC6711EDEA

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: 5588d055546eb8cf66efa63037f07df379a20e7f6d9627be0340d4208e6e69ea
Instruction ID: daf6856250c4f48e30f4f7e7ac2b7c69af0f1bd74807e2e3eeb4eaec37b02cd7
Opcode Fuzzy Hash: 5588d055546eb8cf66efa63037f07df379a20e7f6d9627be0340d4208e6e69ea
Instruction Fuzzy Hash: 7241F631A0D265C1EF644B62D1243792391EF44BA8F184A32CA6D1BBD8DF2DE986C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E7880 Relevance: 2.9, Strings: 2, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)8GV, xrefs: 00007FFC670E7D3D
)8GV, xrefs: 00007FFC670E7C59

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV
API String ID: 0-993736920
Opcode ID: 061befe2941c03f03dbd409cc30a744c1902cebc942325edb7f29670219fe0a0
Instruction ID: e551a1038a0b7dc92577d3522c0671dbeaf1f1df1bd88cf90cafcf12714557a1
Opcode Fuzzy Hash: 061befe2941c03f03dbd409cc30a744c1902cebc942325edb7f29670219fe0a0
Instruction Fuzzy Hash: 95F17322A2C56AD5EB10EF72D4612FD6365EF94384F801832EA4D8769ADF3CD546C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711DDC0 Relevance: 2.4, APIs: 1, Instructions: 882COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FFC6711EB81

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5431e0cf82004956d4d9b66d8369a133d4c7d5605faf03c84d9b45e582fc3e19
Instruction ID: e1e2744c765ac1d2e5270ab3169ccf5505fa91137470748f6ccc94a6a02ac708
Opcode Fuzzy Hash: 5431e0cf82004956d4d9b66d8369a133d4c7d5605faf03c84d9b45e582fc3e19
Instruction Fuzzy Hash: 2482E462A0C7AAC6EB648B5294602B977A0FF45F85F444C37CA4D0BB95EF3CD654C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6710CA50 Relevance: 2.3, APIs: 1, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275b5cfb1ed7da0fd965c210da93515670eebad8c799b5ec9897819ef378c5e7
Instruction ID: 391c30a6f5a6aa67b95649679ba6576edf73f979575dfece843ae0cef70d7b70
Opcode Fuzzy Hash: 275b5cfb1ed7da0fd965c210da93515670eebad8c799b5ec9897819ef378c5e7
Instruction Fuzzy Hash: 3C72CF62A0C7AAC5EB148F1294683F927A1FF45B88F945833CA8D07799DF3CE540E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712D520 Relevance: 1.7, APIs: 1, Instructions: 237
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFC6712D5C0

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a86a9bd51dc2949cd05d03de92b4f4ab6bcf3bed1841e9c0a59ca0c779675c2d
Instruction ID: 9a5e857954b4feeee4f08983d38a76f9fd0217e54200d5ecd28978f74054b5dc
Opcode Fuzzy Hash: a86a9bd51dc2949cd05d03de92b4f4ab6bcf3bed1841e9c0a59ca0c779675c2d
Instruction Fuzzy Hash: 15B19C36A0C65ADAE750EF26D2612AE33B0FF44788F504836DA5D47B95DF38E464C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC671097D0 Relevance: 1.7, APIs: 1, Instructions: 185
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00007FFC671099EE

Part of subcall function 00007FFC6711EC70: FindNextFileW.KERNELBASE(?,?,D353BBDF,00007FFC6710990E), ref: 00007FFC6711EC9B

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: 8ae045245011a34f88152a78bb84e1250efdef914e004368085cefc9dfb048a4
Instruction ID: 9e787faa0bceaf3dd038fc7c6bba84c78feb785c7cf1f997af0b5b8443798060
Opcode Fuzzy Hash: 8ae045245011a34f88152a78bb84e1250efdef914e004368085cefc9dfb048a4
Instruction Fuzzy Hash: A1819022A2C56AC5EA10EB62D4792FE6365FFC4744F804932EA4D17ACADF3CE505D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67109400 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FFC67109443

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 61134290c5f0672a3f6bf35b943af87a7f429b15799ed0f7774ee38327f57094
Instruction ID: 4ed04fe3c232a77d106ef1f6eeafea0b8ba8b1b5eebf8b3c5c98a56db4f628cd
Opcode Fuzzy Hash: 61134290c5f0672a3f6bf35b943af87a7f429b15799ed0f7774ee38327f57094
Instruction Fuzzy Hash: 8E0175A1A1C55EC2EE10EB16E8751BE5321FFD4784F805833E98E4768BDE2CD115D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67107770 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtClose.NTDLL ref: 00007FFC67107799

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
Instruction ID: d2315f2b09073cab8a7b48e2db21e56e70bd14cd73f25228fe0c6df8c9263fa5
Opcode Fuzzy Hash: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
Instruction Fuzzy Hash: 69D05E51A1D619C2FE2467A3A16D3B402909FD9744F084833CE8E0A3C7EE2C9891D332

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F5020 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

-R+, xrefs: 00007FFC670F529C

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: -R+
API String ID: 0-215093852
Opcode ID: 757887669241c1ad3ea049100046a135482c7929ff5ed67d69c536cca754f35d
Instruction ID: cfd2632594f3b14d0885ed29eabad587f2242df14e5f678503668899f2f13ee1
Opcode Fuzzy Hash: 757887669241c1ad3ea049100046a135482c7929ff5ed67d69c536cca754f35d
Instruction Fuzzy Hash: A9718026B0C669C5FB10EB62E4642EE63A1FF84344F944836EE4D47A8ADF3CE445D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67113150 Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6ed765f5991ce6959c534cf14e9b84c91dc21dbee004d70060983254845f38
Instruction ID: d36a84fac0664f6c7ea9295053ee93fa180d5aa26e9f18f8e7904d6885240924
Opcode Fuzzy Hash: fd6ed765f5991ce6959c534cf14e9b84c91dc21dbee004d70060983254845f38
Instruction Fuzzy Hash: D172B262A0D7A9C5FA248B26D4603B927A1FF45F84F445833CA4E0BB99EF3CD546C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670FAA70 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52c0054d56aefd0f3e1567eddfd226f434cc3305f3d4ff0dfe5c57373c99d56
Instruction ID: 3930091d18e4b5c7b80d59364576c51df122a6521e4282c8fab08d426c491044
Opcode Fuzzy Hash: b52c0054d56aefd0f3e1567eddfd226f434cc3305f3d4ff0dfe5c57373c99d56
Instruction Fuzzy Hash: 0B22BF26A0C56AC6EA20EF22D2612BD6355BF84744F504936DE0E877D6EF3CE509C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67127650 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e671008534e80604538bd923785f75ee5c173f21ecf6df136e96451e37028845
Instruction ID: 6261c5683c2b7ad42f8bc950de7bbb287c8f893c58f2face29e74a7d7b95ec00
Opcode Fuzzy Hash: e671008534e80604538bd923785f75ee5c173f21ecf6df136e96451e37028845
Instruction Fuzzy Hash: 4E61B531B1D26AC2FA54A623553557B51A1EF843A4F180A37EF7E427C5EF3CE441CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F76E0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFC670F780F

Strings

d, xrefs: 00007FFC670F77F6
UsS, xrefs: 00007FFC670F784B
)8GV, xrefs: 00007FFC670F77CC
UsS, xrefs: 00007FFC670F7AE7

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: ConsoleFree
String ID: )8GV$UsS$UsS$d
API String ID: 771614528-2529742583
Opcode ID: fe77994c02c4c18a5344a767264b09122eac9de7f449874fa6967c2ee9c58cdd
Instruction ID: 5666e4b1029d1c5707ca211272cee02bcbfc713ee7008d18883d2bca0ed3c8ef
Opcode Fuzzy Hash: fe77994c02c4c18a5344a767264b09122eac9de7f449874fa6967c2ee9c58cdd
Instruction Fuzzy Hash: F191E621B1C66AC2EA54EB22E1751BE5351FF84780F944936EE5E877C6DE2CD801C371

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67122E60 Relevance: 6.3, APIs: 4, Instructions: 289
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67122F59
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67122FB4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC67123039
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC67123164

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 9040a30d361a83406cf626564ceae3e4d7b26da50e6fb5ff6255cba964b20aea
Instruction ID: 17f2deafbfc04828739bba9b4cd114bcc09292585fa60eb428579f186d443f26
Opcode Fuzzy Hash: 9040a30d361a83406cf626564ceae3e4d7b26da50e6fb5ff6255cba964b20aea
Instruction Fuzzy Hash: 07C1A831B0D669C2EE649B66E46037D6361EFC5750F044A32EE6D477C5DE2CE846CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0000016B476E2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000016B476E23BE
VirtualProtect.KERNELBASE ref: 0000016B476E2478
RtlAvlRemoveNode.NTDLL ref: 0000016B476E25BE
VirtualProtect.KERNELBASE ref: 0000016B476E2684

Memory Dump Source

Source File: 00000000.00000002.280677728.0000016B476E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000016B476E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b476e0000_loaddll64.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 3df77a88728f1cd9725476dce1071c58039c14a2edb71566679ec826ba88cf92
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 7EB14676618BC586D7708B1AE4407EAB7A1F7C9B80F108026DE8D97B59DF7AC891CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F550 Relevance: 3.1, APIs: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec0a7225e8e6c00049340723db4e1e7198fb52ab2bc5e590aae07ecbfda9d15
Instruction ID: ebddfab639dfa32e7a1e5b0fe1cdd0fa17d2988cd0fbadf6a6b926681fe21738
Opcode Fuzzy Hash: aec0a7225e8e6c00049340723db4e1e7198fb52ab2bc5e590aae07ecbfda9d15
Instruction Fuzzy Hash: 56512921B0D6AAC2F6649B23A4343BA2265FF84784F144937DAAE0B7C5DE3DD441DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F7A0 Relevance: 3.1, APIs: 2, Instructions: 115
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE ref: 00007FFC6711F866
ReadFile.KERNELBASE ref: 00007FFC6711F8D4

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: db028594bc8b5677cbc4ad6c23936fd200019b0bac19abf828ee229ab7d43dc6
Instruction ID: a2d2bca99f1db04458628e36d8234714a147bffbd16d1f40bda1424cb3871bbe
Opcode Fuzzy Hash: db028594bc8b5677cbc4ad6c23936fd200019b0bac19abf828ee229ab7d43dc6
Instruction Fuzzy Hash: 1F41A521F1D6A9C3EA50AB26A06117E6399EF84784F140536EA9E4BBD5DF3CD402CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67122810 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC6710961D), ref: 00007FFC67122885
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC6710961D), ref: 00007FFC671228E8

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
Instruction ID: 456c83149d5d6734ef7f60e65f37fe2f4bc60ece843003f8ef6c619278681f33
Opcode Fuzzy Hash: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
Instruction Fuzzy Hash: 0B21D637B1E66982EA10DB56A42112EA3A1EF847A4F084536EE9C47BD8DF7CD481CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67121850 Relevance: 1.6, APIs: 1, Instructions: 144
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNELBASE ref: 00007FFC671219AE

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2cf95efc385c725b9022cf8212db04d77c482d4e4406951c86c10693420f5340
Instruction ID: 69b3c109f16f0cc5d5709a9479b5e565b80d2b9a5a2cfdb242d2969dad9385d0
Opcode Fuzzy Hash: 2cf95efc385c725b9022cf8212db04d77c482d4e4406951c86c10693420f5340
Instruction Fuzzy Hash: BB51CD32A0D3A5C6EB94EB2250352BD2261EF84B84F580836EE9D07785DF3DD981D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67121490 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFC671214EB

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 2eccd0c63b57d71c448d16ee564a8a11a0e937c987636d1f9c740f04a7ca8c8e
Instruction ID: f061e0582c38a4cef2ed241a95240ac0e5f974d12b7430faa73e6a2dbff61de4
Opcode Fuzzy Hash: 2eccd0c63b57d71c448d16ee564a8a11a0e937c987636d1f9c740f04a7ca8c8e
Instruction Fuzzy Hash: E821833670CB5AC2EA10EF5AA1640A973B0FF89784F944436DB9D07B45EF78E511CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F629 Relevance: 1.6, APIs: 1, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
Instruction ID: 71c5517bebf96a4f4d620ead332a71bfea0dd4ccca4f7b16b38fd6af7bb5c086
Opcode Fuzzy Hash: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
Instruction Fuzzy Hash: 9A11E722A0D66AC2E6709B12A0243BB6394FF44784F580937DBAE0B791DF3DE441DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F642 Relevance: 1.6, APIs: 1, Instructions: 51filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F75A

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
Instruction ID: 0a12c22122c171aa0244ab060d558932ebdd2d787245e2a4df539d15c2f15a50
Opcode Fuzzy Hash: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
Instruction Fuzzy Hash: 4911C62260D66AC6E6609B1260243BA6395FF84784F580937DBDE0B791DF3CD441DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711EC70 Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,?,D353BBDF,00007FFC6710990E), ref: 00007FFC6711EC9B

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 26ebda7149b16bce636ef64988408f2f4fd758443eccbcd7e202da9d4eacb6a9
Instruction ID: 56e2db17ffddd385ee355572dd9702f3e610bd673300856617fc73fb7469345b
Opcode Fuzzy Hash: 26ebda7149b16bce636ef64988408f2f4fd758443eccbcd7e202da9d4eacb6a9
Instruction Fuzzy Hash: 7511C621A2C26AC2FB644BA6952177913D1DF50789F041832DE4C4B6C5DF2CEA99C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F658 Relevance: 1.6, APIs: 1, Instructions: 50filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F75A

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
Instruction ID: 493b0d88328c52f392fa653fae8f466e9db585727ea1320e62ef08666aec3be9
Opcode Fuzzy Hash: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
Instruction Fuzzy Hash: 4511E022A0D6AAC2E6709B1260243FA2394FF84780F180937DBAE0B790DF3CD441DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F668 Relevance: 1.5, APIs: 1, Instructions: 47filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC6711F9E1), ref: 00007FFC6711F75A

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
Instruction ID: 6b2b77d80570fac13ad2bc04f73218479962fcb15e979423cdd825bc2a2a7bdc
Opcode Fuzzy Hash: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
Instruction Fuzzy Hash: 5D01A522A0D6AAC2E6709B12B0243BA6354FF84784F580937DB9E0B791DF3CD441DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC671226A0 Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32 ref: 00007FFC67122716

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
Instruction ID: 5668e3d75a2cd46fb618cca09badb813bdaffb4d24fec8b2e199cc41921c7ac7
Opcode Fuzzy Hash: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
Instruction Fuzzy Hash: 59114F7660CB85C6D6209F02F45019AB7A4FB88B80F698526EF9D03B04DF38D591CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC671070F0 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00007FFC6710713D

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
Instruction ID: d46c35bca76d3d9b640076a98c9a19b6a8855c95a10b86f20a1853828b930cb3
Opcode Fuzzy Hash: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
Instruction Fuzzy Hash: FB01F261A0CA69C2FA548B12F93466563A0FF89BC4F088836DACC0A795EE3CD420C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC671094A0 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00007FFC671094E3

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 493c924839c8f486efe9302bf07efba55ae8e24e31a758d15e6e508aa6b42a41
Instruction ID: a94b1dd4c3dd42c6aed8a2fa1bdbe26a2b4b6b262399d2e264e00402d1e2fed2
Opcode Fuzzy Hash: 493c924839c8f486efe9302bf07efba55ae8e24e31a758d15e6e508aa6b42a41
Instruction Fuzzy Hash: 4E0171A1A2C56EC2EE10EB17E8791BA5321FFD8784F405833E98E4768BDE2CD115D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67107190 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FFC671071EC

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: BoundaryDeleteDescriptor
String ID:
API String ID: 3203483114-0
Opcode ID: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
Instruction ID: 4a78a38863c437d914e34cfeb6b49a89ca47a7e84444b3898e8ee76d879d2d41
Opcode Fuzzy Hash: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
Instruction Fuzzy Hash: 39F03440E0E26A82FE68A3A3583827101825F89740F1C8C37C85E4A3C6EE2CEA51E221

Uniqueness

Uniqueness Score: -1.00%

Function 0000016B476E2060 Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000016B476E29A2), ref: 0000016B476E20B0

Memory Dump Source

Source File: 00000000.00000002.280677728.0000016B476E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000016B476E0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b476e0000_loaddll64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: 81247a2d3b84d932a238603f52e13dca24148583c201f72aa6798e3078c68cd2
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 35312F76615A5086D790DF1AE49579A7BB1F389BD4F205026EF8D87B18DF3AC482CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFC670EC030 Relevance: 9.5, Strings: 7, Instructions: 762COMMON

Download Yara Rule

Strings

4040, xrefs: 00007FFC670EC4FA
0020, xrefs: 00007FFC670EC321
GNOP, xrefs: 00007FFC670EC361
0020, xrefs: 00007FFC670EC4D9
UsS, xrefs: 00007FFC670EC053
3050, xrefs: 00007FFC670EC328
3050, xrefs: 00007FFC670EC4D2

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 0020$0020$3050$3050$4040$GNOP$UsS
API String ID: 0-786335679
Opcode ID: c7546b07cbe0d0cb54ac19bbcafac055524b476eec2706f5b751194a06c46227
Instruction ID: 12c5acca109651849dd426818243d7eb232cd29b6d41fe925ce48b6f9af37fde
Opcode Fuzzy Hash: c7546b07cbe0d0cb54ac19bbcafac055524b476eec2706f5b751194a06c46227
Instruction Fuzzy Hash: 6772852261C6AAD5EB20EF22C4A12FD2765FF94344F804532EA4D8769ADF3CE645C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F9990 Relevance: 7.1, Strings: 5, Instructions: 866COMMON

Download Yara Rule

Strings

S4, xrefs: 00007FFC670F9EFA
D, xrefs: 00007FFC670FA37B
vfoR, xrefs: 00007FFC670FA518
vfoR, xrefs: 00007FFC670FA39F
vfoR, xrefs: 00007FFC670FA5A0

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: S4$D$vfoR$vfoR$vfoR
API String ID: 0-739406038
Opcode ID: 9f81d7648c501c679a01b7c8bfebcff3f359ab3110e0c3c4bcb0409a87ab8b81
Instruction ID: 58ae2a8a60a15cdeb28d529e7bbe9393820e073c2c8875083623161b0558e34f
Opcode Fuzzy Hash: 9f81d7648c501c679a01b7c8bfebcff3f359ab3110e0c3c4bcb0409a87ab8b81
Instruction Fuzzy Hash: 54828B22A2C666C5EA10DF22D6A05ED6364FF84754F804932EE5E837DADF3CE504CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670FBAE0 Relevance: 6.9, Strings: 5, Instructions: 645COMMON

Download Yara Rule

Strings

S4, xrefs: 00007FFC670FBDCB
vfoR, xrefs: 00007FFC670FC0C2
vfoR, xrefs: 00007FFC670FC25F
vfoR, xrefs: 00007FFC670FBE17
vfoR, xrefs: 00007FFC670FC2E3

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: S4$vfoR$vfoR$vfoR$vfoR
API String ID: 0-2269768260
Opcode ID: ad1c61b5abb7709118fef60bedef370a1d41792bb72744018df3e1a3b7ec9870
Instruction ID: fd5ff133f42e9a29ad180b427ea5c4bfcd4e3709c5d3e922268ed9d2f560563b
Opcode Fuzzy Hash: ad1c61b5abb7709118fef60bedef370a1d41792bb72744018df3e1a3b7ec9870
Instruction Fuzzy Hash: 82422821B0C66AC1FA10EB6296712FE5251AF857A4F440A31DE1E877DAEF3CE505C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67134FF0 Relevance: 5.7, Strings: 4, Instructions: 682COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FFC6713536B
VUUU, xrefs: 00007FFC671353C4
ERCP, xrefs: 00007FFC6713511D
VUUU, xrefs: 00007FFC6713534B

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU
API String ID: 0-2165971703
Opcode ID: 591c415930979aab0714090d7240fd92d9ed515d5c4c0def523605ced274e22d
Instruction ID: 56102c6ccfb2df1cf668b46486808a12c09e50bc58021d01f4686d380f25a98f
Opcode Fuzzy Hash: 591c415930979aab0714090d7240fd92d9ed515d5c4c0def523605ced274e22d
Instruction Fuzzy Hash: B7528072A0D6A9CAEB648A7694603BD37A1FF04B68F144937DB4E56E84DF3CE580C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E6FE0 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

@, xrefs: 00007FFC670E76ED
)8GV, xrefs: 00007FFC670E747C
)8GV, xrefs: 00007FFC670E75FD

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: )8GV$)8GV$@
API String ID: 0-2802744955
Opcode ID: 81e940176c9cdf8373318ab9bdac5e965fb5dbb86a08c93e689229e17a67c758
Instruction ID: 3018f5046f41b2ecddc58344147b1175a6e39ca749fe0b26499fef83697f07a9
Opcode Fuzzy Hash: 81e940176c9cdf8373318ab9bdac5e965fb5dbb86a08c93e689229e17a67c758
Instruction Fuzzy Hash: B2326F22A2C66AD5EB10EF62D8712FD2365EF84384F805832EA4D87696DF3CE545C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C6790 Relevance: 4.2, Strings: 3, Instructions: 406COMMON

Download Yara Rule

Strings

GET, xrefs: 00007FFC670C686D, 00007FFC670C687B
*/*, xrefs: 00007FFC670C6CE2
POST, xrefs: 00007FFC670C6CD6

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: */*$GET$POST
API String ID: 0-3233530491
Opcode ID: 6a5464faf8c14e7bbf553d431dd16a1925e01ededdcf9ee096d392032e91729e
Instruction ID: 67886a16fb9984d8a88fabcdf9b88730343aae8ada1157d8d1fa51cd1de77459
Opcode Fuzzy Hash: 6a5464faf8c14e7bbf553d431dd16a1925e01ededdcf9ee096d392032e91729e
Instruction Fuzzy Hash: 1512B436A1CA5AC5EB10DF62E8641EE7361FF84388F400832EA4D47B9ADF38D549D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F91F0 Relevance: 4.1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

Strings

vfoR, xrefs: 00007FFC670F94F3
vfoR, xrefs: 00007FFC670F9592
0, xrefs: 00007FFC670F9296

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 0$vfoR$vfoR
API String ID: 0-4254161263
Opcode ID: d350fa5340abd046ea64996543aff13dccd632d370100e2343bf5d1d1fac6f85
Instruction ID: 91479274af5a788c8521a8e4f121a1d4c69fe43f54c7610bd74ecc6d1c669c35
Opcode Fuzzy Hash: d350fa5340abd046ea64996543aff13dccd632d370100e2343bf5d1d1fac6f85
Instruction Fuzzy Hash: 4FD1B122B1C666C5EA10EF62D5601FD2365EF84784F844832EE4D87B9AEE3CE505C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC671122C0 Relevance: 3.4, Strings: 2, Instructions: 875COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFC671122EC
, xrefs: 00007FFC6711230D

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: $(
API String ID: 0-55695022
Opcode ID: 3e2b856d7d3a8f0ae5682c0587b3bcc00a6fd6a82b500f45648ef920e4746369
Instruction ID: 558a44d50961bc26a8e4bcfce2f95ca24eb363e6dc0fffe97ebb4fdc74cd2f2c
Opcode Fuzzy Hash: 3e2b856d7d3a8f0ae5682c0587b3bcc00a6fd6a82b500f45648ef920e4746369
Instruction Fuzzy Hash: 6E829061B0C7AAC5EB64CB2694643B963A1FF46B84F445833DA4D0B799EF3CE851C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C2980 Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

UsS, xrefs: 00007FFC670C2992
UsS, xrefs: 00007FFC670C2AEF

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: UsS$UsS
API String ID: 0-3680756722
Opcode ID: 23b3fcce26cd67675d50db75c0cf96bdd3c5247b54bcd1dae220c95baa2cfd8f
Instruction ID: 8d7b2a37a702e7d7be68278803791370ee3951f281bd2b2722d4f3b7798a3864
Opcode Fuzzy Hash: 23b3fcce26cd67675d50db75c0cf96bdd3c5247b54bcd1dae220c95baa2cfd8f
Instruction Fuzzy Hash: 12025D22B2C5AAD5EB10EB62C4A52FD6325EF94344F800832EA0D87ADADF3CD545D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670FB250 Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

vfoR, xrefs: 00007FFC670FB705
vfoR, xrefs: 00007FFC670FB5F3

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID: vfoR$vfoR
API String ID: 3535843008-516101275
Opcode ID: e70ccd0b46facdcf3166a131d5e4bc0fa276d7f0aa9f1a61874d8124f207c8d6
Instruction ID: a5c9b2ce7b14c119a87610511f4a2d4f394b45a4e94e33a3bd8fb0b56ad780fc
Opcode Fuzzy Hash: e70ccd0b46facdcf3166a131d5e4bc0fa276d7f0aa9f1a61874d8124f207c8d6
Instruction Fuzzy Hash: E6F17022B1C56AD5EB10EB72D6711FD2365AF84344F844832EE0E97A9AEE3CE505C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C18D0 Relevance: 2.8, Strings: 2, Instructions: 320COMMON

Download Yara Rule

Strings

UsS, xrefs: 00007FFC670C1CCF
UsS, xrefs: 00007FFC670C18EA

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: UsS$UsS
API String ID: 0-3680756722
Opcode ID: 7d587fa0f625cbfa3b7563032b3aa8ec30568e3b4734641fd00ec8f0f8d94bc2
Instruction ID: aaeda1d742bdbd2ee4cfb6c5eb1033a7b8805caeef10210fd1158b7e7d6b3254
Opcode Fuzzy Hash: 7d587fa0f625cbfa3b7563032b3aa8ec30568e3b4734641fd00ec8f0f8d94bc2
Instruction Fuzzy Hash: 71F14E22A2C5AAD5EB10EB72C8651FD6365FF94344F804832E64D879DAEF38E605D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713C590 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC6713C5AF
, xrefs: 00007FFC6713C590

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 826032f99af1e45f3323206c5674498b31217282fc7c017b9907595b70bb6924
Instruction ID: 3636066956eb4614883ecaa2334c11b48a049b3acc3de6a496a32e5fe7ce1cd2
Opcode Fuzzy Hash: 826032f99af1e45f3323206c5674498b31217282fc7c017b9907595b70bb6924
Instruction Fuzzy Hash: 365179B3A086A9CAE7608F16D49876936A8FF44764F164A36DB4D87BD0DF78D440CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67122CA0 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

,q,\, xrefs: 00007FFC67122DDB
,q,\, xrefs: 00007FFC67122D9E

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ,q,\$,q,\
API String ID: 0-1092452903
Opcode ID: da22d920ff5cc6227cc0f6e061e432e43b1ab4f4e1d95c9d1540ba4b916ccb75
Instruction ID: 728bf1e697fa5fdbf8b480067d7f2159b1b33f29c26ec3d7b75c7084f9cb4cd7
Opcode Fuzzy Hash: da22d920ff5cc6227cc0f6e061e432e43b1ab4f4e1d95c9d1540ba4b916ccb75
Instruction Fuzzy Hash: 85418222F2C57AD4FB10EB7298650FD1275AF98B84B844832EE1E57BCADE2CD441D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F6130 Relevance: 2.5, Strings: 1, Instructions: 1270COMMON

Download Yara Rule

Strings

UsS, xrefs: 00007FFC670F6190

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: UsS
API String ID: 0-2967771648
Opcode ID: ca8ab2eaa58e68f626e0bd3fe2f5443d0bfce1d6699e45fb875e230c1eb9d738
Instruction ID: eae6867b03ca0f85d1566b23e02cc397555640d538292d707891a8dc8f71638c
Opcode Fuzzy Hash: ca8ab2eaa58e68f626e0bd3fe2f5443d0bfce1d6699e45fb875e230c1eb9d738
Instruction Fuzzy Hash: 1FD26222A1C5AAD5EB60EF22C5652FD2365EF94348F804832EA0D876D6DF3CE645C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670CC5A0 Relevance: 2.1, Strings: 1, Instructions: 865COMMON

Download Yara Rule

Strings

GET, xrefs: 00007FFC670CC5B5

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: GET
API String ID: 0-1805413626
Opcode ID: 1dfb2083978177327a3efa0d8a5fed058735e8857845f4be6ccedbbe9a0fe535
Instruction ID: a58c89a082b3d64e27f5b0ffb0108e3c41693290608d36287fe9b625fd844cb2
Opcode Fuzzy Hash: 1dfb2083978177327a3efa0d8a5fed058735e8857845f4be6ccedbbe9a0fe535
Instruction Fuzzy Hash: C982A122A1C66AC1FB50DB26D0B53BE6760EF95748F541932EA4E876C6CE3CE446C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D9D70 Relevance: 2.1, APIs: 1, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c7e941e264df4391f837f471c4530af583cdd237315f41e6336cec395a03c1
Instruction ID: 0ffd8d342d86dbf3d99e8928ce982d6dc484cd37ea2a6307dce67871df34a543
Opcode Fuzzy Hash: a8c7e941e264df4391f837f471c4530af583cdd237315f41e6336cec395a03c1
Instruction Fuzzy Hash: E5527221A1C6AAC5FB20EB72C4753FD23A5EF90754F900832EA0D56ADADE2CE545C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D5420 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

,q,\, xrefs: 00007FFC670D5611

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID: ,q,\
API String ID: 3535843008-3313482636
Opcode ID: 279a58ebf584ed7ba7a6137754720abf4cd195921bddb2da9a4930e224aabd46
Instruction ID: 7e857828679d083ed1950952db561f2aca00d7d0785daf9808ab65ffc58192a1
Opcode Fuzzy Hash: 279a58ebf584ed7ba7a6137754720abf4cd195921bddb2da9a4930e224aabd46
Instruction Fuzzy Hash: 14627E22B1C66AD5EB10EB72D4651FD6361EF94348F804832EA0E47ACAEF3CE545D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D3CD0 Relevance: 1.8, Strings: 1, Instructions: 572COMMON

Download Yara Rule

Strings

z, xrefs: 00007FFC670D452E

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID: z
API String ID: 1964310414-1657960367
Opcode ID: dd11310e4e969feabe1950c7963c6dce303810d0ab3ef17bc16e70dc82ddfa45
Instruction ID: ac52ae59ea7ce7531bb0170aed2957083ec9be3533356cead8602f3d4c4897c3
Opcode Fuzzy Hash: dd11310e4e969feabe1950c7963c6dce303810d0ab3ef17bc16e70dc82ddfa45
Instruction Fuzzy Hash: 3F527E32B18AA9E6E748EB31C6652ED7365FF84344F804836E71D43686DF38E165C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E5050 Relevance: 1.8, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

!hMy, xrefs: 00007FFC670E50CA

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: !hMy
API String ID: 0-318797071
Opcode ID: 8b1187c18133ce5b7faad7b4676b2ffb1aaee7d6e49dd8e33e69b88e7ee9e1c4
Instruction ID: 74800c2cf9666f752bdee80f9087cf0d41a8e3bf48da489825fbb7d38372d95c
Opcode Fuzzy Hash: 8b1187c18133ce5b7faad7b4676b2ffb1aaee7d6e49dd8e33e69b88e7ee9e1c4
Instruction Fuzzy Hash: 88428236A1C66AC5EA24EB22D4652FE6360EF95344F804C32D79E822D6DF3CE585C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EA310 Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

'Q|, xrefs: 00007FFC670EA42A

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CloseEnumValue
String ID: 'Q|
API String ID: 858281747-3964534801
Opcode ID: a7f88f11ebb2f20ff444be0074f6f7f4e2b2bd0c8388cc24e2b6011576de200b
Instruction ID: 49710ced281052175f2b811221368114e56309b9015018a14257e097a50769ca
Opcode Fuzzy Hash: a7f88f11ebb2f20ff444be0074f6f7f4e2b2bd0c8388cc24e2b6011576de200b
Instruction Fuzzy Hash: CE229D22B1C56AC5EA10EB62C1751FD2371EF88748F944932EA4E976CADF2CE506C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F4360 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

U, xrefs: 00007FFC670F48D7

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 2cc168c4871c95d12501f34edc6984f15e3f5eb071fe1104ca5c8a2494e78bfa
Instruction ID: 6efd5cc19fe5c0eadf68b5a1c51cbd4c322ae67d1963a5af26f65f44ed17af42
Opcode Fuzzy Hash: 2cc168c4871c95d12501f34edc6984f15e3f5eb071fe1104ca5c8a2494e78bfa
Instruction Fuzzy Hash: 59227F21A2C6AAD5FB10EB62D5653FD2361AF81784F800832EE4D47ADADF2CE545C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E4140 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

Content-Type, xrefs: 00007FFC670E446F

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: Content-Type
API String ID: 0-2058190213
Opcode ID: cc7789c24dcbb59baa313f562ed9f0841053ccb7bb214165e6c015bb631d1140
Instruction ID: 0274278f8d0f04f26d262739beb19f3d9c67cd5785c390ea9bacf4bd2c0934cc
Opcode Fuzzy Hash: cc7789c24dcbb59baa313f562ed9f0841053ccb7bb214165e6c015bb631d1140
Instruction Fuzzy Hash: B5128322B1C66AD6EB24EB72D0652FD6365EF44744F804836EA4E87686DF3CE506C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E69C0 Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

0, xrefs: 00007FFC670E6C02

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 603a1e6c89c621f90dbb0577f2ffc501f40dea9117a46ee29aeb04ead18e60eb
Instruction ID: 3fbc5e500207e3f01532df7f284404267e168748a6765321a07421263ee001cc
Opcode Fuzzy Hash: 603a1e6c89c621f90dbb0577f2ffc501f40dea9117a46ee29aeb04ead18e60eb
Instruction Fuzzy Hash: F0F1C632B0C769C2EB149B22A5602BA73A5FF85784F444836EE8D87B95DF3CD451C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713C0EB Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC6713C1AE

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d0fe163027e34e7fec8cb7a5ca1a9258698c9fba023c4617cc73a7ffd335cb98
Instruction ID: 38a4252b96209a9fba56950d001ba17a3dcae60514a7fe00d3066fbce678d3f2
Opcode Fuzzy Hash: d0fe163027e34e7fec8cb7a5ca1a9258698c9fba023c4617cc73a7ffd335cb98
Instruction Fuzzy Hash: 70F17E72A082A9CAE7948F1A8058B7E3AA9FF44B54F054A3ADF4D57BC1DF39D440C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F3CF0 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

-R+, xrefs: 00007FFC670F42F6

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: -R+
API String ID: 0-215093852
Opcode ID: c2ebaee40d3443b75258207ad54ae9ef1b3727b9b2307a94eb29f165cfbdaf13
Instruction ID: fd580cdc981b5d90de083af007db4c004a95d279b0196e8dfadebe3f50b6d61e
Opcode Fuzzy Hash: c2ebaee40d3443b75258207ad54ae9ef1b3727b9b2307a94eb29f165cfbdaf13
Instruction Fuzzy Hash: 1902AF22A2C6AAD5EB10EF62D5601ED6325FF84344F804832EA4D97ADADF3CE545C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E11B0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC670E12AB

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 827202f5d2b5b2e60ad1ac815b4e038e1c503d1a990c37d258570859f0d0a253
Instruction ID: d20497ee8af466e685942b774c95954a53767f37ca84f4280dbcf7bb83641720
Opcode Fuzzy Hash: 827202f5d2b5b2e60ad1ac815b4e038e1c503d1a990c37d258570859f0d0a253
Instruction Fuzzy Hash: D0B1B421B1C66AC5EB14EB7280742FD2361AF85788F444836DE0E57BCADE3CE506D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EF6B0 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC670EF82E

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c52085b52813831b42183e47ad3d99a7f7d6d7082d4d86fa951259cb7f88e0df
Instruction ID: db939553db064fb8abe43f3537c556aedf40f029ca8da8953e24131fcdb306f8
Opcode Fuzzy Hash: c52085b52813831b42183e47ad3d99a7f7d6d7082d4d86fa951259cb7f88e0df
Instruction Fuzzy Hash: 4181C521B1D26AC2E954A763A43437E6256BFC5B80F444C35E98E877CADE3CE901DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67140820 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 00007FFC67140864

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0862e3f9c1a049c60bd6644a5a9cac2d78c2248cef8693d182035f2e1037fa13
Instruction ID: eb67103c91652afad1b477778782e368288b9c9ea6cd6651157b735264a5f4ee
Opcode Fuzzy Hash: 0862e3f9c1a049c60bd6644a5a9cac2d78c2248cef8693d182035f2e1037fa13
Instruction Fuzzy Hash: AE716D737381B48BE7658B1FA420AAA7390F76634DFD56215EBCA47B41CA3DB900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E3D50 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

`ngU, xrefs: 00007FFC670E3E7E

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: `ngU
API String ID: 0-1771476526
Opcode ID: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
Instruction ID: ce3c12764ae9ac002fb95710383ad22d53b8a5e4d2d484e1568d7cd7dfbd075e
Opcode Fuzzy Hash: 99573f904c5d6b3ad7913296c3be0af2c30b65ad59d47746cb0cd9dafcb922a0
Instruction Fuzzy Hash: A191A522B1C56AC5FB14EB72D0A52FD6371AF54788F805833EA0D9769ADE2CE405D370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713B7A0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00007FFC6713B7EF

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
Instruction ID: 64ad6c8a474110177e59ba370b623202840fd983bf0eb553b37af5e9c105da6d
Opcode Fuzzy Hash: 5c0459b61386457cc212822abbe1eb74425903cd16e4a0cba1d06804f81f7a37
Instruction Fuzzy Hash: 7E41D667B244558BE3189F2998212BA2791F7E87817008838FBD7C3B89ED7CDE51C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67110650 Relevance: .9, Instructions: 875COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a739226de17ccc464195f0c11a586dc0e689c8a4ce4879c487f931ef600b5e
Instruction ID: a0fa98993a89aad90b4b4e9af561c4817a80df81c071596dbcc9d30c3dd1a0cc
Opcode Fuzzy Hash: 02a739226de17ccc464195f0c11a586dc0e689c8a4ce4879c487f931ef600b5e
Instruction Fuzzy Hash: 3B82C062B1C7AAC2FA248B1294643B963A1FF44F84F855833DA4D4B799EF3CD855C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67114BC0 Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe943440eb55d8ace1a4f0b4e594e6dcceb577fc1d26ec84d65597700bc05909
Instruction ID: a26c6cdc347734a4f5b4582225890518bcb55d1bd5d551fe4b914abd61e6452c
Opcode Fuzzy Hash: fe943440eb55d8ace1a4f0b4e594e6dcceb577fc1d26ec84d65597700bc05909
Instruction Fuzzy Hash: 0372D061B0C7AEC5EB658B1694602B867A1FF95F84F854833CA4D0B795EF3CE981C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67115840 Relevance: .8, Instructions: 796COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca06bd7f2049d35bb73f0ad3582ff2a172ed3a9d9748a45a6c721c0f409364d
Instruction ID: c92f574b973ea68f3bbf2bfedba711c59c94211aefa7e300413914a967087d0b
Opcode Fuzzy Hash: cca06bd7f2049d35bb73f0ad3582ff2a172ed3a9d9748a45a6c721c0f409364d
Instruction Fuzzy Hash: 9B72F171B0C7AEC1EA648B1694642B867A5FF85B84F854833CA4D0B795EF3CE981C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D7410 Relevance: .7, Instructions: 747COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9a309b6559be776572afeeb754e3d6c3cc73aff03e68f9f8e21edbf3e8152795
Instruction ID: b4f24fcdc70ba3a5324f41fa9243f85a1d62b5a0174a7d845ed31bc8be3a86d8
Opcode Fuzzy Hash: 9a309b6559be776572afeeb754e3d6c3cc73aff03e68f9f8e21edbf3e8152795
Instruction Fuzzy Hash: 18723F21B2C66AD4EB00EF72C5A51ED6765EF94344FC04832EA4D87A9AEF2CE505C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713C8B1 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274968c8ba36a5bd2d21743935f1cb3ee72fd8aa297ca413f492129fefee32e3
Instruction ID: 6fc21b1351f91456d8824c4e49fd371a392e74310b3203dee9f9a7c8993d5c26
Opcode Fuzzy Hash: 274968c8ba36a5bd2d21743935f1cb3ee72fd8aa297ca413f492129fefee32e3
Instruction Fuzzy Hash: ED52C276A182B98BD7548E2AD068A7D3BA9FF44754F01463ADB4E47BC0DF39D844CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6710F870 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fea4f79aaad7fe9cbf46996f4e631aa0e68aa59668c00d258b2a964dad979c92
Instruction ID: 0a7c7a107c83f3880b626d8768647496cdc4893f51a4cd6cf2ca87ed5972a539
Opcode Fuzzy Hash: fea4f79aaad7fe9cbf46996f4e631aa0e68aa59668c00d258b2a964dad979c92
Instruction Fuzzy Hash: 2452F362B1CBA9C1EB648B12D4643B963A1FF84B84F445833DA5D07799EF3CE850D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713EF80 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
Instruction ID: b6ee770ef54eb594334c14f5b9106140cfc050bba978a1939048bda9c8ba67a1
Opcode Fuzzy Hash: a27784a074e2bb7dca5615da6ac60503d5b4f0c137b04b5a13c1ab1661bc6fbb
Instruction Fuzzy Hash: 11626DB6618669CBD7648F26C09052C37B1FB58F68B255626CF1D43B89CF38E891CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670DE9B0 Relevance: .7, Instructions: 675COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 42a198ccab95ff3d5507a2f7297670992f3d12e92f6fddfb7f5eacd0fe1112bf
Instruction ID: ab5d292c2c91365b361a6e7cb3dfceb476e60e1a879ab144fc4f141832bbbd1c
Opcode Fuzzy Hash: 42a198ccab95ff3d5507a2f7297670992f3d12e92f6fddfb7f5eacd0fe1112bf
Instruction Fuzzy Hash: 81628322A2C66AD5EB50EF32D5651FD6765EF84384F804832EA0D87696DF3CE508C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C6E90 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586b0c86dd539f38de0044fba9eaed018cb5e3f9552df3ce0dc7b389be7bca84
Instruction ID: 7e1ea8d7dc4ebc121c80d9d2ae168d1814de528a06c26ae26279bd4d699cb8f9
Opcode Fuzzy Hash: 586b0c86dd539f38de0044fba9eaed018cb5e3f9552df3ce0dc7b389be7bca84
Instruction Fuzzy Hash: 3352A121A2C66AC1FA40EB62E4755FE6361FF84784F805832EA4E87696DF3CE505C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D8670 Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557c7400a35dc890cbd9c3821301a71d01a8831d2c5bcf8c7cf52b04ca6a0dcc
Instruction ID: a4e128f856a18f21fe7104dd9a64fdafbfb743df579255dcc0b7b1a7e42dbd58
Opcode Fuzzy Hash: 557c7400a35dc890cbd9c3821301a71d01a8831d2c5bcf8c7cf52b04ca6a0dcc
Instruction Fuzzy Hash: 76427B22A1C6AAC5EB10EB72C5612FD6365EF94354F804832EA0D87ADADF3CE545C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E4800 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90d669f03444080482cfb23dd3a86fad7c075120776a780245215426cd9e6d8
Instruction ID: c3119dc900060a2258a7744ccca3521d1bccf1347d73575b74ef8fd5d2c62505
Opcode Fuzzy Hash: f90d669f03444080482cfb23dd3a86fad7c075120776a780245215426cd9e6d8
Instruction Fuzzy Hash: 7E32C622B18666C5EB10EF77C4A52ED2765EF84B98F445436EE0E8778ADE3CE045C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D23F0 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7139bcd1ce5fdb58b7d546cb367074c75fbad7a78bf90e696654dd1ca0ba9ac0
Instruction ID: fc3fcc5221f96567d45d234464294515e189abecee0434864ca0c2b1c2bf13b4
Opcode Fuzzy Hash: 7139bcd1ce5fdb58b7d546cb367074c75fbad7a78bf90e696654dd1ca0ba9ac0
Instruction Fuzzy Hash: 33329022A1C66AD5EB10EF22D4A51FD2365EF94388F804832EA4D876DADF3CE505D770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670CB100 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16dea1e3c739009a0f3e1ac8366c1456fe6298dd4187c04af5b77b77fa2332cb
Instruction ID: c7ea6904f67e342368346b2e6047d44150bdeff991847154cc68b6b342c999f2
Opcode Fuzzy Hash: 16dea1e3c739009a0f3e1ac8366c1456fe6298dd4187c04af5b77b77fa2332cb
Instruction Fuzzy Hash: 51428522A1C66AD5EB10EF62C4A56FD6365FF84384F804832EA0D8769ADF3CD549C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670DD890 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996240fad6b35de64fc793b92b35b26cdcc948d61e990141f48373fa04fa355f
Instruction ID: 66c7a3c4f85a98af1703e26946281067a7bfaa6137727e29cb80e01b287d840d
Opcode Fuzzy Hash: 996240fad6b35de64fc793b92b35b26cdcc948d61e990141f48373fa04fa355f
Instruction Fuzzy Hash: 0E329222B18BAAC5EB10DF76D8642ED23A1FF84788F444836EA4D47B89DF38D545D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F89F0 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3bbf9f7806764439d6e39547c55a4600bd87bd8b1462e0748042ecacfab7a1
Instruction ID: dad98fd040ba8d995ccba6e1cbfde44889339e88591aca3529012ce0722a9916
Opcode Fuzzy Hash: bf3bbf9f7806764439d6e39547c55a4600bd87bd8b1462e0748042ecacfab7a1
Instruction Fuzzy Hash: 9E228D22B0D66AC5EA10EF2286A52BD2358AF84B44F454D36DE0E877C6DF3CE505C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D95C0 Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56e5b9810e8218cc68cf3b2d17d9b0a65729533e7e14b0982b9244d7add9ffb
Instruction ID: 9f2b4694ade63ea6cac57ca9bda372ba5c32e430a78221a42bff268275b3b61b
Opcode Fuzzy Hash: a56e5b9810e8218cc68cf3b2d17d9b0a65729533e7e14b0982b9244d7add9ffb
Instruction Fuzzy Hash: 80128121A2C66AC5EB10EF72D4752FD63A5EF84744F800832EA4D96ADADE3CE545C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E400 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49b644cad6694cd14e8da8a75c2b99da55971c1b9b2318d785b08d65ed4a64b
Instruction ID: f423b98ff0a8c816ef990eedf1c062721b6238d2f4cc845a73532161272e1e28
Opcode Fuzzy Hash: d49b644cad6694cd14e8da8a75c2b99da55971c1b9b2318d785b08d65ed4a64b
Instruction Fuzzy Hash: A002017290C2BAC5FB658B3680293793BB1EF11704F154937DAAE425E5DE2CE688D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670CDE20 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a31171ef1d09154c8bb64f43a5a6c94ab0abf716ba086a025094ebfeb533d6
Instruction ID: 09471cd9e1873fcf24ff1c3c8780a26cf2ac3e9d7638eaf7129c85ccbcba7cc1
Opcode Fuzzy Hash: a7a31171ef1d09154c8bb64f43a5a6c94ab0abf716ba086a025094ebfeb533d6
Instruction Fuzzy Hash: D6225322B2C66AD5EB10EF72C5A51ED6365FF94344F804832EA4D8769AEF3CE105C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C5C20 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
Instruction ID: b52d9b7521ba978e4d22eac4cea1d8984fe40d0096c4a9f62fe16028b3d83a0d
Opcode Fuzzy Hash: 50d2b93ebdf18556efae1baa4f9cd6940db842e628aaa6e187870812b7cc1f0b
Instruction Fuzzy Hash: 3122B732A2C66AC1EB10EB62D4695FE2365FF94784F804832EA4D83696DF3CE545C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC671282A0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f214e6889ff07b5cdff74ab9c3a83d51ae64ba2f67ed0e5182fd07676cd33270
Instruction ID: 08cb11feb0b256bfdcf4fee20eea164c5cfc94f9952e1680e77192d9b011c038
Opcode Fuzzy Hash: f214e6889ff07b5cdff74ab9c3a83d51ae64ba2f67ed0e5182fd07676cd33270
Instruction Fuzzy Hash: CC029131B0C66AC7FB20EB6290712F912A5AF94748F444936EE5D47BC6EF2CE541C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67129410 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141879225045fb0130bba94e189b1d8bd3edad3111932d99e478955394790145
Instruction ID: 7640f7b16f42486e249dccc5514ef23db0b5af4abe0ab5b34affe6be69f292bc
Opcode Fuzzy Hash: 141879225045fb0130bba94e189b1d8bd3edad3111932d99e478955394790145
Instruction Fuzzy Hash: C2028D36B0C26ACAEB10DF26C1A51AD33A5EF84784F514836DE1E97786DE3CE845C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670CBB20 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f12b039721c9f9441b328414c886d93419b1b5e6ea1361f51a92b464c44b6d
Instruction ID: 1e76f383a1bdf5c35fac8d14758ca447b3b671d8327a74596fc25c405298291a
Opcode Fuzzy Hash: 81f12b039721c9f9441b328414c886d93419b1b5e6ea1361f51a92b464c44b6d
Instruction Fuzzy Hash: 7E129621A2C66AD5EB10EF22D4A52FD6365FF84388F801832EA4D9768BDE7CD505D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67118D20 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad044c472c29d2d325e1586ee8c46f59d785f533081c7cd73c132967cb7ee4b1
Instruction ID: 624a3d649205cdeecf09c2c4f3dab2d2b93a5b9590720332d750c4174bf2a7ad
Opcode Fuzzy Hash: ad044c472c29d2d325e1586ee8c46f59d785f533081c7cd73c132967cb7ee4b1
Instruction Fuzzy Hash: BD02D021B0C7AAC6EB549B1294642B977A1FF85F84F894837DA5D0B785EF3CE840C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712B260 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd096a2520fd449fd2f8ed8bbd7dc8bfb964da9cbcf35daf852df9bd2801131
Instruction ID: e98392ad2b8ce95ee26113797a938f0ff2ca6338fdbb12aa5e1b662add5d6724
Opcode Fuzzy Hash: 1cd096a2520fd449fd2f8ed8bbd7dc8bfb964da9cbcf35daf852df9bd2801131
Instruction Fuzzy Hash: 1912A022B2C56AD5EB10EF72D8A51ED6365FF84788F804832EA0D57A9ADF3CD504D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E872B Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf9948244fb180f3218659b2276fec5f0e0b2484f239b0f5a362a7c94b9c646
Instruction ID: 57585f55a8db03dec92d6135a0f2ed82dfdaf98e9654cc7934269a7cf32d6272
Opcode Fuzzy Hash: ecf9948244fb180f3218659b2276fec5f0e0b2484f239b0f5a362a7c94b9c646
Instruction Fuzzy Hash: 1512A332B2CA9AD9EB10EF72C4612ED2761EF91344F800832E64D47ADADF38D645C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F06A0 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25436a7cbd74014a54dbca1e2ad640bb45033137a792dd7e05ffba4b7717c84d
Instruction ID: 18cd7f9f9221e42e79c478f65e313fb9273e70d62cede7a6ae4555716c4b6613
Opcode Fuzzy Hash: 25436a7cbd74014a54dbca1e2ad640bb45033137a792dd7e05ffba4b7717c84d
Instruction Fuzzy Hash: 7E028222B2C66AD5EA00EF62D5651ED6364EF94384F801832EE4D83A9ADF3CE545C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D08B0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bd0618e608784adac2a6ccecd2ba7583a7e321574bdf58de7476e057eceed6
Instruction ID: 6eaae6e73936c35222299f277a5777423d5e39b34643cc7a6fdbc6b470ed79f2
Opcode Fuzzy Hash: e5bd0618e608784adac2a6ccecd2ba7583a7e321574bdf58de7476e057eceed6
Instruction Fuzzy Hash: 89024272728A66D9EB10DF72C0A12EE2724EF44748F805436EF0E57A8ADE39F505D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D8FC0 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b92677647bed7ff327017e43527478b9a79cad1f243ae3ae9f668c2885e425b
Instruction ID: ab145a3962ebb20f6dc051af5dfec07b2bd25fd7ca934c23e65385e99de3eab6
Opcode Fuzzy Hash: 0b92677647bed7ff327017e43527478b9a79cad1f243ae3ae9f668c2885e425b
Instruction Fuzzy Hash: E1F17421A2C66AD5EB10EB72D5751FD2365EF94358F840932EA0D866CADE3CE505C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670DE110 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a010a916781879698f2e19ceb648617af44b790d6a98b2a48fbd400929ff3e5
Instruction ID: 50f5c9d40d457d3da788e1bbea24ce97efb37a49f590afbdae53ea85dcd0e414
Opcode Fuzzy Hash: 4a010a916781879698f2e19ceb648617af44b790d6a98b2a48fbd400929ff3e5
Instruction Fuzzy Hash: E9029122B2C56AD4EB10EB62D5752FD6365EF84784F804832EA0D97ACADF2CE505C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713FC00 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e549e9e6f9381bdde19e3905a338851c9fa38214a788d33658dd8582749182
Instruction ID: eeeea92944d11800e664ce07cb5b527b313d95c6aebd4c586bb1532711a98b48
Opcode Fuzzy Hash: 34e549e9e6f9381bdde19e3905a338851c9fa38214a788d33658dd8582749182
Instruction Fuzzy Hash: FAD15733A1C6A98BD3188F2A941427D7BA4FB54794F004236EF9E83B89DE3DD944CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712C780 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa656bd85405484802945174f5bcfb23684b2d937a5203aa7dfb0011b340f73
Instruction ID: a690dda25ad177c8db0c2d060b7ad2d70ef8a078236f3302cb011094cd909d48
Opcode Fuzzy Hash: cfa656bd85405484802945174f5bcfb23684b2d937a5203aa7dfb0011b340f73
Instruction Fuzzy Hash: 1EF17F22A2C9AAD8EB10EF32D8A51FD6365EF94348F804833E60D569DADF3CD545D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670DA7D0 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9b76e739d0b20bc514d5649fa6397f4267e8081a65911ffc1e4c9d184f3614
Instruction ID: ab560029adce1441b86e17ce04622b670c29b8a48488ef8a4b9e4e6c48a661a0
Opcode Fuzzy Hash: ec9b76e739d0b20bc514d5649fa6397f4267e8081a65911ffc1e4c9d184f3614
Instruction Fuzzy Hash: 79E1A122A1C66AC5FB10EB72D4752FD23A5EF90358F904832EA0D46ACADF2CE545C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670ED550 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623638aa73f52889be8d1c31f433fa6a904df7df3d8eb3ae4ee5af1cf35276be
Instruction ID: 2ff8c0364ec1172a08daf024994c57e3f09ed5e9b1bbb2f71caa4e52d07fcdf6
Opcode Fuzzy Hash: 623638aa73f52889be8d1c31f433fa6a904df7df3d8eb3ae4ee5af1cf35276be
Instruction Fuzzy Hash: F8E18522A2C56AD5EA00EF62D5651ED6364FF84384F900832EE4D93ADAEF3CE545C770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67125B50 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c2437e9efd40f163505b5ee16583e4bba0e0d31fdf673491ef8b3244613bb6
Instruction ID: 2ed7e465eae8cdfc884531d99e60ca681b6c39e93a00bb9278011fb81c5a6514
Opcode Fuzzy Hash: e6c2437e9efd40f163505b5ee16583e4bba0e0d31fdf673491ef8b3244613bb6
Instruction Fuzzy Hash: D1C13B1352C1E08AD3558B3660A02BABEA0EF95388F580576DEDD96ADBCE1CD254CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EDAA0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019c3818e49e7492b17d3b444b1d0ddf21397838769942b4d133398172001bc0
Instruction ID: 91d02e037f77d31f36bcbf0510a94a1eab84b33982e925006638cc30fa7a8ae0
Opcode Fuzzy Hash: 019c3818e49e7492b17d3b444b1d0ddf21397838769942b4d133398172001bc0
Instruction Fuzzy Hash: 60D15222B2C56AD1EB00EF72D4651ED6365FF94344F904832EA4D87A9ADF3CD505CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F0D10 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddc44d860aa59944bf5c23a4df4552e0da28415d8bd1abcc74885b13133f392
Instruction ID: c1c66901a3ca9efaa8bb5e420a7fef04a0c9a0dadaa219ea8f98005954e04677
Opcode Fuzzy Hash: cddc44d860aa59944bf5c23a4df4552e0da28415d8bd1abcc74885b13133f392
Instruction Fuzzy Hash: 25C19122B1C52AC5FB20EB7295603BE27A1AF84388F544836EE4D976D9DE3CE505C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EAC80 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 6a1bd024c2c415626e3d26f25a7162ee42f270b7bb063cf94463ffc28699e898
Instruction ID: 4835f7b1e88634a7408c0b9bf2fde960d48d6a9092c513ac6f893ead99037e6b
Opcode Fuzzy Hash: 6a1bd024c2c415626e3d26f25a7162ee42f270b7bb063cf94463ffc28699e898
Instruction Fuzzy Hash: A9D1A022A2C66AD5EB00EB22D4652FD6365FF84384F804832EA5D47ACADF3CE505D770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67120770 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e42092f548368cb371c2b483d487d87f6b6e0d7345918813f4e9e68c14427a
Instruction ID: 2ef2d101904763483076f57c9cb1008731672eb547b9533a9eb45a0269ba53cf
Opcode Fuzzy Hash: 78e42092f548368cb371c2b483d487d87f6b6e0d7345918813f4e9e68c14427a
Instruction Fuzzy Hash: 63C19E22B1C62AC6FB10EBA2C0792BD2365EF54788F804932DE1D576D6EE3CE545D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67120F30 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f517ed78391c7fc8f6e750fc61c14f38bf71b43654d3e29c65c5cd78ea3ef9
Instruction ID: 5cc98f1726e3e5b6140ca79a022da008675f5a98d5ec42d4affbbe3fb359af16
Opcode Fuzzy Hash: b0f517ed78391c7fc8f6e750fc61c14f38bf71b43654d3e29c65c5cd78ea3ef9
Instruction Fuzzy Hash: D8C1C332B0C65AD6EB14EB72D4742FC23A1AF44758F440A32DA2D57AC6DF38E5A5D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E3910 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 307f0f14a74e58f75e681ef2cc5d2378040a00e8304d47f44f5e290cb001da96
Instruction ID: 645123d42902c3101faca9ad170dbeeb2f7eba78ee083b585b3e5c0209443e6e
Opcode Fuzzy Hash: 307f0f14a74e58f75e681ef2cc5d2378040a00e8304d47f44f5e290cb001da96
Instruction Fuzzy Hash: 12B16F25B1863AC4EB04EB62D8695FD2365AF49BC8F805836EE0D57B96DE3CD405D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712B960 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55de7ce1179f0f36ce485c2ca33088e433d153ca3a1ab5c59ce295e2ff2f528
Instruction ID: b754d2b278072cae76fd127c96c13b872dd16323b8acdd5c8e35198a53cbc173
Opcode Fuzzy Hash: e55de7ce1179f0f36ce485c2ca33088e433d153ca3a1ab5c59ce295e2ff2f528
Instruction Fuzzy Hash: 87C17022B1C56AD5EB20EB72D4652FD2375AF54788F800836DE0D57A8AEE3CE149D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F1D30 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38a847d9370bba91ed3935733d594ce3305399c67660d5bb08561dfbf887e03
Instruction ID: 5c41e6a678bf4eab77527fa15608f020ae488bb8f1710fe525c8a8cbf4aa8419
Opcode Fuzzy Hash: d38a847d9370bba91ed3935733d594ce3305399c67660d5bb08561dfbf887e03
Instruction Fuzzy Hash: D8C17422B1C5AAD9FB10EB62D5642FD2365AF94348F804832DE0DA6ADADF3CD505D370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F25C0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c6439e09a40265a4e95b22acf488c3e8bcb13a6b9fe0244e0b503cf04d4d59
Instruction ID: 21dc1b9c2088620e0102393af8cd74af6787cfe143a409c5c6a58fea3cf34dda
Opcode Fuzzy Hash: 83c6439e09a40265a4e95b22acf488c3e8bcb13a6b9fe0244e0b503cf04d4d59
Instruction Fuzzy Hash: 5EB17022B2C5AAC2EA14EF22D5651FE6351EF94784F844832EE4D8779ADE3CE504C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67124390 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6932f466916dd60a901800d8cf2606beabf989d8d377ac7c79455be2081a79f4
Instruction ID: 469989dda8b39ca10d7265335b0b1ee740645f0fcd3224ee8cfe55fdad882ec0
Opcode Fuzzy Hash: 6932f466916dd60a901800d8cf2606beabf989d8d377ac7c79455be2081a79f4
Instruction Fuzzy Hash: CEA13B31A1C6BAC2EB619B2694343BA16F1AF84344F545932EE6E477C8EE3CDC41C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E48B Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a38545368d800816d91fafedca056006431c0b1922fe48b29b4c2ab83955551
Instruction ID: b5923fcc0d6d826c02715e043479ff67e1b28dfb9e6be0d496d515169f30c60d
Opcode Fuzzy Hash: 3a38545368d800816d91fafedca056006431c0b1922fe48b29b4c2ab83955551
Instruction Fuzzy Hash: 56A1157280C2BAC5FB658A3280653797BF1EF11709F154433DAAE425D5DE2CEA89D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67127AF0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9aa67c4f42f0dc04bfc4c3fc88b13842e585507a9ff165ebfaf896c41a7855b
Instruction ID: 96e3b0afef3945bba5401bb06cec60a85f910f7996e330048cf88467e0277057
Opcode Fuzzy Hash: c9aa67c4f42f0dc04bfc4c3fc88b13842e585507a9ff165ebfaf896c41a7855b
Instruction Fuzzy Hash: E9A1BF32B0C66AD5EB10EB6294602BA22E5EF98784F440937DE5D537D5EF38E941C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C7A40 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416f41ac475a1bb2d945df44cd1e44e91a0a7360b86ad90bd37f89514c6d65ab
Instruction ID: b67bf4e4c0b4ca92fe8b7fc173992b9792a06436d6a81edae7ba75758e2f9517
Opcode Fuzzy Hash: 416f41ac475a1bb2d945df44cd1e44e91a0a7360b86ad90bd37f89514c6d65ab
Instruction Fuzzy Hash: A1B1A321B2C65AD1EA00EB22E4691FE6365FF94784F801832FA4E4769ADF3CE505D770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E4AD Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction ID: 5294df780cfba91cfe06979aab40d5e1b33e16349ab0bb0c888b0e7188b42704
Opcode Fuzzy Hash: dc8327572ae460ec67bee7642bc1df1dfc8e00bf19c98c3d2f0bb37742338d2b
Instruction Fuzzy Hash: C0A1367280C2BAC5FB658A32802537A3BB1EF11708F154433DAEE465D5DE2CEA89D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E49D Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction ID: 74ba2630e6230bbd936a1decefbb181092ccd02935c5053fc779fc3082c0de49
Opcode Fuzzy Hash: 1e075c1df208aa39fb877a834bfc4403f559291216783e55fb63477ae2eadfdc
Instruction Fuzzy Hash: A2A1367280C2BAC5FB658A32802537A7BF1EF11709F154433DAAE465D5DE2CEA89D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E4A6 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction ID: e0e9da7c3e9869cb0333a26431ac643db5d9525d82819a645906e64873d05359
Opcode Fuzzy Hash: b68406ce4345875cbc0110dbe212228596ffa7fd34d07f9d141f7f6a9cf54bfa
Instruction Fuzzy Hash: 31A1267280C2BAC5FB658A32802537A7BB1EF11709F154433DAAE465D5DE2CEA89D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E4B6 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction ID: bd8021cbe37d2f6d0dabc166cd4f60138c8b0fc152884de69f09d8e1225c4239
Opcode Fuzzy Hash: 20a2fa5d4e375044cfc16d96b5b502da69406d12098659286745a9d4aecf6a6c
Instruction Fuzzy Hash: 3FA1267280C2BAC5FB658A32802537A7BF1EF11705F154433DAAD465D5DE2CEA89DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712E494 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction ID: 7a2e220692977701b417ff3be56bd98663de9707aa22b67a2a8d36ebf1f56f36
Opcode Fuzzy Hash: 92fc6e297697f72d3d55b197ac04fe50775a4f95a26f4c9e919e5e137ab98750
Instruction Fuzzy Hash: B7A1367280C2BAC5FB658A32802537A7BF1EF11709F154433DAAE465D5DE2CEA89D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C1010 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0b3c74c90c8ebee581f861ac3507a9c6adabab669bf90753d4843c10547964
Instruction ID: c68592b63e5b3076dc9b7a7f157d5ba28381f570baffca0908ffa2234d77f27d
Opcode Fuzzy Hash: 4c0b3c74c90c8ebee581f861ac3507a9c6adabab669bf90753d4843c10547964
Instruction Fuzzy Hash: 60919136B0D66AC6EB50EB62D5742BD23A5AF84748F444832DE0E87B95EE3CE405C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D65E0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50560bdfbda826e81843fbf93004351cf64035d4d4cac07f969261b8185ab4f
Instruction ID: 58e6adaf04f4b18b863b11ab28f7770e31745f244224362a6ec96609ce38e199
Opcode Fuzzy Hash: d50560bdfbda826e81843fbf93004351cf64035d4d4cac07f969261b8185ab4f
Instruction Fuzzy Hash: 3BA16422B1C66AD9FB10EB72D5651FC2365AF94348F804932EA0D57ACAEF38E505D370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EF1F0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9870e55b1e5bf04e241743c4586011b4434590149557e7c254f0b1f56fdab86f
Instruction ID: 001343678d446d04201882c3837388923ae50b34d4d3df66cf78413a31a1a3df
Opcode Fuzzy Hash: 9870e55b1e5bf04e241743c4586011b4434590149557e7c254f0b1f56fdab86f
Instruction Fuzzy Hash: 0BA19E22A1C66AD5EA50EF22D4741FD2365EF94384F840832EA4D57A9ADF3CE506CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670D8340 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e81a262cda3168bcad7e7504a26cb2082127080fdf78040bff04c52d5a9599
Instruction ID: ca5011bcb9a503e4cd051b1944a73470f628b9bc4299dc10f8cde028ecc7d0c4
Opcode Fuzzy Hash: d7e81a262cda3168bcad7e7504a26cb2082127080fdf78040bff04c52d5a9599
Instruction Fuzzy Hash: 37913122F1C62AD9EB10EBB2C5651FC13659F94348F804836DD0D976CAEE2CE509D370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EE9A0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: abb5af3013fd6220e6665e7c4d856e09e457d9463e8ceb771b8041e35f9ca803
Instruction ID: 7edd39bd423bcd7ed2494c15ac87c4fa92519ffc8a892118dfa767b9ac05b3f5
Opcode Fuzzy Hash: abb5af3013fd6220e6665e7c4d856e09e457d9463e8ceb771b8041e35f9ca803
Instruction Fuzzy Hash: 0E91A122B2C56AD1EB00EB62D4695EE6365FF94784F801833EA4D43A9BDF3CD504CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6713BF6F Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
Instruction ID: 6e5ed03eae513f3f001ba5eecf4b45f328a5982cdf5fe9e6da322c660c4ab47d
Opcode Fuzzy Hash: 3bcda5f2e61e4c1def9d688b2f5660763abb74eff223fccdf401fc2a77c4feb5
Instruction Fuzzy Hash: E9817076A182A9CBE764CF2A8058B6D36A8FF04754F11497ADF4D87B84DF39E840CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670FF870 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
Instruction ID: 3a1b889e16bcc08509788f1d13176ad25cebf2091a465961d1f8f3942883a97d
Opcode Fuzzy Hash: b85e566c5cd1b3efafa7de1cf7fdb180de4cf711e5ead7e0c2a340013c9006fe
Instruction Fuzzy Hash: 1381B962A0CA6AC6EB218B2BD66007D6B65FF85B90F184532CE8E87755CE3CF441C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E82E0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f3b5d1f381441116eef44686c6cbc86ac4360f19897277b7bf3a5d517a81fc
Instruction ID: dde992cd60c7d717485350bfd260ffbd8b66da1e6164a84abbf2e7da0e465343
Opcode Fuzzy Hash: f1f3b5d1f381441116eef44686c6cbc86ac4360f19897277b7bf3a5d517a81fc
Instruction Fuzzy Hash: 39917E22B1C56ACAF710EB62D4612FE23A0EF94748F845832DA4E876D6DF2CE445D770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F0300 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8bba41df0b631ae6b7206df5ab0a6277447c4f11eb6ec05468c548c9ecf811
Instruction ID: a701dd3ee7d457476a5bf1ab615e861c55e515390d5bb5e62fddeeeaee816f4b
Opcode Fuzzy Hash: ce8bba41df0b631ae6b7206df5ab0a6277447c4f11eb6ec05468c548c9ecf811
Instruction Fuzzy Hash: 80914E32B1C56AD6EB10EBB2D5612ED2361AF80358F800932DE1D979DADF3CE555C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67126950 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8adc0b036d941ec198f692a244335db4514cc05e594f38ae55f616912a3bd7
Instruction ID: db80741e59f62828d35134157fef7e6361663c7e0c789090f681b1ea5a1fefaf
Opcode Fuzzy Hash: 6f8adc0b036d941ec198f692a244335db4514cc05e594f38ae55f616912a3bd7
Instruction Fuzzy Hash: 76817122B1C66AD5EB00EF72D5711FD23659F84788B844932EE1D87AC6EF38E505C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F2E10 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ab40f336fdfb1061e144a8cc54dd8d077ea0d8f8a68ce9c2a609d9519aa0c7
Instruction ID: 3ea768013565d162a61b8ddd2a238cb8e7b319b364739ed23abfeb19a90b33b3
Opcode Fuzzy Hash: f4ab40f336fdfb1061e144a8cc54dd8d077ea0d8f8a68ce9c2a609d9519aa0c7
Instruction Fuzzy Hash: 28719321B0D66AD5EB14EB72D2742BD5291DF88788F444836EE0D87BCAEE3CE505D321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67127EC0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcde41e0a7583d518310dfbb963ee780db1660248ca706961fee8ac5049723c
Instruction ID: 3c4b9f7f2dd86e03d3a2c492313c7645135a8887e6ff404908b938808a703ce6
Opcode Fuzzy Hash: 4dcde41e0a7583d518310dfbb963ee780db1660248ca706961fee8ac5049723c
Instruction Fuzzy Hash: AC611521B1C66AC1EB50EB2395315BA52A0EF857D0F444A33EE6D877D6EF2CE441CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712A6B0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c36971f46e003a861835c282887fceece629fa51251a8ea25984ac83311837
Instruction ID: 501d39a54b2ef7533b12af3bdbe2dab0ad59bb3b8de8c2f7c0a40a5bfeceffd7
Opcode Fuzzy Hash: 90c36971f46e003a861835c282887fceece629fa51251a8ea25984ac83311837
Instruction Fuzzy Hash: 79715736B0CA2AC9EB14DB66D0712BD23A1EF84B48F544832DE0E47B89DE38D549C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6711F2C0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798e347792bcf9b81b96428d86b51cfbcdcb2c80bf44afc999fdb096d1e74fe6
Instruction ID: 9ac892af78273f6a22dcb2e7bb72484fa6067b4af3325719340a8486194df159
Opcode Fuzzy Hash: 798e347792bcf9b81b96428d86b51cfbcdcb2c80bf44afc999fdb096d1e74fe6
Instruction Fuzzy Hash: ED61A621B1D56AD5FB10EB72C0742FD1365AF88788F844833EA0D5BACAEE2CD501E761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C1620 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4dc2bfabc17449b75592575b237d49754ff1d7599ab7260522444cf79d2ee90
Instruction ID: bd216cceeabf8faf67b2f5684bec936890e3dd5d06c7de24641fe20e0585b771
Opcode Fuzzy Hash: b4dc2bfabc17449b75592575b237d49754ff1d7599ab7260522444cf79d2ee90
Instruction Fuzzy Hash: 2C61A722A2C66AC1FA20EB16D0756BE6361FF85784F805932FA5D47ACADF3CD504D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F21D0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 879cfdad07db6dd87252a24be95836cbeb42ffab31f611b4c9adb5531f6bcd0b
Instruction ID: aa371db465e6a3eebc202bc9e40974dc834bf116b6b75f17401475df75ce5d30
Opcode Fuzzy Hash: 879cfdad07db6dd87252a24be95836cbeb42ffab31f611b4c9adb5531f6bcd0b
Instruction Fuzzy Hash: ED719B32A1C699D9EB10EF62D4642ED7761FF84348F844432EA4D47A8ADF7CE548CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712AAA0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 275f6da6b97318c83fb225dda8a1cf2de2bb796bd6b45b7edf39d740dbf5db77
Instruction ID: a71eb33b07153204e8a72bc6600ab81f7c7120c8a01e38ab7ca8b6f2a320d363
Opcode Fuzzy Hash: 275f6da6b97318c83fb225dda8a1cf2de2bb796bd6b45b7edf39d740dbf5db77
Instruction Fuzzy Hash: 4E517532A1C56AD6FB50EB62D4752FE6361FF84344F840832EA4D47A9ADE2CE544DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670DE770 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfd4d3a38dcc9c286a30951bdd9187095240217e9738b6b55d4f719d628df71
Instruction ID: 82ac3c10ca98d0d09637ed8355f4b5ab220335fcb4da00906bc4a41f9ca85301
Opcode Fuzzy Hash: 0cfd4d3a38dcc9c286a30951bdd9187095240217e9738b6b55d4f719d628df71
Instruction Fuzzy Hash: 8F51C232A1C79AC5EB10DB26D4A42BDA3A1FF85784F404936EA4D47BDADE3CD501CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E3340 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde20b107614cf7f05154718f8ba7f9bd15b3d18a84ad2b0ec48881977a5ed00
Instruction ID: e63a974e16e48b22ef300a31934539b827998cf2d45591566448f5dc67f31cf6
Opcode Fuzzy Hash: dde20b107614cf7f05154718f8ba7f9bd15b3d18a84ad2b0ec48881977a5ed00
Instruction Fuzzy Hash: 14613932508B85C1E750DF32A454AED33A9FB48B88F984539EE9D4B35ADF398056E334

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC6712A490 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d04c4905bf18e0a6290439cd50923c1c84a3f6567b06c6e696e708ae0d6a31f
Instruction ID: 05b05996f8a2426751c498e914511c575ae22d3027ed914654adfc16f981c537
Opcode Fuzzy Hash: 9d04c4905bf18e0a6290439cd50923c1c84a3f6567b06c6e696e708ae0d6a31f
Instruction Fuzzy Hash: DC51722272C5AAD1EA50EB23D5656AE6365FF85BC0F805833EE4D43B86DE3CD404DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F1B30 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88a559203c7cebfbd6855f8d2fd484b342d8cb8f626eff4b2b47ba49cdf8c80
Instruction ID: aa11da51afd0b857bbaa584026fa050e44764d5caa9f7f21b5103401461f73f4
Opcode Fuzzy Hash: c88a559203c7cebfbd6855f8d2fd484b342d8cb8f626eff4b2b47ba49cdf8c80
Instruction Fuzzy Hash: B4518122B1C55AD9FB10DB62D4716FD2365AF84788F844832EE0D96ACADE3CE505D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670EE7B0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae699ce5c0bbda65b5b1ef91aada53cd0acd1d5adef34fe9746f0cfa28bcfde
Instruction ID: 2686e77250481ddc1aefde792cd29611379c958248e71f9e9655d3a39b1f9c3e
Opcode Fuzzy Hash: 0ae699ce5c0bbda65b5b1ef91aada53cd0acd1d5adef34fe9746f0cfa28bcfde
Instruction Fuzzy Hash: 0B51A222B1C56AD5FB50EB72D4653FE6361BF84348F840832EA4D4698ADF3CE549DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F0020 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93de49f56272cc95a8d74b98ed4d3cc6bbdaf70b6a689fecc50139941e1158ee
Instruction ID: 79f8dd94e3813cfb9124b726a28ced120187c219456e1079bc472f40f3eacc62
Opcode Fuzzy Hash: 93de49f56272cc95a8d74b98ed4d3cc6bbdaf70b6a689fecc50139941e1158ee
Instruction Fuzzy Hash: 8C51B132A1CA6AD2EA10DB22C5655BE6364FF98750F814932EE0D83792DF3CE155C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67122AE0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c5eff94ab1069691c4844bc6226e708b04ada7520549e9c415e38db7fabc1b
Instruction ID: 58f2c44165fd3c0acecf53169d14a9bdb0eef9b183e5b6a77f0c3d529a34d619
Opcode Fuzzy Hash: a0c5eff94ab1069691c4844bc6226e708b04ada7520549e9c415e38db7fabc1b
Instruction Fuzzy Hash: DC417F22F2C53AC5FB14EB7298651FD1261AF88784F854832EE1E57A9ADE2CD541D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E3610 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a67f7206456b2db2724d6fae160af65c8de3ea401ed3a1e642dae891dc2ed5
Instruction ID: 9084fd8b620d442859af02e8f1ad31bb6c8aa8fa693755aebda6e0ae5634f256
Opcode Fuzzy Hash: 20a67f7206456b2db2724d6fae160af65c8de3ea401ed3a1e642dae891dc2ed5
Instruction Fuzzy Hash: AD510632618BA4C5E744DF36E8542DD33A8FB48F88F58853AEA8D4B799DF348052D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670F5CD0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5522483151d29cc1ab9e0e0eb5f9bdd0ac6375b7f5cd2107375de97b23ccdb
Instruction ID: 7f7e2a35a9c7d226aee8e6aef9966f9abd1dcac2b6e9d73ddd2415d1dc7a8aa8
Opcode Fuzzy Hash: 8d5522483151d29cc1ab9e0e0eb5f9bdd0ac6375b7f5cd2107375de97b23ccdb
Instruction Fuzzy Hash: A7511472709755CAE7649F71A0603AE3692EF84308F148939EA4E0BBC9DF3DC411C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E92C0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ed485ed79017828fa275668a6b240ee44ec333649149c50830fa5468da009089
Instruction ID: 0d2a502285d57ebc34fc421785ceaf53f410ae01ac71eae8710981951f9a23ff
Opcode Fuzzy Hash: ed485ed79017828fa275668a6b240ee44ec333649149c50830fa5468da009089
Instruction Fuzzy Hash: 52517A32718A96E2E708DB22D5A13E9B368FF48340F908426DB5C57655CF38E1B6D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670E2F50 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329e3b8f024e1dd1533882e6a9b116661807d52ce56c67e8b288f43a3d04241f
Instruction ID: 25faf22ec587904ae01c65cff4c3d4824544fe37a83aebe7ffc93a729283a812
Opcode Fuzzy Hash: 329e3b8f024e1dd1533882e6a9b116661807d52ce56c67e8b288f43a3d04241f
Instruction Fuzzy Hash: 57511832618BA5C5E744DF35E8512DD33A8FB48F88F58453AEA8D4B799DF348052D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC67125760 Relevance: .1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3e9a54e1fe4ebffb9e64bf804787288841480151686f3b26699af22df9eaf9
Instruction ID: c083a88df49a69033581e0a1463ab54f4693d5f5c4adab289f5ad5f0932ea1ae
Opcode Fuzzy Hash: 5a3e9a54e1fe4ebffb9e64bf804787288841480151686f3b26699af22df9eaf9
Instruction Fuzzy Hash: 4F314872A0CA69C2F6549B07A4A127976A1EF88340F948577DBAD433C8DEBCD8C1C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C5350 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f9d156710a96b2c26b0618203b3b02571b95e83806bfe28e8d5b0c11668b02
Instruction ID: bef1246b6bd62546e7d08921d2c2a35d93a2278047012230672b22c551db1aa6
Opcode Fuzzy Hash: 25f9d156710a96b2c26b0618203b3b02571b95e83806bfe28e8d5b0c11668b02
Instruction Fuzzy Hash: BD315C32624B54D1E248DF26D8942ED73A9FB88B88FA88436E38C07695DF79D063D310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC670C7E80 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFC670C0000, based on PE: true

Associated: 00000000.00000002.280888844.00007FFC670C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281038615.00007FFC67143000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281053176.00007FFC67156000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.281057803.00007FFC67158000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffc670c0000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288751330fbc12dfa7c57884471a2cf55a6adf9df6ede5974d900619b2209c55
Instruction ID: 4680ba70c6a3af8f97329cdf6f7b6a2c3e848f611ae0c9f168beba79b5b52dee
Opcode Fuzzy Hash: 288751330fbc12dfa7c57884471a2cf55a6adf9df6ede5974d900619b2209c55
Instruction Fuzzy Hash: 11311036614B44C0D740DF3599942ED72E9FF98B88FA88836D64C4A5A5DF79C057E320

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7120, Parent PID: 7088COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000016BB42F2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000016BB42F23BE
VirtualProtect.KERNELBASE ref: 0000016BB42F2478
RtlAvlRemoveNode.NTDLL ref: 0000016BB42F25BE
VirtualProtect.KERNELBASE ref: 0000016BB42F2684

Memory Dump Source

Source File: 00000002.00000002.382570831.0000016BB42F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000016BB42F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16bb42f0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 5ca31b123752109fed6dfc990a2c84b796dcea46d53c83c6776e3a80e7e81efd
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: E5B146B6619BC586D770CB1AE4407DAB7A0F7C9B80F508026DE8D93B58DB7EC8918F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000016BB42F2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000016BB42F29A2), ref: 0000016BB42F20B0

Memory Dump Source

Source File: 00000002.00000002.382570831.0000016BB42F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000016BB42F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_16bb42f0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: ae7ab2af6aaaf4eea882d31288538f28078403b75ffac0795b8bf6b8cfb94fce
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: B13145B6615B5086D790DF1AE45579A7BB0F389BD4F605026EF8D87B18DF3AC442CB00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7132, Parent PID: 7112COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000017F7C0B2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000017F7C0B23BE
VirtualProtect.KERNELBASE ref: 0000017F7C0B2478
RtlAvlRemoveNode.NTDLL ref: 0000017F7C0B25BE
VirtualProtect.KERNELBASE ref: 0000017F7C0B2684

Memory Dump Source

Source File: 00000003.00000002.260779016.0000017F7C0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017F7C0B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_17f7c0b0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: e719557f0ef0e3437d2ec4e387c8b40f73434386ceea93628adf7f00931d7e6c
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 10B14276618BC586D770CF1AE4407DAB7A1F789B80F10812AEE8D97B58DB79C852CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000017F7C0B2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000017F7C0B29A2), ref: 0000017F7C0B20B0

Memory Dump Source

Source File: 00000003.00000002.260779016.0000017F7C0B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017F7C0B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_17f7c0b0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: 7a537a4debf569a3a6e8b95bb188fe87d85134cd4551affd1cc852f0a2e120db
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 4F316D72619B8086D790CF1AE45479A7BB5F389BC4F204026EF8D87B18DF39C442CB00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5384, Parent PID: 7088COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000028586AB2264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000028586AB23BE
VirtualProtect.KERNELBASE ref: 0000028586AB2478
RtlAvlRemoveNode.NTDLL ref: 0000028586AB25BE
VirtualProtect.KERNELBASE ref: 0000028586AB2684

Memory Dump Source

Source File: 00000006.00000002.267231227.0000028586AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000028586AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_28586ab0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: fd1a52e41380e52db3b08651ed09dd0c757b1c1ed48366bd9bbe19f53a1a7662
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 39B15576619BD48AE7308B1AE44079AB7A0F7C9B80F108126DE8D57B59DF7DC8918F40

Uniqueness

Uniqueness Score: -1.00%

Function 0000028586AB2060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,0000028586AB29A2), ref: 0000028586AB20B0

Memory Dump Source

Source File: 00000006.00000002.267231227.0000028586AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000028586AB0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_28586ab0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: 1f60db79b2323e68ca107062d3cd1dafe3a2fc7688294d88ad32c2db47cd93f6
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 04313C76615B90C6D790DF1AE45579A7BB0F389BD4F205026EF8D87B18DF39C4928B00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3156, Parent PID: 7088COMMON

Execution Graph

Execution Coverage:	18.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	15
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002541E152264 Relevance: 6.2, APIs: 4, Instructions: 230
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000002541E1523BE
VirtualProtect.KERNELBASE ref: 000002541E152478
RtlAvlRemoveNode.NTDLL ref: 000002541E1525BE
VirtualProtect.KERNELBASE ref: 000002541E152684

Memory Dump Source

Source File: 00000008.00000002.274411537.000002541E150000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002541E150000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2541e150000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$NodeRemove
String ID:
API String ID: 3879549435-0
Opcode ID: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction ID: 65178579c813a73490c4558726b051dd2e145203941277cfc54773149d0ef565
Opcode Fuzzy Hash: 998c333fcbc94d6503e1fd2d6b22b9b8446f434769f01d9b0eba9ba6cd5b82e5
Instruction Fuzzy Hash: 50B152B7618BC486D7708B1AE4407DEBBA0F789B84F108126EE8D57B58DB79C891CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000002541E152060 Relevance: 1.3, APIs: 1, Instructions: 67
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,000002541E1529A2), ref: 000002541E1520B0

Memory Dump Source

Source File: 00000008.00000002.274411537.000002541E150000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002541E150000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2541e150000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction ID: 138e2dda3d538cdbc352a54361c6ed647ea653878e19b56facb592d8b3b90fed
Opcode Fuzzy Hash: efef561593cea6ec73f14c0a970d655c71aa6a4b298494007811926080961454
Instruction Fuzzy Hash: 43314B76615F9086D790DF1AE45479A7BB0F789BC4F204026EF8D87B18DF7AC4928B04

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CloudNotifications.exePID: 2928, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	399
Total number of Limit Nodes:	49

Executed Functions

Function 00007FFC74C45F40 Relevance: 7.6, APIs: 5, Instructions: 146
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 00007FFC74C45FC0
NtMapViewOfSection.NTDLL ref: 00007FFC74C46066
NtUnmapViewOfSection.NTDLL ref: 00007FFC74C460B0
NtDuplicateObject.NTDLL ref: 00007FFC74C460EC
NtDuplicateObject.NTDLL ref: 00007FFC74C46130

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: Section$DuplicateObjectView$CreateUnmap
String ID:
API String ID: 1515463610-0
Opcode ID: 97397e7d40928cd0d5b9b3652568a259d3e0dc23511567da45a542a92ecf9865
Instruction ID: 5859a8184a9344e2c6a5d2cd470c68e4127c239c755685c7f6c21e195c7e706d
Opcode Fuzzy Hash: 97397e7d40928cd0d5b9b3652568a259d3e0dc23511567da45a542a92ecf9865
Instruction Fuzzy Hash: B651D173B247A58AEB10CF6495802AE3AA4FB453A8F144236EF6E17BD9DF38D440C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C5C4D0 Relevance: 7.6, APIs: 5, Instructions: 136
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C5C543
NtMapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C5C5D5
NtUnmapViewOfSection.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C5C61F
NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C5C65B
NtDuplicateObject.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00007FFC74C5C6B5

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: DuplicateObjectSectionView$CreateFileMappingUnmap
String ID:
API String ID: 640117302-0
Opcode ID: 670f384008056c7cc93a1ca92abb5e2d1eaf97c9022006726f08d491f91b699f
Instruction ID: fbeb3e28d1b98ef5722cc68096ecd486ade50c06c2e1fa0169e247f353113da1
Opcode Fuzzy Hash: 670f384008056c7cc93a1ca92abb5e2d1eaf97c9022006726f08d491f91b699f
Instruction Fuzzy Hash: 7551C273618795C1EA209B55A4812AEBBA1EB857B4F144736EAAE077D9DF3CD000C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C55CD0 Relevance: 7.6, APIs: 5, Instructions: 117
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredContinueHandler.NTDLL ref: 00007FFC74C55CFB
VirtualProtect.KERNELBASE ref: 00007FFC74C55E01
VirtualProtect.KERNELBASE ref: 00007FFC74C55E39
RtlCreateUserThread.NTDLL ref: 00007FFC74C55E98
NtClose.NTDLL ref: 00007FFC74C55EBA

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CloseContinueCreateHandlerThreadUserVectored
String ID:
API String ID: 238847861-0
Opcode ID: 05735a28f3e0b71d633d86495be0ff456b8aca840665f888ab55937f3f5ee976
Instruction ID: 8a9d40a72f03e44d7ba9058b8d423f67047967e4a92ba9bcfcf0683ef3eeee7c
Opcode Fuzzy Hash: 05735a28f3e0b71d633d86495be0ff456b8aca840665f888ab55937f3f5ee976
Instruction Fuzzy Hash: 8351EF73719765CAE7649F70A0803AE36E2EB85348F54813AEA4E0BB9ADF3DD401C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C6A2C0 Relevance: 5.0, APIs: 2, Instructions: 2002COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee7fddd203a8e558f35a9e2d5444ceda48a0d6c28115a6dd4b832a9e3b433bc2
Instruction ID: 04ce9d5607f9be03514e3476240780cbdb00e9d251f0c834be8ef49b146f8ff6
Opcode Fuzzy Hash: ee7fddd203a8e558f35a9e2d5444ceda48a0d6c28115a6dd4b832a9e3b433bc2
Instruction Fuzzy Hash: AF03B227B28BAAC1EB149B25D5802B977A1FF45B88F488037CA0D47795EF3CE545C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C5CB00 Relevance: 4.6, APIs: 3, Instructions: 110
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessId.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C5B278), ref: 00007FFC74C5CB34
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFC74C5CB6F
Thread32First.KERNEL32 ref: 00007FFC74C5CBB8

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: CreateFirstProcessSnapshotThread32Toolhelp32
String ID:
API String ID: 3863306361-0
Opcode ID: b47dcf69268d21a52e3390d85a6bf023463a9f72fecd0d4c9e4fe7e291b6d81b
Instruction ID: e5df8b06fb5a826ca1646d3e6a00ca192a6d26d93fbfecbe3f496fe87cfda986
Opcode Fuzzy Hash: b47dcf69268d21a52e3390d85a6bf023463a9f72fecd0d4c9e4fe7e291b6d81b
Instruction Fuzzy Hash: 5A41B223A3C66AC1EA64DB14D4C02BEA6A1EFD4740F648032EA4E477DADF2CE504C771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7ED10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileExW.KERNELBASE ref: 00007FFC74C7ED6D

Strings

., xrefs: 00007FFC74C7EDEA

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .
API String ID: 1974802433-248832578
Opcode ID: ff81af2d261303690ea493e3242ce8d1552905d18e62b81d1f6e499c765c4368
Instruction ID: dde3f0e9e854dfc23df065d3db19c428d98a13067f515db1a2c359eaa8f0701a
Opcode Fuzzy Hash: ff81af2d261303690ea493e3242ce8d1552905d18e62b81d1f6e499c765c4368
Instruction Fuzzy Hash: 3541D733A18665C3FB664B34D1803792791DB54BA8F184636CA6C073D9DF7CE892C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C5AA70 Relevance: 3.5, APIs: 2, Instructions: 521
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: CreateFirstProcessSnapshotThread32Toolhelp32
String ID:
API String ID: 3863306361-0
Opcode ID: 277ce45b2216b12cefbf83b438674a130952188f23bbf01386831949dd88dbfb
Instruction ID: 110ca32751cc3f73f37d8e03f9ec21883175659bff7e40befdcc937a36ae1ce6
Opcode Fuzzy Hash: 277ce45b2216b12cefbf83b438674a130952188f23bbf01386831949dd88dbfb
Instruction Fuzzy Hash: 5522C027B2852AC6EA24EB21D0D12BEAB65BF84740F644137DA1E477D6EE3CF505C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7DDC0 Relevance: 2.4, APIs: 1, Instructions: 882COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007FFC74C7EB81

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: d865aafef4abeeda741963791a5c8816191fe4801083d7ca403ac3fcd0a015d3
Instruction ID: bb7e1cca93b4b5cdf135848572aa380b3d6dacb99a52bde289810076a28ce7ed
Opcode Fuzzy Hash: d865aafef4abeeda741963791a5c8816191fe4801083d7ca403ac3fcd0a015d3
Instruction Fuzzy Hash: D382C163B287AAC2EB669B35D4802B977A1FB45B84F484437CA4D0779ADF3CE540C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C6CA50 Relevance: 2.3, APIs: 1, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bccb5b6955ed9ec30ef0630396ab279aebbaaecab2cfa1876175928a4d7afc1
Instruction ID: ebf0ed9d54a735bb9d5d01d075771e083f5ca9ca24441187bdfaf684af3577f3
Opcode Fuzzy Hash: 5bccb5b6955ed9ec30ef0630396ab279aebbaaecab2cfa1876175928a4d7afc1
Instruction Fuzzy Hash: C472B163B287AAC1EB158B25D4803B977A1FB45B84F888437CA1D07799DF3CE951C362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C8D520 Relevance: 1.7, APIs: 1, Instructions: 237nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FFC74C8D5C0

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ed208b4a2a7bacdb4c5f30ed80db816c0f4e91369da1132ce030e5105a6ffa5e
Instruction ID: 78053cf7905b944b315d098d278c65dae420b109b03fdefbff20ca7941958342
Opcode Fuzzy Hash: ed208b4a2a7bacdb4c5f30ed80db816c0f4e91369da1132ce030e5105a6ffa5e
Instruction Fuzzy Hash: 85B16B37A2565ADAE714EF26D1802AE33A8FB44788F444436DB5E47B99DF38E424C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C697D0 Relevance: 1.7, APIs: 1, Instructions: 185libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrLoadDll.NTDLL ref: 00007FFC74C699EE

Part of subcall function 00007FFC74C7EC70: FindNextFileW.KERNELBASE(?,?,D353BBDF,00007FFC74C6990E), ref: 00007FFC74C7EC9B

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: FileFindLoadNext
String ID:
API String ID: 50669962-0
Opcode ID: 0d34ce97f68ac5289fb971ae0a429462904370c38f5bf85b33eb1a6d885584d5
Instruction ID: eeaebbbed2a62424aafd04473e2d85a79dc5c29bd6fa3dd1997289740e231ab9
Opcode Fuzzy Hash: 0d34ce97f68ac5289fb971ae0a429462904370c38f5bf85b33eb1a6d885584d5
Instruction Fuzzy Hash: 13817023A3856AC2FB14EB21D4912FE6365EF95354F808172EA8D47ACBDE3CE505C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C67770 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtClose.NTDLL ref: 00007FFC74C67799

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
Instruction ID: 72ed8d3d9af2847b2398ad6ccae687d48c2cd243c3cf94c5b6924fe3d37706e1
Opcode Fuzzy Hash: 860ba978492d36cdfe31f6537ec1931d4b76ea568ca190dfd252f9a33af48d82
Instruction Fuzzy Hash: 9CD05E52A36619C1FE2567A2A1823B402908F99704F0884B2CE8D0A3D7EE2CA885C333

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C82E60 Relevance: 6.3, APIs: 4, Instructions: 289
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C82F59
RegEnumKeyW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C82FB4
RegOpenKeyExW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002), ref: 00007FFC74C83039
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000002,?), ref: 00007FFC74C83164

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 70ade09d1917b73a1c0b0a587b97ca231d341992035ac4f1723fae1abeb74924
Instruction ID: 946b3befe0e55c1d712fb0f0e6655864ded854ddfec1efbcfc97cfa9ca622a90
Opcode Fuzzy Hash: 70ade09d1917b73a1c0b0a587b97ca231d341992035ac4f1723fae1abeb74924
Instruction Fuzzy Hash: 14C1A623B2D669C2EE609B56E4803B9A394EF85760F444233EA6D477D6DF3CE805C721

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C5C970 Relevance: 4.6, APIs: 3, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcessModulesEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFC74C599E8), ref: 00007FFC74C5C9E6
K32GetModuleBaseNameW.KERNEL32 ref: 00007FFC74C5CA35
K32GetModuleInformation.KERNEL32 ref: 00007FFC74C5CADC

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: Module$BaseEnumInformationModulesNameProcess
String ID:
API String ID: 2890305978-0
Opcode ID: 0a8ac744251672cff66e4c1f40cbe235c77a46854590e8273bcd534dfa9c016b
Instruction ID: e7d26fd8c6c2fbfef0c062d2644fc482969ba9f6ca3c4d46d6554180346d9366
Opcode Fuzzy Hash: 0a8ac744251672cff66e4c1f40cbe235c77a46854590e8273bcd534dfa9c016b
Instruction Fuzzy Hash: 0E419C22B28665C6EB18EBB198912FD6761BB84788F904033EE4D57B8ADF38D405C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C8CF10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFC74C67770: NtClose.NTDLL ref: 00007FFC74C67799

GetExitCodeProcess.KERNELBASE ref: 00007FFC74C8CFC7

Strings

0, xrefs: 00007FFC74C8CF35

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: CloseCodeExitProcess
String ID: 0
API String ID: 1252061823-4108050209
Opcode ID: 09e40f488223bff79dcad3cacf0ebd6f00734bf62418731ffb97b5ac32de472a
Instruction ID: 47330c4f6e7b56ab81c2fe970ecffcf548b71adb41833562d8e665ddc9770765
Opcode Fuzzy Hash: 09e40f488223bff79dcad3cacf0ebd6f00734bf62418731ffb97b5ac32de472a
Instruction Fuzzy Hash: C6319533628796C6EA709F11E0802BE76A4FB84340F548036EB8E47A9ADF3CD845CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7F550 Relevance: 3.1, APIs: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6d19f31b6694c0a71228a85886c7f0685ab46206413fc2dbfe68e670c2c6b7
Instruction ID: 6adf4e3497699958c5f57353ea78d8b55eda702ac36b2e8dd3d0528d431f0d9a
Opcode Fuzzy Hash: 2f6d19f31b6694c0a71228a85886c7f0685ab46206413fc2dbfe68e670c2c6b7
Instruction Fuzzy Hash: E451E423B286AAC2F6A59B31A4D03BA6295BF88784F148437DA5E077D5DF3DD405C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7F7A0 Relevance: 3.1, APIs: 2, Instructions: 115
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE ref: 00007FFC74C7F866
ReadFile.KERNELBASE ref: 00007FFC74C7F8D4

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: b116437d9c020b1ea1b9c9643b01bd8b4a4effd594b6bd5f05ce2173e7f7b903
Instruction ID: b800a1ce99223b4ec4db60dbdda236022a63f6f64923b06642155eb31fc4f5c1
Opcode Fuzzy Hash: b116437d9c020b1ea1b9c9643b01bd8b4a4effd594b6bd5f05ce2173e7f7b903
Instruction Fuzzy Hash: 8341A423F286A9C3EA51AB35A0C017E6399EF85784F144137EA4D4779ADF3CE406CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C82810 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C6961D), ref: 00007FFC74C82885
RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFC74C6961D), ref: 00007FFC74C828E8

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
Instruction ID: c23c2f274dc92b2e5cd66ba3ee73c6176e08ccb96d5b38b028b6de6dfff07fe8
Opcode Fuzzy Hash: 505d3e8216d65752d9c9970fe8de9b0105d3b943a84e5339b5d033298b12e6c9
Instruction Fuzzy Hash: 2A21B527B2966986EE54CB55A44013AE795EF857F4F084132EE9C07BD8DF7CD481CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C81850 Relevance: 1.6, APIs: 1, Instructions: 144synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexExA.KERNEL32 ref: 00007FFC74C819AE

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 29a8f4c580aae3d34eae2ad777ff7b887acb7bd556e13acb8744778cb3517a5c
Instruction ID: b601fb2bde07c7fa8330ebd121d779b2cf6c299beb493da2bac88abf7d957a21
Opcode Fuzzy Hash: 29a8f4c580aae3d34eae2ad777ff7b887acb7bd556e13acb8744778cb3517a5c
Instruction Fuzzy Hash: 9751CA33A29365C6EB64EB2290812BD22D5EF84780F584536EE5D0778ADF3CE941C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C8D1E0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNELBASE ref: 00007FFC74C8D276

Part of subcall function 00007FFC74C8CF10: GetExitCodeProcess.KERNELBASE ref: 00007FFC74C8CFC7

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: Process$CodeExitFullImageNameQuery
String ID:
API String ID: 2650637187-0
Opcode ID: 28ec5ec08ee7c2c3a7cdc96954312a46c15a8a1eb4e126f65de35e9e27a46c18
Instruction ID: f348c3e1ac13fcd1f2234917b4c1df07e009b563495fc0c697820627272e0a5d
Opcode Fuzzy Hash: 28ec5ec08ee7c2c3a7cdc96954312a46c15a8a1eb4e126f65de35e9e27a46c18
Instruction Fuzzy Hash: A5418133A2866AC2EB50EF22E0912B92365EF94748F404037EA4E476DEDF3CD841C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C81490 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FFC74C814EB

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 512f313be00f819fec3ec57203f9621932ce3d26650fa1bd96bd1172d00ec909
Instruction ID: 64bce95fb62afe292313e633f1438b4dc9023b09ffc3d2f0a5929778c8f89feb
Opcode Fuzzy Hash: 512f313be00f819fec3ec57203f9621932ce3d26650fa1bd96bd1172d00ec909
Instruction Fuzzy Hash: 58215073A18B5AC2EA109F66A1801AA73A4FB85784F844036DB9D07B49EF78E515CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7F629 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F6CC

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
Instruction ID: 3db03c29b6514684a77569e3c7a331ff7512a9c6a7c15c7840c1b12cfc32ec26
Opcode Fuzzy Hash: 9933a6296932c9aaeac43b8e72c576d6d43d9e66245f160a84ba2bfbc0e42396
Instruction Fuzzy Hash: 9911C123A2826AC3EA729B21A0C13BA6399FB48780F144537CB9E07795DF3DE445C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7F642 Relevance: 1.6, APIs: 1, Instructions: 51filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F75A

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
Instruction ID: 7a4cf0b017ffbe9deefbdd8a919ab2f6a12684716bbe659b144adb7043ed7436
Opcode Fuzzy Hash: ab920c4048ecd73485d9a24abe9911eec550e0ad73fe64493c44082e69fe9c96
Instruction Fuzzy Hash: E911C223A2866AC7E6619B21A0C13BA6395FB88780F194137DB8E07795DF3CE441C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7F658 Relevance: 1.6, APIs: 1, Instructions: 50filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F75A

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
Instruction ID: 2966542c8b8f9139e591d1da5a8a8b441365e12a6cfb03abb33ea567296876db
Opcode Fuzzy Hash: e80f8483cf94c30f6301f3d3c985100ccdfca77954115487aecc5a17041d3c9f
Instruction Fuzzy Hash: 2A11E523A2826AC3E6719B2160C17BA6395FB88780F184137DB9E07795DF3CE441C771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C7F668 Relevance: 1.5, APIs: 1, Instructions: 47filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F6CC
SetFileTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001,-0000006C,00007FFC74C7F9E1), ref: 00007FFC74C7F75A

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: File$CreateTime
String ID:
API String ID: 1043708186-0
Opcode ID: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
Instruction ID: eb5c718e5b608dacf8cff331b80f2d72114f4326320d4982bb8b074279278101
Opcode Fuzzy Hash: 6e284fec9c092ab559da79d84b2b54fba405a3312493b2d376a7f6576a005246
Instruction Fuzzy Hash: 80010823A2826AC2E6729B21B0C13BA6394FB88780F184137DB8D07795DF3CD441C761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C826A0 Relevance: 1.5, APIs: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.KERNELBASE ref: 00007FFC74C82716

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
Instruction ID: 538f25a3226573fa40108d4c52006088ed136fd11336cd61861760cb59ac8a4a
Opcode Fuzzy Hash: af68b27f32d806152594ea98ebc8f2426a04b51a09888dca3b9f639ab6fe49d2
Instruction Fuzzy Hash: DF113377618B85C6D7209F52F44459AB7A8F788B80F588136EF9D43B04DF38D591CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C670F0 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlCreateHeap.NTDLL ref: 00007FFC74C6713D

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
Instruction ID: cb60625c1c6331a805617c32946329ea287646cfd49c95da0a5be674574e5cde
Opcode Fuzzy Hash: 7e47ca28742369fe6618816808a4c8b1d75f0f49f581dd722c821a23b829cda3
Instruction Fuzzy Hash: 6101A726B28669C2E6518B10F99156573A1EF853C4F08C436DA8D067A5EE3CD461CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C694A0 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00007FFC74C694E3

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: dae9426cc7fa4538d72034ffd323e9bcfc8febbe287244ac524ecd089ce4f1d2
Instruction ID: d6b55ccc380c98f59ddf2881fef9f94f627782ddc65d1e281e8fa85900beb355
Opcode Fuzzy Hash: dae9426cc7fa4538d72034ffd323e9bcfc8febbe287244ac524ecd089ce4f1d2
Instruction Fuzzy Hash: CB011262B3856AC2EA10EB55E8D11BA6311FFC4784F409432E98E4769BCE6CD105C762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFC74C67190 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlReleasePrivilege.NTDLL ref: 00007FFC74C671EC

Memory Dump Source

Source File: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFC74C20000, based on PE: true

Associated: 00000014.00000002.430856191.00007FFC74C20000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431055475.00007FFC74CA3000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431094839.00007FFC74CB6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000014.00000002.431113098.00007FFC74CB8000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffc74c20000_CloudNotifications.jbxd

Yara matches

Similarity

API ID: PrivilegeRelease
String ID:
API String ID: 113639715-0
Opcode ID: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
Instruction ID: 6cfc7acca6b6db3f5260eeb6931b1524535783d686285622ad8f9e5f49851f1d
Opcode Fuzzy Hash: 4cc1cfa08cb3aa26b208f28932105458a4a2f75863f8a1a8a56e0b8e89d82dcb
Instruction Fuzzy Hash: BFF05E0AF2A26A81FD6853E1589127102C25FC5340F1CC877C81D4A396ED2CEA46C633

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eWlldJYfLc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe

C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll

C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe

C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll

C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe

C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll

C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll

C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe

C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe

C:\Users\user\AppData\Local\R7Mg9\UxTheme.dll

C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe

C:\Users\user\AppData\Local\aJcBg\XmlLite.dll

C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL

C:\Users\user\AppData\Local\bj1HT\mfpmp.exe

C:\Users\user\AppData\Local\n0R5g\Secur32.dll

C:\Users\user\AppData\Local\n0R5g\mstsc.exe

C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll

C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Windows Analysis Report
eWlldJYfLc