Edit tour

Windows Analysis Report
Installer.msi

Overview

General Information

Sample name:	Installer.msi
Analysis ID:	1362406
MD5:	1e3ff8672dd9df37ac5696222fd0bec7
SHA1:	5437218f7389925a7ea5bc780d1351d6ce3ea067
SHA256:	0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5
Tags:	msipikabot
Infos:

Detection

PikaBot

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected PikaBot

Contains functionality to check for running processes (XOR)

Sample uses process hollowing technique

Writes to foreign memory regions

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6832 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Installer.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6948 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7100 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FB72CBA66D1B5B7C2EC1EC7FC50D4B55 MD5: 9D09DC1EDA745A5F87553048E57620CF)

SearchProtocolHost.exe (PID: 4488 cmdline: C:\Windows\System32\SearchProtocolHost.exe MD5: 727FE964E574EEAF8917308FFF0880DE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Pikabot	Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.	No Attribution	https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html https://d01a.github.io/pikabot/ https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398 https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/ https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/	https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.SearchProtocolHost.exe.b10000.0.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
3.2.SearchProtocolHost.exe.b10000.0.raw.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source:	Binary string: NtPrint.pdbGCTL source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr
Source:	Binary string: NtPrint.pdb source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251
Source: unknown	TCP traffic detected without corresponding DNS query: 172.232.186.251

Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SearchProtocolHost.exe, 00000003.00000003.1831622723.000000000583A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?16b8e16730ac9
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://ocsps.ssl.com0?
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://172.232.186.251/
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://172.232.186.251/9
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C86000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlike
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlikeI
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlikeT
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	String found in binary or memory: https://www.ssl.com/repository0

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Code function: 3_2_00B59710 NtPssCaptureVaSpaceBulk,

3_2_00B59710

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\44d546.msi

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSID6AF.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B222B3	3_2_00B222B3
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1E6B9	3_2_00B1E6B9
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B48E94	3_2_00B48E94
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B3C2E0	3_2_00B3C2E0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B2D2D4	3_2_00B2D2D4
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B252D5	3_2_00B252D5
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B40A2D	3_2_00B40A2D
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1E205	3_2_00B1E205
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B42000	3_2_00B42000
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1D1FF	3_2_00B1D1FF
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B335EB	3_2_00B335EB
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B43739	3_2_00B43739
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B20157	3_2_00B20157
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1DD59	3_2_00B1DD59
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1D95C	3_2_00B1D95C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B542B0	3_2_00B542B0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B184A8	3_2_00B184A8
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B3B6A8	3_2_00B3B6A8
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B56297	3_2_00B56297
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B3AAFC	3_2_00B3AAFC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1B2ED	3_2_00B1B2ED
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B564DC	3_2_00B564DC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B5682C	3_2_00B5682C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4982E	3_2_00B4982E
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B3F806	3_2_00B3F806
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4AE0C	3_2_00B4AE0C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B2AE0C	3_2_00B2AE0C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B55A67	3_2_00B55A67
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B3E441	3_2_00B3E441
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1EDBD	3_2_00B1EDBD
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B233BC	3_2_00B233BC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1F5BE	3_2_00B1F5BE
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4FDA0	3_2_00B4FDA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B583AD	3_2_00B583AD
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B5339E	3_2_00B5339E
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B277ED	3_2_00B277ED
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4F5D4	3_2_00B4F5D4
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1C1D6	3_2_00B1C1D6
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B43BC5	3_2_00B43BC5
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B20FCC	3_2_00B20FCC
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B51B26	3_2_00B51B26
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B3D929	3_2_00B3D929
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4A52E	3_2_00B4A52E
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B2EF16	3_2_00B2EF16
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B31102	3_2_00B31102
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B42702	3_2_00B42702
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B31B09	3_2_00B31B09
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B35573	3_2_00B35573
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4877B	3_2_00B4877B
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B16360	3_2_00B16360
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B4556C	3_2_00B4556C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B43750	3_2_00B43750
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B1FF5D	3_2_00B1FF5D
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B14748	3_2_00B14748

Source: Installer.msi	Binary or memory string: OriginalFilenamentprint.exej% vs Installer.msi
Source: Installer.msi	Binary or memory string: OriginalFilenameRTLCPAPI.DLL vs Installer.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprojw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ghofr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fg122.dll	Jump to behavior

Source: classification engine

Classification label: mal60.troj.evad.winMSI@6/23@0/1

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Code function: 3_2_00B252D5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

3_2_00B252D5

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLFFF0.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Mutant created: \Sessions\1\BaseNamedObjects\{5A23F24B-9AA8-4106-A0EA-719B96FE488B}

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF71AAADE0E9A6F831.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: Installer.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Installer.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FB72CBA66D1B5B7C2EC1EC7FC50D4B55
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\System32\SearchProtocolHost.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FB72CBA66D1B5B7C2EC1EC7FC50D4B55	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\System32\SearchProtocolHost.exe	Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source:	Binary string: NtPrint.pdbGCTL source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr
Source:	Binary string: NtPrint.pdb source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr

Data Obfuscation

Contains functionality to check for running processes (XOR)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Code function: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

3_2_00B252D5

Source: MSID6AF.tmp.1.dr

Static PE information: real checksum: 0x22896 should be: 0xabfee

Source: MSID6AF.tmp.1.dr

Static PE information: section name: .TEaOloc

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B59710 push dword ptr [00B5A004h]; ret		3_2_00B59774
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B5A054 push edx; retf 006Fh		3_2_00B5A06A

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSID6AF.tmp

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSID6AF.tmp

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-15095

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpm
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugFlags			Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B2D115 mov eax, dword ptr fs:[00000030h]		3_2_00B2D115
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 3_2_00B2D101 mov eax, dword ptr fs:[00000030h]		3_2_00B2D101

HIPS / PFW / Operating System Protection Evasion

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\msiexec.exe

Section unmapped: C:\Windows\SysWOW64\SearchProtocolHost.exe base address: B10000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B1632A	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16340	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16352	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B163CB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16854	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B1685C	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16B7E	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: B16CB0	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\System32\SearchProtocolHost.exe

Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Code function: 3_2_00B1EC0E cpuid

3_2_00B1EC0E

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Code function: 3_2_00B1D95C GetUserNameW,

3_2_00B1D95C

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected PikaBot

Source: Yara match	File source: 3.2.SearchProtocolHost.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SearchProtocolHost.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PikaBot

Source: Yara match	File source: 3.2.SearchProtocolHost.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SearchProtocolHost.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	211 Process Injection	21 Masquerading	OS Credential Dumping	11 Security Software Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Disable or Modify Tools	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	211 Process Injection	LSA Secrets	1 Account Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Windows\Installer\MSID6AF.tmp	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ocsps.ssl.com0?	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlikeT	0%	Avira URL Cloud	safe
https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlikeI	0%	Avira URL Cloud	safe
https://172.232.186.251/9	0%	Avira URL Cloud	safe
https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlike	0%	Avira URL Cloud	safe
https://172.232.186.251/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
https://172.232.186.251/9	SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlikeT	SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlike	SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C86000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
http://ocsps.ssl.com0?	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false	URL Reputation: safe	unknown
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
http://ocsps.ssl.com0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false	URL Reputation: safe	unknown
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr	false		high
https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlikeI	SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://172.232.186.251/	SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.232.186.251	unknown	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1362406
Start date and time:	2023-12-14 22:01:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Installer.msi
Detection:	MAL
Classification:	mal60.troj.evad.winMSI@6/23@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 104.91.175.50, 104.91.175.25, 104.91.175.59, 104.91.175.37, 104.91.175.32, 104.91.175.44, 104.91.175.51, 104.91.175.28, 104.91.175.27
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: Installer.msi

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.232.186.251	InstallerMC.msi	Get hash	malicious	PikaBot	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	https://0c15ad52-a43103fa.boyarmilller.com/app/office365/exk7kpnt5q6Eao1uy697/sso/wsfed/passive?login_hint=sina.soltani%40amd.com&client-request-id=cf1ebe17-2150-4f20-9bd3-894964d84b11&username=sina.soltani%40amd.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%3drQQIARAA42Kw0skoKSkottLXL8gvKknM0cvNTC7KL85PK8nPy8nMS9VLzs_Vyy9Kz0wBsYqEuATE98mdD1BU8J99udMz5Ya34CpGZcJG6F9gZHzByDiJSaQ4My9Rrzg_pyQxL9MhMRds7C0mQf-idM-U8GK31JTUosSSzPy8R8xYlV5gEXjFwmTA-IOFcREr0DUxEV4HplmHek9zmLVDYhUzwylW_bTIohwTR7csH59KZ9fI0tIcN-OUEG_jvFKDqiQzgxyXHM_QilS_tLTEwkBbCyvDCWxCE9iYTrExfGBj7GBnmMXOcICT8QAvww--Z-0rp7-d-f-txwYBBgA1#	Get hash	malicious	Unknown	Browse	172.233.190.246
	https://2f464efd.b53045dfc6bde98ddc8c0341.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.208.28.158
	https://www.dropbox.com/scl/fi/vanar0qpcmj8zdmx4s08c/Circuits-Plus-Inc.-has-shared-a-document-with-you-via-PDF.paper?rlkey=aimalp5hl5bs9se1itohd7dt5&dl=0	Get hash	malicious	HTMLPhisher	Browse	23.208.28.143
	InstallerMC.msi	Get hash	malicious	PikaBot	Browse	172.232.186.251
	0749.pdf.msg	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112
	31.dat.dll	Get hash	malicious	PikaBot	Browse	172.232.175.59
	31.dat.dll	Get hash	malicious	PikaBot	Browse	172.232.175.59
	FW_ Order confirmation PO12308 dated 06.12.2023.eml	Get hash	malicious	Unknown	Browse	23.204.76.112
	AWB_doc_.exe	Get hash	malicious	FormBook	Browse	172.232.128.154
	http://docksofts.com	Get hash	malicious	Unknown	Browse	104.109.132.197
	original (5).eml	Get hash	malicious	HTMLPhisher	Browse	23.222.77.185
	IF-07b_SIGS-EN-ICS-IC-002_SMC-SCU ICD_v31_19-03-2014.pdf.exe	Get hash	malicious	Unknown	Browse	23.204.76.141
	last.hta	Get hash	malicious	AsyncRAT	Browse	23.204.156.159
	https://demandtechreports.com/reports/Flexential-TheEvolved922Download.jsp	Get hash	malicious	Unknown	Browse	23.56.5.144
	https://t.infomail.microsoft.com/r/?id=h3d925265,3d340bb5,3d3443c1&e=b2NpZD1jbW1hbmlleDN4Mg&s=dOx08lLI2TRN0BIlw9eNEyJ6YErr6MWlNX0fFoH6-kQ	Get hash	malicious	HTMLPhisher	Browse	23.205.165.211
	J8KIPSMGVN.exe	Get hash	malicious	RedLine	Browse	172.234.57.195
	https://poste.192-71-172-76.cprapid.com/it/	Get hash	malicious	Unknown	Browse	23.44.193.58
	FED-POL652663234.svg	Get hash	malicious	Unknown	Browse	23.223.245.40
	Mw1Toi3D0h.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	23.204.156.86
	4lodHjhKT8.exe	Get hash	malicious	PrivateLoader, RisePro Stealer	Browse	104.127.87.210

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	8648
Entropy (8bit):	5.593950058016029
Encrypted:	false
SSDEEP:	96:B1z3zvMkMeihtCUTeD2dARCsThqabUTeD2dARC6jLT+oTzeThqQHyzw2FlywctE6:B5DvMVeg11AkINI1AkAZ2cYAB1pj2
MD5:	4459B1572F86E5D17C1AA19E301402DD
SHA1:	745D5BA2599F6FB6699DD89F802E866F22FE2460
SHA-256:	3D15163BC49E3609B1A2BA15426733D91F5630A2B5C70B869378E316CF44234D
SHA-512:	BFF08D7F2F4974CD4D1BD3E3AC5F8D7A4E34AF64D4D9480E20B2380077B48FC34CCC8FF027D1DFA1BE7F9C081D6A287FCCDE71F9FACC4C529CF9CE4E96CD7BDC
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@B..W.@.....@.....@.....@.....@.....@......&.{E8BC70D1-2863-4379-B219-8656E74FCC1E};.Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659..Installer.msi.@.....@....@.....@........&.{677686E8-D2EB-4231-BA61-36994AEA93B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{AA0FBF6B-45F7-443D-8835-BDF4F3E57D47}&.{E8BC70D1-2863-4379-B219-8656E74FCC1E}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..&.C:\Users\user\AppData\Local\VcRedist\..../.C:\Users\user\AppData\Local\VcRedist\README.md....RegisterProduct..Registering product..[1]......C:\Windows\Installer\44d548.msi......C:\Windows\Installer\44d548.msi.@....$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\SearchProtocolHost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 66791 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	66791
Entropy (8bit):	7.995531727155867
Encrypted:	true
SSDEEP:	1536:drFvD2YSE/sFDqV0FJJynkAhftCvMd3coa282frgW1qgNzU:drVDJSeaDqV0FJwLhVkr282fF5U
MD5:	AC05D27423A85ADC1622C714F2CB6184
SHA1:	B0FE2B1ABDDB97837EA0195BE70AB2FF14D43198
SHA-256:	C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
SHA-512:	6D0EF9050E41FBAE680E0E59DD0F90B6AC7FEA5579EF5708B69D5DA33A0ECE7E8B16574B58B17B64A34CC34A4FFC22B4A62C1ECE61F36C4A11A0665E0536B90D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I.................gW.e .authroot.stl..u/1.5..CK..<Tk...p.k:..c.Y:.(Qc...%Y.f_...$..DHn..6i/.]....-!QQ..}f..f...}..1....9.......pN..mI.a.....!...N.....xP.f6..C.'#.c.@GN(3.<3.......9...('3...l.l....B..x..e...UWFU.TT.l.L...._.l1......w.\..Xb.v..Q......pKP.....M`.Y......Op4=.(=P.e...p.(U.....z7MF..O......V2.....#...pj...z.!...wQ...V&.Gz..Nv.4..y(J...A..':.2Q.^u.y..<.1..2..o........H.D.S.....62.\| w(...B.......h.QZ..'....l.<....6..Z...p?... .pT.......l..S..K....FT?.....p..`.&..y..."T=l.n..egf.w..X.Y...G.m....=.}cO.7.....9....o..:.Y=.-.5....ud.J&.]..Q..._<.S....{a.=.n...PT.Um).\| kpyA....h.PXY.>.......^2U...H.....V<\...k..~....H..p...8..'..?...r>.4..!u......1\.`.<.+..n..p..]...).....L.g....#.<..c]R.U."\i.Z.>...`Q..g6....0.......F.........N.s.Z..A........m.^....a_..>v.-.mk...wt.n.:...>S..;....1...j.+m.&S......$.T...i.B=h.n...c.!e.....Y.#..bw.}...d.. ..w... .&..w.9..}k...\...=....{q.Up..y;..7.-.K.'.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\SearchProtocolHost.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.1210246516316165
Encrypted:	false
SSDEEP:	6:kKtEosurN+SkQlPlEGYRMY9z+4KlDA3RUeWc3l0:FEnPkPlE99SNxAhUeWcC
MD5:	1FDAD253E1FBF3CB17A7269402DF64B2
SHA1:	A2BC4115189925E7F278378DE5B98AE363C32413
SHA-256:	55B8B18BE5ECED5203DEAF69D2A1D998D6BE5C7FE3D12829442C0915BD909575
SHA-512:	0E29FC1E12955F0312EC3DBAFA4D95706D8A3F417A2D5562AB1AC9F777C2836173673A5E5D4E03518EB6FFA37ED63F7F25743DF3F8F3C3E46C22EE5CB46388BE
Malicious:	false
Reputation:	low
Preview:	p...... .........kN.....(....................................................... ..........H"......(...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".3.f.e.4.e.6.1.a.4.8.2.2.d.a.1.:.0."...

C:\Users\user\AppData\Local\VcRedist\README.md

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.76842425736778
Encrypted:	false
SSDEEP:	3:Sv9JvxtMLgN7qY0UxMFku2owAWRFmrIjoVKYwo94E:SvrYLI7nFMHZCmrUoVKYd4E
MD5:	5E201DAC2E318092AE4F58540E053A49
SHA1:	0901AA2298BC8F8E7244CEAA7075971FC9A76083
SHA-256:	7E4C2A471969A9076992E17B4355558A5F029C651CFD535CA7C66076791A4E6A
SHA-512:	7DF261FA670572ABEF14F8C88D021285C933C1CCEB394CEFC7D298B421F680B84578CEF2A345D9F015DB18061752AC0D1426C598C460714082B9AD313B32F792
Malicious:	false
Reputation:	low
Preview:	# Chameleon Engine ( PAYLOAD GENERATOR NEW GEN )....Fast and Simply engine for generate payloads for spam!

C:\Windows\Installer\44d546.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659., Template: Intel;1033, Revision Number: {677686E8-D2EB-4231-BA61-36994AEA93B1}, Create Time/Date: Thu Dec 14 13:58:56 2023, Last Saved Time/Date: Thu Dec 14 13:58:56 2023, Number of Pages: 400, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	7.607314684857152
Encrypted:	false
SSDEEP:	12288:pTZ2EEko4IoVnBnVzoeOhFyFLgVNjDOX0VsCMd4UvZ9cA/KBOxP2:79VnToWLgVDTMdPn/KBV
MD5:	1E3FF8672DD9DF37AC5696222FD0BEC7
SHA1:	5437218F7389925A7EA5BC780D1351D6CE3EA067
SHA-256:	0E81A36141D196401C46F6CE293A370E8F21C5E074DB5442FF2BA6F223C435F5
SHA-512:	FE2A03675EFD005264E3750F8EAC22548031CF9B7327ADA206184027983B98758552EE222D81265FA000A4B1700DFC5D171FA8B3EA7A1229785F421C5438C09E
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\44d548.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659., Template: Intel;1033, Revision Number: {677686E8-D2EB-4231-BA61-36994AEA93B1}, Create Time/Date: Thu Dec 14 13:58:56 2023, Last Saved Time/Date: Thu Dec 14 13:58:56 2023, Number of Pages: 400, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	7.607314684857152
Encrypted:	false
SSDEEP:	12288:pTZ2EEko4IoVnBnVzoeOhFyFLgVNjDOX0VsCMd4UvZ9cA/KBOxP2:79VnToWLgVDTMdPn/KBV
MD5:	1E3FF8672DD9DF37AC5696222FD0BEC7
SHA1:	5437218F7389925A7EA5BC780D1351D6CE3EA067
SHA-256:	0E81A36141D196401C46F6CE293A370E8F21C5E074DB5442FF2BA6F223C435F5
SHA-512:	FE2A03675EFD005264E3750F8EAC22548031CF9B7327ADA206184027983B98758552EE222D81265FA000A4B1700DFC5D171FA8B3EA7A1229785F421C5438C09E
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID69E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1804
Entropy (8bit):	5.624559787943555
Encrypted:	false
SSDEEP:	48:7dHPrT7PrhfWhzP3FpQEeUvNnHiiuD4uEVlt+J6N:71z3zZWdReMCvD4uEP4q
MD5:	34AD165E1B4A0F477F3157B85BF90376
SHA1:	5A56E43604609CAE121B73EF0FCE12EBE6D53F88
SHA-256:	5D90CF568348B54AA3A3E9754B3F6254CEE540581DA3518E495FC19EA4B9A515
SHA-512:	6C17E0F381F7CD8D86C72F8CD195CD2F18B3573655F9D7797F60FF9A9146D3EE2DFE778D5A32C07F108C0B2016E7ED8B7B40DA68CAC8F7DDE68CF73EDC657877
Malicious:	false
Preview:	...@IXOS.@.....@;..W.@.....@.....@.....@.....@.....@......&.{E8BC70D1-2863-4379-B219-8656E74FCC1E};.Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659..Installer.msi.@.....@....@.....@........&.{677686E8-D2EB-4231-BA61-36994AEA93B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{AA0FBF6B-45F7-443D-8835-BDF4F3E57D47}/.C:\Users\user\AppData\Local\VcRedist\README.md.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@j....@.....@......&.C:\Users\user\AppData\Local\VcRedist\....1\......Please insert the disk: ..EaIxea0VE.cab.@.....@......C:\Windows\Installer\44d546.msi.........@........README.md..tq0dRhwGZl..README.md.@.....@j....@.......@.............@.........@.....@.....

C:\Windows\Installer\MSID6AF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	675840
Entropy (8bit):	7.795733158069968
Encrypted:	false
SSDEEP:	12288:EEko4IoVnBnVzoeOhFyFLgVNjDOX0VsCMd4UvZ9cA/KBOxP:E9VnToWLgVDTMdPn/KB
MD5:	7092458FCFD6A24316B91318C2D36260
SHA1:	41DD239D95DEE0E6E59C838B454F38642C423953
SHA-256:	83C9BA686F57363DD27CB87419C8F5DC287ADAB4C3D0378CC19367D89274E1F7
SHA-512:	251E52716C722C0530EE89CD87BD5AB63B4C7BAE81F105837BF7DF2160C3B6BC70C47A86DBDC599A200939EC7CC8854131316FACFCBC939E390D844714411A1A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........a...a...a...r...a...a...a.d.k...a...o...a...`...a...r...a.d.j...a.4.g...a.d.e...a.Rich..a.................PE..L....8.N...........!.....0..........r........@.......................................(.......................................o...........Q..............h....@..`....................................................@...............................text.... .......0.................. ..`.rdata..%E...@...P...@..............@..@.data...DF....... ..................@....rsrc....Q.......`..................@..@.reloc..,/...@...0..................@..B.TEaOloc.....p.......@..................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{E8BC70D1-2863-4379-B219-8656E74FCC1E}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1626835114870153
Encrypted:	false
SSDEEP:	12:JSbX72Fj7tiAGiLIlHVRpiBh/7777777777777777777777777vDHFsLMzYBXnpH:JOQI5AkMMsF
MD5:	EA9B34D05C8288B89C05A73CED0B3264
SHA1:	F52939CF2048866326FE24128DF29006D57EB864
SHA-256:	FE71968DAB6A3C4B924CBC5016FFD783458ED015E52B4EEBB1C0023CD642ABB1
SHA-512:	01DCE21EFA3110433FE7C3BE3EF3895E0D4A675A2A76ECEF781CB49A928F990C1633A61B28CBE70B5671194BC17F579F8157A9D361D99A02EF1AF9981447F778
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4419282414536245
Encrypted:	false
SSDEEP:	48:p8PhSuRc06WXJajT51jWS5oGrrTSI87ZBKN:khS1RjTnWOTUZB
MD5:	8DA680176F1170DB044E3FEA36899755
SHA1:	E00370626244AA24CF70EFAD630E1636C0540A0B
SHA-256:	4A2B528A391C5CF625AB0B8DBFD2D566EAF8BFB5CC12A610A60CEF2FCA1CF134
SHA-512:	D9801F6F867CAA5C7C66DB71DD1BB9D18CB7F62DC5203E9D693A7619AE730C29AD61485FB475D212157B323BFDFECF4087A0EA807E2FB32D064AECAC164E7BFB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.3751740216890935
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauW:zTtbmkExhMJCIpErf
MD5:	FBE5B6708BCB168A19E9C69A35702AEA
SHA1:	9EEE19C9A5B254EAD78AF2B573F7024D94B2BC46
SHA-256:	E604E75E4C1240A5E2221B0F713A070BFA785DF3D372793B00F1399A9B9295FB
SHA-512:	89F72EBB9907AB52A43DDFBE57BDA0CF6CC60BD420BB76A4A4590691A3CF243A6C2023A3316E31CA95B45F738CAD2DC55DFACD313E757F8120B471BD8BDEBDF0
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF13D7E8724B90FCF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1FEDD9837BEBD059.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1642326148909647
Encrypted:	false
SSDEEP:	48:nmxP6uqJveFXJtT50jWS5oGrrTSI87ZBKN:nY6EVT8WOTUZB
MD5:	00062BAD6B8B7C39244C2827A6DFF9C6
SHA1:	A10F6BEC63E562B1F5F3747087CAF06F23367979
SHA-256:	B2A51676A1C5BA52D3F4705A6FEDB0A573936CB6472A011A8DB986DDBABDC9B4
SHA-512:	A2FD32DF15F8FB99E4BA1EF41278061779C7A0043A5423037B0EBFE6C7F76CB12A73C69074E8E5A9D1DF050A8111025F063E5372FAFA0CB7704DC5A45B6EC327
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF29492B2735222095.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4419282414536245
Encrypted:	false
SSDEEP:	48:p8PhSuRc06WXJajT51jWS5oGrrTSI87ZBKN:khS1RjTnWOTUZB
MD5:	8DA680176F1170DB044E3FEA36899755
SHA1:	E00370626244AA24CF70EFAD630E1636C0540A0B
SHA-256:	4A2B528A391C5CF625AB0B8DBFD2D566EAF8BFB5CC12A610A60CEF2FCA1CF134
SHA-512:	D9801F6F867CAA5C7C66DB71DD1BB9D18CB7F62DC5203E9D693A7619AE730C29AD61485FB475D212157B323BFDFECF4087A0EA807E2FB32D064AECAC164E7BFB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3062DD17BBBFA997.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF327F78088AAFEED8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF375EE48D958B38FB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1642326148909647
Encrypted:	false
SSDEEP:	48:nmxP6uqJveFXJtT50jWS5oGrrTSI87ZBKN:nY6EVT8WOTUZB
MD5:	00062BAD6B8B7C39244C2827A6DFF9C6
SHA1:	A10F6BEC63E562B1F5F3747087CAF06F23367979
SHA-256:	B2A51676A1C5BA52D3F4705A6FEDB0A573936CB6472A011A8DB986DDBABDC9B4
SHA-512:	A2FD32DF15F8FB99E4BA1EF41278061779C7A0043A5423037B0EBFE6C7F76CB12A73C69074E8E5A9D1DF050A8111025F063E5372FAFA0CB7704DC5A45B6EC327
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF71AAADE0E9A6F831.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.09470461534055624
Encrypted:	false
SSDEEP:	24:OeMRZMAKk83ipVvipV7V2BwGI1lrkgq+J:p4ZBKk83S9S5oGrrqE
MD5:	435C8817B725635073171AAB2A4B1D3F
SHA1:	FEDC27493498DDD3B6C0681125546657DDA62AD3
SHA-256:	0E932155099C2E4D17AAF7317FA564CA6CA81AD579FB6B9D3CB8F2BA8502B47F
SHA-512:	1D91952260B9485292631C8EF66E0253C241A377CC6161C987DE1DF7804287C69BAAA14F5B8B82ECAA0325126B730351D65DDDDCC25F11F7198B6D97ED02AFCB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF809138892F740C8A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB62DA93EF28D9396.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4419282414536245
Encrypted:	false
SSDEEP:	48:p8PhSuRc06WXJajT51jWS5oGrrTSI87ZBKN:khS1RjTnWOTUZB
MD5:	8DA680176F1170DB044E3FEA36899755
SHA1:	E00370626244AA24CF70EFAD630E1636C0540A0B
SHA-256:	4A2B528A391C5CF625AB0B8DBFD2D566EAF8BFB5CC12A610A60CEF2FCA1CF134
SHA-512:	D9801F6F867CAA5C7C66DB71DD1BB9D18CB7F62DC5203E9D693A7619AE730C29AD61485FB475D212157B323BFDFECF4087A0EA807E2FB32D064AECAC164E7BFB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC4C97DEBE345A8E9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCAF644BBE769D984.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07101630662971534
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOgt24M11YBXLIiVky6l7:2F0i8n0itFzDHFsLMzYBX27
MD5:	349CDA8D2FD0D29E0FB29113F60EEE6E
SHA1:	840BA62FCD747ADE827C4088244A12809B3C163E
SHA-256:	A0763C17CC38315ECBD3D1B560D146B7FDCE31F0F91E197A2A7F3BFE9E39A45C
SHA-512:	EA8BDDC69EA869DAB6D70680908C2574A287A63380B19D5CD52ED71513359EB1A2AA695D80EF97B4F77424E9BAA5EF3DDB6FCB854155E76168F6818B53C3933E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEC95C52B16B63EDD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1642326148909647
Encrypted:	false
SSDEEP:	48:nmxP6uqJveFXJtT50jWS5oGrrTSI87ZBKN:nY6EVT8WOTUZB
MD5:	00062BAD6B8B7C39244C2827A6DFF9C6
SHA1:	A10F6BEC63E562B1F5F3747087CAF06F23367979
SHA-256:	B2A51676A1C5BA52D3F4705A6FEDB0A573936CB6472A011A8DB986DDBABDC9B4
SHA-512:	A2FD32DF15F8FB99E4BA1EF41278061779C7A0043A5423037B0EBFE6C7F76CB12A73C69074E8E5A9D1DF050A8111025F063E5372FAFA0CB7704DC5A45B6EC327
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 Redistributable (64) - 12.0.39659., Template: Intel;1033, Revision Number: {677686E8-D2EB-4231-BA61-36994AEA93B1}, Create Time/Date: Thu Dec 14 13:58:56 2023, Last Saved Time/Date: Thu Dec 14 13:58:56 2023, Number of Pages: 400, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.607314684857152
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	Installer.msi
File size:	786'432 bytes
MD5:	1e3ff8672dd9df37ac5696222fd0bec7
SHA1:	5437218f7389925a7ea5bc780d1351d6ce3ea067
SHA256:	0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5
SHA512:	fe2a03675efd005264e3750f8eac22548031cf9b7327ada206184027983b98758552ee222d81265fa000a4b1700dfc5d171fa8b3ea7a1229785f421c5438c09e
SSDEEP:	12288:pTZ2EEko4IoVnBnVzoeOhFyFLgVNjDOX0VsCMd4UvZ9cA/KBOxP2:79VnToWLgVDTMdPn/KBV
TLSH:	D0F4020132998175F09D413C8EE243F4EFFFADA49E935A8BAB84B71D0C74B80652B765
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2023 22:02:10.676770926 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:10.880620956 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:10.880903959 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:10.894131899 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:11.143018007 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:11.181126118 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:11.181188107 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:11.181206942 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:11.181248903 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:12.000256062 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:12.205058098 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:12.205144882 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:12.210377932 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:12.210480928 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:02:12.414055109 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:12.414298058 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:12.415297985 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:12.415333033 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:13.832534075 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:02:13.832693100 CET	49731	5632	192.168.2.4	172.232.186.251
Dec 14, 2023 22:03:28.845606089 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:03:28.845660925 CET	5632	49731	172.232.186.251	192.168.2.4
Dec 14, 2023 22:03:28.845900059 CET	49731	5632	192.168.2.4	172.232.186.251

Target ID:	0
Start time:	22:01:51
Start date:	14/12/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Installer.msi"
Imagebase:	0x7ff623ea0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:01:51
Start date:	14/12/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff623ea0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	22:01:52
Start date:	14/12/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding FB72CBA66D1B5B7C2EC1EC7FC50D4B55
Imagebase:	0x290000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:01:53
Start date:	14/12/2023
Path:	C:\Windows\SysWOW64\SearchProtocolHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\SearchProtocolHost.exe
Imagebase:	0xb10000
File size:	340'992 bytes
MD5 hash:	727FE964E574EEAF8917308FFF0880DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PikaBot, Description: Yara detected PikaBot, Source: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	80.2%
Total number of Nodes:	1685
Total number of Limit Nodes:	44

Executed Functions

Function 00B222B3 Relevance: 83.6, Strings: 65, Instructions: 2399COMMON

Download Yara Rule

Strings

et-EE, xrefs: 00B22E58, 00B23CCB, 00B24335
1, xrefs: 00B23539
iC, xrefs: 00B2242D
#, xrefs: 00B22DDA
yi-001, xrefs: 00B23193
%s\%s.mui, xrefs: 00B22F07
no protocol option, xrefs: 00B22A1F
,, xrefs: 00B23A16
T, xrefs: 00B22B17
de-DE, xrefs: 00B22782
1-", xrefs: 00B223DF
@, xrefs: 00B23A62
E, xrefs: 00B23A34
Y, xrefs: 00B23A82
;, xrefs: 00B234F5
no message, xrefs: 00B22FCB
7, xrefs: 00B239F2
(, xrefs: 00B23283
1, xrefs: 00B24259
W, xrefs: 00B239C0
,, xrefs: 00B23FA9
PartA_PrivTags, xrefs: 00B23C36, 00B23DA7
N, xrefs: 00B23A4E
0, xrefs: 00B23594
,, xrefs: 00B235B0
currentContextMessage, xrefs: 00B22612
d, xrefs: 00B23522
YMWQ, xrefs: 00B241D8
F, xrefs: 00B232C3
), xrefs: 00B24A1F
System, xrefs: 00B24547
%hs!%p: , xrefs: 00B24073
mni-IN, xrefs: 00B222C7
Y, xrefs: 00B235E8
Z, xrefs: 00B2498D
U, xrefs: 00B22C94
;, xrefs: 00B22C8A
R, xrefs: 00B2352B
T, xrefs: 00B239CA
", xrefs: 00B22A54
;, xrefs: 00B2499A
., xrefs: 00B239D4
', xrefs: 00B244AA
WIv, xrefs: 00B241AA
', xrefs: 00B22623
a, xrefs: 00B244B1
^k7y, xrefs: 00B2427E
_YV, xrefs: 00B2231D
B, xrefs: 00B22BE3
C+, xrefs: 00B23FD8
Y, xrefs: 00B2255A
AppID, xrefs: 00B225D2, 00B22957, 00B22D7F, 00B23159, 00B2337E, 00B24316
a, xrefs: 00B23277
K, xrefs: 00B244B8
timed_out, xrefs: 00B223DA
7, xrefs: 00B249A6
de-DE, xrefs: 00B2284E, 00B228FC, 00B22FED, 00B23707, 00B23B95, 00B23E08, 00B23EEF, 00B247CF
permission denied, xrefs: 00B23A96
3, xrefs: 00B246F4
io error, xrefs: 00B24897
O, xrefs: 00B23682
T, xrefs: 00B2298C
w, xrefs: 00B24104
$x, xrefs: 00B240DA
failureId, xrefs: 00B246B4

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$$x$%hs!%p: $%s\%s.mui$'$'$($)$,$,$,$.$0$1$1$3$7$7$;$;$;$@$AppID$B$C+$E$F$K$N$O$PartA_PrivTags$R$System$T$T$T$U$W$WIv$Y$Y$Y$YMWQ$Z$^k7y$a$a$currentContextMessage$d$de-DE$de-DE$et-EE$failureId$io error$mni-IN$no message$no protocol option$permission denied$timed_out$w$yi-001$1-"$_YV$iC
API String ID: 0-1449502329
Opcode ID: d089ccd52dc50250fdc0e299e7bf78bd8ca311da560b0ea4e6a281a76e81c449
Instruction ID: 812408c96b30e892c423de0d9050f1f24131852f8405ddc276a63d8b3ca3a57e
Opcode Fuzzy Hash: d089ccd52dc50250fdc0e299e7bf78bd8ca311da560b0ea4e6a281a76e81c449
Instruction Fuzzy Hash: 5F33AE71E042A88FDB26CF68D8413EDBBF1AF59304F1486EAD48CAB342D7745A858F54

Uniqueness

Uniqueness Score: -1.00%

Function 00B252D5 Relevance: 82.9, APIs: 3, Strings: 43, Instructions: 2447processCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2D2B3: GetProcAddress.KERNELBASE(00000000,00000000), ref: 00B2D2C0

CreateToolhelp32Snapshot.KERNEL32(?,?,00000013,?,?,00000013,?,00000005,00000005,00000005,?,0000000A,0000000C,00000013,-000017FD), ref: 00B26AAC
Process32FirstW.KERNEL32(00000000,?,?,00000005,00000005,00000005,?,0000000A,0000000C,00000013,-000017FD), ref: 00B26AEF

Strings

D, xrefs: 00B26ECE
DOp, xrefs: 00B270C8
ibb-NG, xrefs: 00B2583C
wrong protocol type, xrefs: 00B26959
Se, xrefs: 00B26B0B
NtQueryWnfStateData, xrefs: 00B26387
j, xrefs: 00B26C6A
HKEY_LOCAL_MACHINE, xrefs: 00B25DC8
ca-ES, xrefs: 00B2600B, 00B26833, 00B26C6E, 00B26C8E, 00B26E55, 00B27110, 00B2723B, 00B27240, 00B2741F
LogHr, xrefs: 00B26C3E
5], xrefs: 00B25CD7
F, xrefs: 00B26EC4
a, xrefs: 00B253C4
fileName, xrefs: 00B26AF9
sr-SP-Cyrl, xrefs: 00B25935, 00B271FD
onecoreuap\base\appmodel\search\common\pkmutild\cregistry.cxx, xrefs: 00B267AC
currentContextId, xrefs: 00B25362, 00B26259, 00B26568
no stream resources, xrefs: 00B270AD
F, xrefs: 00B26293
0, xrefs: 00B266BD
X, xrefs: 00B266B3
too many files open in system, xrefs: 00B2537E, 00B2552E, 00B25952, 00B25BDE, 00B25F56, 00B25FB6, 00B2619B, 00B2621F, 00B26857, 00B2690B, 00B26C89, 00B26D55, 00B26D8A, 00B26D8B, 00B26F24, 00B2710B, 00B27440, 00B27516
RegDeleteKeyExW, xrefs: 00B25B08
network_down, xrefs: 00B25505
address_not_available, xrefs: 00B259B4, 00B259C7, 00B259E6, 00B259E7, 00B25A01, 00B25BB5, 00B25BE4, 00B25C13, 00B25DCD, 00B25EC0, 00B25FC8, 00B265EB, 00B26F99
HKEY_DYN_DATA, xrefs: 00B274FE
ky-KG, xrefs: 00B260DF
w0, xrefs: 00B2691A
,, xrefs: 00B26E99
failureCount, xrefs: 00B256F6
,a, xrefs: 00B26297
ka-GE, xrefs: 00B25F51
#, xrefs: 00B266E3
too_many_files_open, xrefs: 00B27387
sl-SI, xrefs: 00B25CA1
X, xrefs: 00B26913
mq, xrefs: 00B25F80
text file busy, xrefs: 00B26459
3, xrefs: 00B2676B
Z, xrefs: 00B25698
operation would block, xrefs: 00B25FBB, 00B2685C, 00B26A32, 00B26B75, 00B270D2, 00B2710A, 00B27445, 00B275E3
#, xrefs: 00B26F00
r, xrefs: 00B27510

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressCreateFirstProcProcess32SnapshotToolhelp32
String ID: #$#$,$,a$0$3$5]$D$DOp$F$F$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$LogHr$NtQueryWnfStateData$RegDeleteKeyExW$X$X$Z$a$address_not_available$ca-ES$currentContextId$failureCount$fileName$ibb-NG$j$ka-GE$ky-KG$mq$network_down$no stream resources$onecoreuap\base\appmodel\search\common\pkmutild\cregistry.cxx$operation would block$r$sl-SI$sr-SP-Cyrl$text file busy$too many files open in system$too_many_files_open$w0$wrong protocol type$Se
API String ID: 1169705608-3400702908
Opcode ID: 6ce84cad4d4f4658150370448c1e102685b8fbd05ff485808b8a86530a610e95
Instruction ID: 92c7b87f3910374781d5f14a56143faff6c8d77beb282dc068cf679c8ee7db9d
Opcode Fuzzy Hash: 6ce84cad4d4f4658150370448c1e102685b8fbd05ff485808b8a86530a610e95
Instruction Fuzzy Hash: BE33C631E042A88FDB15CFA8A8543EDBBF1AF59300F1486EAD8D8E7352D6744A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B335EB Relevance: 73.7, APIs: 4, Strings: 37, Instructions: 1941networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2D25A: HeapFree.KERNEL32(00000000,00B2C92B,?), ref: 00B2D2AB

InternetConnectW.WININET(?,?,?,?,?,?,?,?), ref: 00B33765

Part of subcall function 00B2D2B3: GetProcAddress.KERNELBASE(00000000,00000000), ref: 00B2D2C0

HttpOpenRequestW.WININET(?,00000000,00000000,?,?,?,00400000), ref: 00B33C64
HttpSendRequestW.WININET(?,00000000,00000000,?,00000000), ref: 00B34B13
InternetCloseHandle.WININET(?), ref: 00B35506

Strings

, xrefs: 00B34613
sr-BA-Cyrl, xrefs: 00B3502B
^, xrefs: 00B3448B
R, xrefs: 00B33B79
X, xrefs: 00B34A28
HostProcessExecution, xrefs: 00B34B29
$, xrefs: 00B3509D
fil-PH, xrefs: 00B3377A
N, xrefs: 00B337AC
;, xrefs: 00B353B5
L, xrefs: 00B35220
\h, xrefs: 00B34DBE
l", xrefs: 00B34E0A
bin-NG, xrefs: 00B3520F
fileName, xrefs: 00B340AE
0, xrefs: 00B34684
zh-Hant, xrefs: 00B33706, 00B33713, 00B338C8, 00B339F3, 00B33A3C, 00B33E99, 00B33F64, 00B3446D, 00B34754, 00B347A3, 00B3490D, 00B34EA3
originatingContextName, xrefs: 00B336E9, 00B338EF, 00B33A60, 00B33D87, 00B33DAA, 00B33DB0, 00B33E69, 00B33E6F, 00B33FFF, 00B34323, 00B34344, 00B34366, 00B34515, 00B3452B, 00B34783, 00B34929, 00B3513C, 00B35411
q, xrefs: 00B34124
W, xrefs: 00B346A0
.Bu{failureId, xrefs: 00B336E3, 00B33715, 00B33897, 00B338A8, 00B338FA, 00B339C4, 00B33A1F, 00B33A34, 00B33A47, 00B33A67, 00B33AC2, 00B33B10, 00B33C7D, 00B33D5D, 00B33DEC, 00B33E9E, 00B33F0A, 00B33F98, 00B3402F, 00B34190, 00B3433E, 00B3436B, 00B344F7, 00B34520, 00B34633, 00B3477D, 00B347B0, 00B348E5, 00B34933, 00B349F6, 00B34A19, 00B34C63, 00B34ECE, 00B34EEE, 00B35418, 00B354A5
4, xrefs: 00B34DC7
1`, xrefs: 00B33D1B
invalid seek, xrefs: 00B345F2
message, xrefs: 00B3427D
$, xrefs: 00B350D3
chr-Cher-US, xrefs: 00B33F20
8q1", xrefs: 00B35073
network reset, xrefs: 00B33914
ext-ms-win-advapi32-eventlog-l1-1-0, xrefs: 00B34D8F
mk-MK, xrefs: 00B34F43
8<wJ, xrefs: 00B35230
), xrefs: 00B33AFD
ks-Arab, xrefs: 00B336BE, 00B3370B, 00B33DA5, 00B33DAF, 00B33E41, 00B33E64, 00B33E6E, 00B34525, 00B3452A, 00B3522B
originatingContextMessage, xrefs: 00B34C9C
threadId, xrefs: 00B348BF
invalid string position, xrefs: 00B33CDA

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: HttpInternetRequest$AddressCloseConnectFreeHandleHeapOpenProcSend
String ID: $$$$$)$.Bu{failureId$0$1`$4$8<wJ$8q1"$;$HostProcessExecution$L$N$R$W$X$\h$^$bin-NG$chr-Cher-US$ext-ms-win-advapi32-eventlog-l1-1-0$fil-PH$fileName$invalid seek$invalid string position$ks-Arab$l"$message$mk-MK$network reset$originatingContextMessage$originatingContextName$q$sr-BA-Cyrl$threadId$zh-Hant
API String ID: 563973479-2634115502
Opcode ID: ac08804aa6ccbf24e4a85a17240f57eb235e7ec287485aa60c3455dccb42176e
Instruction ID: 67294e9cd00d42c4533aca22b9e3b8688a79546d58135e756001c528a7265fca
Opcode Fuzzy Hash: ac08804aa6ccbf24e4a85a17240f57eb235e7ec287485aa60c3455dccb42176e
Instruction Fuzzy Hash: 5413C171A042A88FDB15CFA8D8513EDBBF1AF59300F1886E9D498B7342DB745A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D2D4 Relevance: 57.6, APIs: 1, Strings: 31, Instructions: 1600COMMON

Download Yara Rule

Strings

", xrefs: 00B2D684
ext-ms-win-advapi32-eventlog-l1-1-1, xrefs: 00B2DB2C
ModuleCollection, xrefs: 00B2DABB, 00B2DD4D, 00B2DD6B, 00B2E100, 00B2E16E, 00B2E297, 00B2E57E, 00B2E60F
6, xrefs: 00B2D975
executable format error, xrefs: 00B2E9AD
et-EE, xrefs: 00B2E082
AppID, xrefs: 00B2D9A4
zQ, xrefs: 00B2D884
B, xrefs: 00B2E24E
generic, xrefs: 00B2D8C8
bg-BG, xrefs: 00B2D745
ext-ms-win-imm-l1-1-0, xrefs: 00B2D3C5
too many files open in system, xrefs: 00B2DC8C
NtUpdateWnfStateData, xrefs: 00B2E449
module, xrefs: 00B2E229
PartA_PrivTags, xrefs: 00B2E7C4
is a directory, xrefs: 00B2D2DF
(, xrefs: 00B2D2F6
L, xrefs: 00B2EAF6
k, xrefs: 00B2D608
ur-PK, xrefs: 00B2DE2E, 00B2E686
TelemetryAssert, xrefs: 00B2D603, 00B2D7A8, 00B2D7B0, 00B2D97D, 00B2DA29, 00B2DA2E, 00B2DA36, 00B2DCED, 00B2E37F, 00B2E559, 00B2E877, 00B2E957, 00B2E95C
4, xrefs: 00B2D3CA
nz, xrefs: 00B2E0BF
QB, xrefs: 00B2E470
argument list too long, xrefs: 00B2D4F8
Local\SM0:%d:%d:%hs, xrefs: 00B2DF69
S, xrefs: 00B2DC9E
$, xrefs: 00B2EAEF
fi-FI, xrefs: 00B2D451, 00B2E2BF, 00B2E5DB, 00B2E930, 00B2E935
inappropriate io control operation, xrefs: 00B2D5E0

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: "$$$($6$AppID$L$Local\SM0:%d:%d:%hs$ModuleCollection$NtUpdateWnfStateData$PartA_PrivTags$QB$S$TelemetryAssert$argument list too long$bg-BG$et-EE$executable format error$ext-ms-win-advapi32-eventlog-l1-1-1$ext-ms-win-imm-l1-1-0$fi-FI$generic$inappropriate io control operation$is a directory$k$module$nz$too many files open in system$ur-PK$zQ$4$B
API String ID: 0-2165300778
Opcode ID: 815db5a1f4687cb57d36203d5aa066988587b3ecdfe3c96534dbeca68e6294af
Instruction ID: 6a7b193a65ba0998a2f56559a4a8e31d0bed1322c2289dbbf24d9007ab5857cc
Opcode Fuzzy Hash: 815db5a1f4687cb57d36203d5aa066988587b3ecdfe3c96534dbeca68e6294af
Instruction Fuzzy Hash: 32E2D731E042A85EDB55CFA9A4503EC7FF1AF19300F6885F9D898E7342EA344A86DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C2E0 Relevance: 45.0, APIs: 1, Strings: 24, Instructions: 1294COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(00000000,?,?,00000040,?,?,?,?,?,00000009,?,00000015,0000001A,00000018,00000015,?), ref: 00B3D2A8

Part of subcall function 00B2D2B3: GetProcAddress.KERNELBASE(00000000,00000000), ref: 00B2D2C0

Part of subcall function 00B2D25A: HeapFree.KERNEL32(00000000,00B2C92B,?), ref: 00B2D2AB

Strings

originatingContextId, xrefs: 00B3CC6E
th-TH, xrefs: 00B3D0E3
], xrefs: 00B3CAEB
HKEY_CLASSES_ROOT, xrefs: 00B3CF76, 00B3D2CF, 00B3D3D9
km-KH, xrefs: 00B3CCDE, 00B3D00D, 00B3D4B9, 00B3D4BE
0, xrefs: 00B3D556
V, xrefs: 00B3CDB9
imageName, xrefs: 00B3C379
RtlNtStatusToDosErrorNoTeb, xrefs: 00B3CAB5
e#6%, xrefs: 00B3CE49
G, xrefs: 00B3C962
c, xrefs: 00B3C95B
;, xrefs: 00B3D545
id-ID, xrefs: 00B3CE8E
-, xrefs: 00B3CE20
sl-SI, xrefs: 00B3C4E2
3, xrefs: 00B3C969
#&NDB, xrefs: 00B3C6E7
RtlDllShutdownInProgress, xrefs: 00B3C99A
pt-BR, xrefs: 00B3C48C, 00B3C701, 00B3D211, 00B3D369
&, xrefs: 00B3D1EC
address_not_available, xrefs: 00B3C620
failureId, xrefs: 00B3CF57
not supported, xrefs: 00B3C310, 00B3CAE0, 00B3CB94, 00B3D039

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressFreeHeapInformationProcVolume
String ID: #&NDB$&$-$0$3$;$G$HKEY_CLASSES_ROOT$RtlDllShutdownInProgress$RtlNtStatusToDosErrorNoTeb$V$]$address_not_available$c$e#6%$failureId$id-ID$imageName$km-KH$not supported$originatingContextId$pt-BR$sl-SI$th-TH
API String ID: 1952060866-6681821
Opcode ID: cb0eabaef43b02cc506c05136138189e704044b9164f9f9ee2ce5a28cee94670
Instruction ID: fd9c9a4a0c716ceb0635fc12228490eb7abd3da45e52506a72d3cff66425f01e
Opcode Fuzzy Hash: cb0eabaef43b02cc506c05136138189e704044b9164f9f9ee2ce5a28cee94670
Instruction Fuzzy Hash: E9C2C031A042998EDB15CFA9D8553EDBFF1AF59300F2885EAD889FB381D6344A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B20157 Relevance: 39.3, APIs: 2, Strings: 20, Instructions: 762
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000014,F9D557B4,00000004,?), ref: 00B209F1
FindCloseChangeNotification.KERNELBASE(?,?), ref: 00B20C31

Strings

TypeLib, xrefs: 00B20AAC
message, xrefs: 00B20A8C
F, xrefs: 00B20194
!, xrefs: 00B2018D
PartA_PrivTags, xrefs: 00B201D8, 00B206CB
no buffer space, xrefs: 00B201AF
not a stream, xrefs: 00B202B2, 00B203EC, 00B2060E, 00B2094A
PartA_PrivTags, xrefs: 00B205B5
O, xrefs: 00B20891
function, xrefs: 00B20883
Interface, xrefs: 00B2047A
O, xrefs: 00B20B6E
s, xrefs: 00B20A4D
&, xrefs: 00B20713
Windows Search Service, xrefs: 00B20366
Q, xrefs: 00B2070A
count, xrefs: 00B20B4C
km-KH, xrefs: 00B20731
(, xrefs: 00B204E9
1_, xrefs: 00B2047F

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindInformationNotificationToken
String ID: !$&$($F$Interface$O$PartA_PrivTags$PartA_PrivTags$Q$TypeLib$Windows Search Service$count$function$km-KH$message$no buffer space$not a stream$s$1_$O
API String ID: 584730905-3306895544
Opcode ID: 35d3cdddc9846d17915281404e0c825cceccd1f151da0e9c8697bbb08d7da195
Instruction ID: 85afb85ca29bda82f5e99fd71fdd1508cecb4ca54ef6259365b4896a4affad94
Opcode Fuzzy Hash: 35d3cdddc9846d17915281404e0c825cceccd1f151da0e9c8697bbb08d7da195
Instruction Fuzzy Hash: DE62C531B052A88EDB16DFADA4903ED7FF1AF1A300F5845FAD8C9E7342D2644A45CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B43750 Relevance: 33.7, APIs: 1, Strings: 18, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 00B43F4C
too many files open in system, xrefs: 00B43D12, 00B43D17
message_size, xrefs: 00B43B38
module, xrefs: 00B438BE
PPTP00W, xrefs: 00B43ABF
@, xrefs: 00B43EF5
+, xrefs: 00B438D0
message_size, xrefs: 00B43CED
-, xrefs: 00B43FC1
*, xrefs: 00B43F01
P, xrefs: 00B439F6
X, xrefs: 00B43FBA
#, xrefs: 00B43FB3
z0[, xrefs: 00B43A2B
/, xrefs: 00B439EF
zh-Hant, xrefs: 00B43820
es-ES_tradnl, xrefs: 00B43E24
sH(s, xrefs: 00B43A45

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: #$*$+$-$/$?$@$P$PPTP00W$X$es-ES_tradnl$message_size$message_size$module$sH(s$too many files open in system$z0[$zh-Hant
API String ID: 0-3155290421
Opcode ID: 33cd1e4d217db16966d1e25dd21bed1b9f7cd4b281577d790171ed6c9f62d0fb
Instruction ID: 94b75ed3586ac3a9550a9917e6a7de9fc325cb85dc2dea8be133507314b48e5e
Opcode Fuzzy Hash: 33cd1e4d217db16966d1e25dd21bed1b9f7cd4b281577d790171ed6c9f62d0fb
Instruction Fuzzy Hash: 4522BF71D042988FDB45CFA894603ECBFF1AF5A310F2942EAD998B7342D6744A86DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B43739 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 00B43F4C
too many files open in system, xrefs: 00B43D12, 00B43D17
message_size, xrefs: 00B43B38, 00B43C29
module, xrefs: 00B438BE
PPTP00W, xrefs: 00B43ABF
@, xrefs: 00B43EF5
se-NO, xrefs: 00B43748, 00B43BB7, 00B43BFA, 00B43C61
+, xrefs: 00B438D0
message_size, xrefs: 00B43CED
*, xrefs: 00B43F01
P, xrefs: 00B439F6
z0[, xrefs: 00B43A2B
/, xrefs: 00B439EF
zh-Hant, xrefs: 00B43820
es-ES_tradnl, xrefs: 00B43E24
sH(s, xrefs: 00B43A45

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$/$?$@$P$PPTP00W$es-ES_tradnl$message_size$message_size$module$sH(s$se-NO$too many files open in system$z0[$zh-Hant
API String ID: 0-22870121
Opcode ID: fdc49d95bbabcb7c607fcf5abafcd91c76c66d3c57ed59fe257cc0bb9680e030
Instruction ID: 41ebd2b458305b33e448290c764ef5b0ffde0277f3aaa8029ca178cdc31fdcd6
Opcode Fuzzy Hash: fdc49d95bbabcb7c607fcf5abafcd91c76c66d3c57ed59fe257cc0bb9680e030
Instruction Fuzzy Hash: C922C071E042A88FDF41CFA994503ECBFF1AF5A300F2941E9D998A7342D6744A86DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B40A2D Relevance: 29.4, Strings: 23, Instructions: 668
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ydV2, xrefs: 00B40CAF
VR_!, xrefs: 00B40D7A
b, xrefs: 00B40E75
no lock available, xrefs: 00B4122C
*, xrefs: 00B414FE
CLSID, xrefs: 00B40D2A
N, xrefs: 00B40C2D
c+, xrefs: 00B40D95
q, xrefs: 00B40B6F
S, xrefs: 00B41470
currentContextName, xrefs: 00B411E8
,, xrefs: 00B414DC
^<, xrefs: 00B40A54
u%, xrefs: 00B41334
@:M8, xrefs: 00B40AF7
interrupted, xrefs: 00B41309
/, xrefs: 00B40CEB
bfA(, xrefs: 00B40DB3
fileName, xrefs: 00B40F47
$Bf, xrefs: 00B40C7D
], xrefs: 00B41082
N, xrefs: 00B414E8
ti-ET, xrefs: 00B410A5

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $Bf$*$,$/$@:M8$CLSID$N$N$S$VR_!$]$b$bfA($c+$currentContextName$fileName$interrupted$no lock available$q$ti-ET$u%$ydV2$^<
API String ID: 0-3569637293
Opcode ID: f57a081499bab107e651b844df45580ef2e0c83b90f674279ddf28c68df2894f
Instruction ID: c223b6c057a4ec9f7ef45ae01f984307d0b4ed7bcbf503c5eccbb1a949b07a75
Opcode Fuzzy Hash: f57a081499bab107e651b844df45580ef2e0c83b90f674279ddf28c68df2894f
Instruction Fuzzy Hash: 0162CA71E053A88FCB22CFA898816DDBBB1AF19300F5446E9D498AB242D7744BC5DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B233BC Relevance: 25.6, Strings: 20, Instructions: 631COMMON

Download Yara Rule

Strings

et-EE, xrefs: 00B23CCB
W, xrefs: 00B239C0
R, xrefs: 00B2352B
1, xrefs: 00B23539
T, xrefs: 00B239CA
PartA_PrivTags, xrefs: 00B23C36, 00B23DA7
., xrefs: 00B239D4
N, xrefs: 00B23A4E
,, xrefs: 00B23A16
0, xrefs: 00B23594
,, xrefs: 00B235B0
de-DE, xrefs: 00B23707, 00B23B95, 00B23E08
permission denied, xrefs: 00B23A96
@, xrefs: 00B23A62
d, xrefs: 00B23522
E, xrefs: 00B23A34
Y, xrefs: 00B23A82
;, xrefs: 00B234F5
7, xrefs: 00B239F2
Y, xrefs: 00B235E8

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: ,$,$.$0$1$7$;$@$E$N$PartA_PrivTags$R$T$W$Y$Y$d$de-DE$et-EE$permission denied
API String ID: 1279760036-3904138336
Opcode ID: af43248484add740d844d59803edcf8b9dd3645ba507944a59ba167d472bd59b
Instruction ID: 7756c81fa37e5f0f1a50740a4b3a9b8acbeab65f19b07aa787a93e8b17fdea06
Opcode Fuzzy Hash: af43248484add740d844d59803edcf8b9dd3645ba507944a59ba167d472bd59b
Instruction Fuzzy Hash: 04528971E002688BDB29DF68D8557EDBBF6EF44304F0481E9E44DAB241DB349A82CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00B42000 Relevance: 25.4, Strings: 20, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PG!, xrefs: 00B425C6
', xrefs: 00B4223E
&, xrefs: 00B42264
Software\Microsoft\Windows Search\Tracing, xrefs: 00B42096
6, xrefs: 00B42245
HKEY_CURRENT_USER, xrefs: 00B42582, 00B42587
;, xrefs: 00B42220
jq=&, xrefs: 00B4204A
+$, xrefs: 00B426AD
'a, xrefs: 00B425EC
fi-FI, xrefs: 00B4241F
!, xrefs: 00B42282
D, xrefs: 00B4224C
fil-PH, xrefs: 00B4201A
$, xrefs: 00B4226E
B, xrefs: 00B4225A
address_not_available, xrefs: 00B422EB
1, xrefs: 00B421CF
&, xrefs: 00B425FD
<, xrefs: 00B4228C

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: !$$$&$&$'$1$6$;$<$B$D$HKEY_CURRENT_USER$PG!$Software\Microsoft\Windows Search\Tracing$address_not_available$fi-FI$fil-PH$jq=&$'a$+$
API String ID: 0-1434026967
Opcode ID: d4de2a5ab8063ebcc2eeb54b8945766b4aea2c2d7404df9175d354dc726977e0
Instruction ID: 6eeab67d2e96905fb54792eddadbcfda57ddedc44ed9fdb38ed91bc1ca6cf9ff
Opcode Fuzzy Hash: d4de2a5ab8063ebcc2eeb54b8945766b4aea2c2d7404df9175d354dc726977e0
Instruction Fuzzy Hash: 02020F71D002688FEB25CF68D8857DDBBF1AF55300F2082E9E458BB252DB345A85EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B43BC5 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 00B43F4C
too many files open in system, xrefs: 00B43D12, 00B43D17
*, xrefs: 00B43F01
message_size, xrefs: 00B43C29
X, xrefs: 00B43FBA
#, xrefs: 00B43FB3
@, xrefs: 00B43EF5
se-NO, xrefs: 00B43BFA, 00B43C61
0, xrefs: 00B43F2B
-, xrefs: 00B43FC1
message_size, xrefs: 00B43CED
es-ES_tradnl, xrefs: 00B43E24

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: #$*$-$0$?$@$X$es-ES_tradnl$message_size$message_size$se-NO$too many files open in system
API String ID: 0-344358562
Opcode ID: f8a58200516877da0450caa5e075b587ae3c4427e368bfca31d4ad3ad92a5c06
Instruction ID: d706ca553891bdca2d481e2fd2380d909434efc5b8f75be2698e500e5abc4b9b
Opcode Fuzzy Hash: f8a58200516877da0450caa5e075b587ae3c4427e368bfca31d4ad3ad92a5c06
Instruction Fuzzy Hash: CDC1E431D042A88EDB45CFA9D4503ECBFF1AF5A714F2941EAD898B7242D6348B86DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B48E94 Relevance: 20.5, Strings: 16, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fr-FR, xrefs: 00B48F59, 00B490F0, 00B49150
f$, xrefs: 00B49090
=Z, xrefs: 00B49440
X, xrefs: 00B49432
4vln, xrefs: 00B48EF7
C, xrefs: 00B49446
0, xrefs: 00B49304
invalid argument, xrefs: 00B493F1
operation would block, xrefs: 00B49067, 00B490AF, 00B490B0, 00B490C7
gn-PY, xrefs: 00B48EC1
F, xrefs: 00B497FC
l;, xrefs: 00B49043
2, xrefs: 00B492E0
already connected, xrefs: 00B4904D
l;r, xrefs: 00B49075, 00B4936B, 00B493DF, 00B4951D, 00B4939C, 00B491F5
read only file system, xrefs: 00B48EDB

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: 0$2$4vln$=Z$C$F$X$already connected$f$$fr-FR$gn-PY$invalid argument$operation would block$read only file system$l;$l;r
API String ID: 0-2129979259
Opcode ID: 4cc411e097180f84ef784529f3c7ca465725e8f2f0c5e92c305ce02c8d519f92
Instruction ID: 4d7bdbb0315c69e30bb594ae54a7c799b759848b5684333ca7d2c69398d790d9
Opcode Fuzzy Hash: 4cc411e097180f84ef784529f3c7ca465725e8f2f0c5e92c305ce02c8d519f92
Instruction Fuzzy Hash: 74120071E042988BDF05DFA9D8542FEBBF1AF59300F2881E9D889A7381D6354B46DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1DD59 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?,?,00000000,00000000), ref: 00B1DFF6

Strings

;, xrefs: 00B1E03E
p, xrefs: 00B1DF01
I, xrefs: 00B1DD7E
callContext, xrefs: 00B1DE24, 00B1E05E, 00B1E083
not supported, xrefs: 00B1DEF3
T, xrefs: 00B1DD70
Component Categories, xrefs: 00B1E006
invalid_argument, xrefs: 00B1DD6B
TI, xrefs: 00B1E195

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: ;$Component Categories$I$T$TI$callContext$invalid_argument$not supported$p
API String ID: 3545744682-603468243
Opcode ID: 2e196b9965f9dfa68f1c3d7902fdae705ea5b9de712d36aa323ce9c5907e4c61
Instruction ID: 01c711a8a88dc5b54c17b0c8db6f92d9e2eb5b83e8c5045ed818d237dfbc7a3e
Opcode Fuzzy Hash: 2e196b9965f9dfa68f1c3d7902fdae705ea5b9de712d36aa323ce9c5907e4c61
Instruction Fuzzy Hash: 1ED1D372E042AC9EDB02CFAD94842EDBFF1BF19300F5945F9D888A7242D7758A49DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D95C Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?,00000000,6B9470A8), ref: 00B1DB89

Strings

,, xrefs: 00B1DCFC
module, xrefs: 00B1DB93
rm-CH, xrefs: 00B1DBCB
threadId, xrefs: 00B1DA73
], xrefs: 00B1DCF5
@, xrefs: 00B1D970
ModuleCollection, xrefs: 00B1D98A

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: NameUser
String ID: ,$@$ModuleCollection$]$module$rm-CH$threadId
API String ID: 2645101109-2038467357
Opcode ID: 685853318f035f7be32dacc2534ba569fa179369aeb9ca9420924186ceb3cdb1
Instruction ID: d9f4ec1c9202a58ac246fd2e52bb7e48670cbdce14cb3abc9a1c9f5930cb930b
Opcode Fuzzy Hash: 685853318f035f7be32dacc2534ba569fa179369aeb9ca9420924186ceb3cdb1
Instruction Fuzzy Hash: FAB17571A042AC8FDB12DFADA8902EE7FF1BF19300F5905F9D898A7342C2755A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D1FF Relevance: 14.3, Strings: 11, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

originatingContextId, xrefs: 00B1D6BB
om-ET, xrefs: 00B1D563, 00B1D5CF
R, xrefs: 00B1D20F
RtlRegisterFeatureConfigurationChangeNotification, xrefs: 00B1D7CE
ff-Latn-NG, xrefs: 00B1D541
9, xrefs: 00B1D208
message, xrefs: 00B1D83D
x, xrefs: 00B1D427
*pK, xrefs: 00B1D54C
rm-CH, xrefs: 00B1D3FE
invalid string position, xrefs: 00B1D235

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: *pK$9$R$RtlRegisterFeatureConfigurationChangeNotification$ff-Latn-NG$invalid string position$message$om-ET$originatingContextId$rm-CH$x
API String ID: 0-2873833578
Opcode ID: c44d2873a5ffebf924f6bd847d66dc979a420c173da437cbadf9049b6fc7e64c
Instruction ID: b8edcd82d340d6ff9061e8101b92ef4f150418f035151039d2244eecba213bb3
Opcode Fuzzy Hash: c44d2873a5ffebf924f6bd847d66dc979a420c173da437cbadf9049b6fc7e64c
Instruction Fuzzy Hash: 7D22C831A042988EDB15CFED98902EDBFF1AF1A300F9945FAD8D9A7342C6355945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E6B9 Relevance: 14.1, Strings: 11, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lineNumber, xrefs: 00B1E82A
#, xrefs: 00B1E7EA
,, xrefs: 00B1EB73
L, xrefs: 00B1EB80
lghp, xrefs: 00B1E6D7
Local\SM0:%d:%d:%hs, xrefs: 00B1E7DA
ms-MY, xrefs: 00B1E88C, 00B1E894, 00B1EA08
filename_too_long, xrefs: 00B1E6C5
ur-PK, xrefs: 00B1EAAE
a, xrefs: 00B1E970
1, xrefs: 00B1E9AA

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: #$,$1$L$Local\SM0:%d:%d:%hs$a$filename_too_long$lghp$lineNumber$ms-MY$ur-PK
API String ID: 0-3856692252
Opcode ID: 70ca5a64c2caa13ca31251fc9897d46743a9cce0e9152696037909abd3e76d71
Instruction ID: d628b5fef45501604a238bcc6ada711933d5acf0c9d23957afd4b178dfbddbd4
Opcode Fuzzy Hash: 70ca5a64c2caa13ca31251fc9897d46743a9cce0e9152696037909abd3e76d71
Instruction Fuzzy Hash: DFE11931A042988EDB11CFB9D8413EDBFF1AF59300F5945E5D898A7392D6748E86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E205 Relevance: 12.8, Strings: 10, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

originatingContextId, xrefs: 00B1E219
nf8, xrefs: 00B1E4F5
generic, xrefs: 00B1E412
,, xrefs: 00B1E63A
wilActivity, xrefs: 00B1E3C9, 00B1E3CE
Q, xrefs: 00B1E227
&, xrefs: 00B1E3A8
T, xrefs: 00B1E630
zh-CHT, xrefs: 00B1E4E2
fileName, xrefs: 00B1E5AF

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: &$,$Q$T$fileName$generic$nf8$originatingContextId$wilActivity$zh-CHT
API String ID: 0-2616223789
Opcode ID: d7591e951a853c8fbe8cbedf1e86188a361dec88f344b9ee2eb1001ccf57c074
Instruction ID: f481a3bc106b391ed63e588f70617feced6edf5da98f8feac28ea91e1e772dde
Opcode Fuzzy Hash: d7591e951a853c8fbe8cbedf1e86188a361dec88f344b9ee2eb1001ccf57c074
Instruction Fuzzy Hash: 1DD1CF71D082988BDB01CFB999003EDBFF1AF65304F5946EAD898A7342D3749A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B59710 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

NtPssCaptureVaSpaceBulk.NTDLL(00000000,00000061), ref: 00B59762

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: BulkCaptureSpace
String ID:
API String ID: 1541563799-0
Opcode ID: e7f6e9b7806ce31a3c1bcaa21fbe050c7a2ca888be0af505357316badd405d1c
Instruction ID: 69d61087dde54aa048bc98c838d7c2e0c961cb336abe2320dfbf138e0c31b761
Opcode Fuzzy Hash: e7f6e9b7806ce31a3c1bcaa21fbe050c7a2ca888be0af505357316badd405d1c
Instruction Fuzzy Hash: B4F0D4B2520300DFEB02DF14EC217A23BA1F704212B4846E5E849F32A0EB359814DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B32F99 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 00B334F8
b, xrefs: 00B3352D
2, xrefs: 00B33593
.Bu{failureId, xrefs: 00B33226, 00B333B2
W, xrefs: 00B3309C
', xrefs: 00B33589
HKEY_DYN_DATA, xrefs: 00B33075
mni-IN, xrefs: 00B3340F
@B, xrefs: 00B331C0
connection reset, xrefs: 00B332D1
operation_not_supported, xrefs: 00B331B2
zh-Hant, xrefs: 00B331E3

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: '$.Bu{failureId$2$@B$D$HKEY_DYN_DATA$W$b$connection reset$mni-IN$operation_not_supported$zh-Hant
API String ID: 0-2796461677
Opcode ID: ff9c621e8a641308f9e8ef619be92ff6e474effcc82c59be089a9330abd501dc
Instruction ID: 0d727a1d105bc0a568f9ce929081a1c4c98e861c6d4fbf64eaa3ccc868273eba
Opcode Fuzzy Hash: ff9c621e8a641308f9e8ef619be92ff6e474effcc82c59be089a9330abd501dc
Instruction Fuzzy Hash: 2BF1B531A082988EDF55CFA8A8543EDBFF16F1A210F2846F9D8C8E7352D5758A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F263 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,00000006,00000031,00000000,00000000), ref: 00B1F54B

Strings

0, xrefs: 00B1F4BB
a, xrefs: 00B1F4F2
(, xrefs: 00B1F562
RtlRegisterFeatureConfigurationChangeNotification, xrefs: 00B1F271
@, xrefs: 00B1F512
d#, xrefs: 00B1F4D7
+, xrefs: 00B1F551
Z, xrefs: 00B1F3AA
argument list too long, xrefs: 00B1F462
1, xrefs: 00B1F2E7
Locale, xrefs: 00B1F399

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: ($+$0$1$@$Locale$RtlRegisterFeatureConfigurationChangeNotification$Z$a$argument list too long$d#
API String ID: 1890195054-2893979789
Opcode ID: 13c6b6ca1d525dac2d5d16254407baf5336fab22decd5e658e4dd2581b1697c8
Instruction ID: 78e6bbbc16c3ca075309286b49931a101f110299b2798a7d51a136d6a30c5ab8
Opcode Fuzzy Hash: 13c6b6ca1d525dac2d5d16254407baf5336fab22decd5e658e4dd2581b1697c8
Instruction Fuzzy Hash: FE91B271E052988EEB11CFB9D4502EDBFF1AF56340F1482AAD894B3342D3745A8ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D11F Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000014,0000003F), ref: 00B2D21F

Strings

lineNumber, xrefs: 00B2D151
', xrefs: 00B2D1DE
E, xrefs: 00B2D1CA
=, xrefs: 00B2D1D7
invalid_argument, xrefs: 00B2D18B

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: '$=$E$invalid_argument$lineNumber
API String ID: 1279760036-62853365
Opcode ID: a2a9598c0c6f96ab17fd328ceb9f9e29ab088a0ce3c626c29461de692d5a38e7
Instruction ID: f0b7a00238010f29cea59b459b9473dde3de109c72e28c303fb259ad3bdedb28
Opcode Fuzzy Hash: a2a9598c0c6f96ab17fd328ceb9f9e29ab088a0ce3c626c29461de692d5a38e7
Instruction Fuzzy Hash: A0314872E00328AFEB048F68EC46ADDB7F5EF90315F1482A5E459BB291F7746980CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D2B3 Relevance: 1.5, APIs: 1, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(00000000,00000000), ref: 00B2D2C0

Part of subcall function 00B2D25A: HeapFree.KERNEL32(00000000,00B2C92B,?), ref: 00B2D2AB

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressFreeHeapProc
String ID:
API String ID: 4280525199-0
Opcode ID: 430e64f59d13595127b78d336638fcebf5dd771e011bfbbe02d99df0f54e9fbe
Instruction ID: b39019d8d199dc3cafd039ff3535a33aad7d0d133cc0feb78b464bb3a91e7b42
Opcode Fuzzy Hash: 430e64f59d13595127b78d336638fcebf5dd771e011bfbbe02d99df0f54e9fbe
Instruction Fuzzy Hash: 9BC01222600230538624223A7C0ADABD9ED9ED66B230A00A6F808D3324DE648C0281E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B35573 Relevance: 160.1, Strings: 124, Instructions: 5066COMMON

Download Yara Rule

Strings

APPID, xrefs: 00B37BC4
bin-NG, xrefs: 00B39D7A
argument list too long, xrefs: 00B35F7A
>ZX, xrefs: 00B36E91
T, xrefs: 00B36BCF
bn-IN, xrefs: 00B37A7A
`, xrefs: 00B38A73
lineNumber, xrefs: 00B3620D, 00B39CA0
ms-MY, xrefs: 00B378F8
%lS\%lS, xrefs: 00B36BA4
!, xrefs: 00B36382
fileName, xrefs: 00B39EAD
J, xrefs: 00B39383
ti-ET, xrefs: 00B37193
not_a_socket, xrefs: 00B38A2D
message, xrefs: 00B37815
+3{m, xrefs: 00B3A3F6
address_in_use, xrefs: 00B359C9, 00B35BB1, 00B35F75, 00B36202, 00B362B3, 00B36B6F, 00B36BA3, 00B373FC, 00B38231, 00B3899A, 00B38A1B, 00B39D40, 00B39DDC
no protocol option, xrefs: 00B35855
ru-RU, xrefs: 00B35A36
ha-Latn-NG, xrefs: 00B39B4D
de-DE, xrefs: 00B399F5
/7, xrefs: 00B389D8
filename_too_long, xrefs: 00B38326
hresult, xrefs: 00B39AC4
onecoreuap\base\AppModel\Search\common\include\PrivateComActivationHelper.h, xrefs: 00B38A20
b, xrefs: 00B37E1C
threadId, xrefs: 00B37450, 00B378DA, 00B38C95
kk-KZ, xrefs: 00B37613
too many links, xrefs: 00B359FF
too many files open, xrefs: 00B359F7
L3]0, xrefs: 00B38070
HKEY_CURRENT_CONFIG, xrefs: 00B3689B
7, xrefs: 00B367CF
J$9, xrefs: 00B35989
invalid string position, xrefs: 00B38605
sr-BA-Cyrl, xrefs: 00B399D7
sw-KE, xrefs: 00B3811A
f+-, xrefs: 00B39C09
CallContext:[%hs] , xrefs: 00B37065
B, xrefs: 00B396FE
PartA_PrivTags, xrefs: 00B362DB
r, xrefs: 00B3766B
ru-RU, xrefs: 00B357AA
network_unreachable, xrefs: 00B35A16, 00B35A29, 00B361DD, 00B361FB, 00B36896, 00B368FB, 00B36B9E, 00B3721D, 00B376C3, 00B378BB, 00B380F6, 00B385D7, 00B3895C, 00B3899F, 00B389A9, 00B38C70, 00B390CD, 00B39573, 00B3A32C, 00B3A637
Locale, xrefs: 00B38DC7
TelemetryAssertDiagTrack, xrefs: 00B390FA
A, xrefs: 00B384A3
%hs(%u)\%hs!%p: , xrefs: 00B35C92
InstallDirectory, xrefs: 00B38983
Software\Microsoft\Windows Search\Tracing\EventThrottleState, xrefs: 00B376DD
permission denied, xrefs: 00B37F27
interrupted, xrefs: 00B3A041
HostProcessExecutionStop, xrefs: 00B38956
@, xrefs: 00B38A7D
operation not supported, xrefs: 00B372FD
address family not supported, xrefs: 00B387FF
callContext, xrefs: 00B38033, 00B3A535
callContext, xrefs: 00B36890
originatingContextMessage, xrefs: 00B395D8, 00B39D29
module, xrefs: 00B360A3
invalid string position, xrefs: 00B3661D
kok-IN, xrefs: 00B35BD4
destination_address_required, xrefs: 00B356F1, 00B35743, 00B35839, 00B359F2, 00B35BC7, 00B35C35, 00B35F6A, 00B366FA, 00B3688B, 00B376D8, 00B3817E, 00B382FA, 00B38951, 00B38A44, 00B38A4E, 00B38CE2, 00B39C72, 00B39F73
kn-IN, xrefs: 00B35613
km-KH, xrefs: 00B389AA
am-ET, xrefs: 00B3A3D6
Msg:[%ws] , xrefs: 00B376CD
x?84, xrefs: 00B398AD
Wadvapi32.dll, xrefs: 00B35BCC
7, xrefs: 00B392AD
PartA_PrivTags, xrefs: 00B35B80, 00B35FB4, 00B39404
onecoreuap\base\AppModel\Search\common\include\lmstr.hxx, xrefs: 00B38961
., xrefs: 00B37E5E
RtlDisownModuleHeapAllocation, xrefs: 00B3827C
ActivityStoppedAutomatically, xrefs: 00B38EC8
fa-IR, xrefs: 00B39033
no such process, xrefs: 00B38209
originatingContextName, xrefs: 00B355B1
lo-LA, xrefs: 00B37237
no lock available, xrefs: 00B38D0D
=, xrefs: 00B35637
ForceRemove, xrefs: 00B36207
sk-SK, xrefs: 00B39B91
wA, xrefs: 00B397B7, 00B397D7
M, xrefs: 00B379B4
A, xrefs: 00B362BD
wilActivity, xrefs: 00B376B3
Z, xrefs: 00B35EB1
ibb-NG, xrefs: 00B39804
wrong protocol type, xrefs: 00B373DF
protocol_not_supported, xrefs: 00B39981
b, xrefs: 00B39283
zh-CHS, xrefs: 00B38A5C
X]., xrefs: 00B386F2
Delete, xrefs: 00B364D2
0, xrefs: 00B393CB
connection_reset, xrefs: 00B38A4F
wE, xrefs: 00B38F2A
zh-HansA, xrefs: 00B37E99
O, xrefs: 00B39708
";6D, xrefs: 00B3A414
40I, xrefs: 00B36FCE
sr-SP-Cyrl, xrefs: 00B36A42
currentContextId, xrefs: 00B3793F
timed_out, xrefs: 00B35F80
my-MM, xrefs: 00B3751E
=, xrefs: 00B39318
std::exception: %hs, xrefs: 00B37D1F
connection_reset, xrefs: 00B38BCA
wilResult, xrefs: 00B389B0
ActivityStoppedAutomatically, xrefs: 00B3A355
sw-KE, xrefs: 00B36197, 00B386A1
Locale, xrefs: 00B35A2A
invalid_argument, xrefs: 00B368E2
#*, xrefs: 00B386C1
ka-GE, xrefs: 00B39E01
U)hr, xrefs: 00B373E6
Hr|, xrefs: 00B36D4B
$, xrefs: 00B388F7
onecoreuap\base\appmodel\search\search\search\gather\usractivity\waitthreadhelper.cxx, xrefs: 00B36BAA
address_in_use, xrefs: 00B392F9
"/, xrefs: 00B36D2B
gn-PY, xrefs: 00B3829E

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: wA$!$"/$";6D$#*$$$%hs(%u)\%hs!%p: $%lS\%lS$+3{m$.$/7$0$40I$7$7$=$=$@$A$A$APPID$ActivityStoppedAutomatically$ActivityStoppedAutomatically$B$CallContext:[%hs] $Delete$ForceRemove$HKEY_CURRENT_CONFIG$HostProcessExecutionStop$Hr|$InstallDirectory$J$J$9$L3]0$Locale$Locale$M$Msg:[%ws] $O$PartA_PrivTags$PartA_PrivTags$RtlDisownModuleHeapAllocation$Software\Microsoft\Windows Search\Tracing\EventThrottleState$T$TelemetryAssertDiagTrack$U)hr$Wadvapi32.dll$X].$Z$`$address family not supported$address_in_use$address_in_use$am-ET$argument list too long$b$b$bin-NG$bn-IN$callContext$callContext$connection_reset$connection_reset$currentContextId$de-DE$destination_address_required$f+-$fa-IR$fileName$filename_too_long$gn-PY$ha-Latn-NG$hresult$ibb-NG$interrupted$invalid string position$invalid string position$invalid_argument$ka-GE$kk-KZ$km-KH$kn-IN$kok-IN$lineNumber$lo-LA$message$module$ms-MY$my-MM$network_unreachable$no lock available$no protocol option$no such process$not_a_socket$onecoreuap\base\AppModel\Search\common\include\PrivateComActivationHelper.h$onecoreuap\base\AppModel\Search\common\include\lmstr.hxx$onecoreuap\base\appmodel\search\search\search\gather\usractivity\waitthreadhelper.cxx$operation not supported$originatingContextMessage$originatingContextName$permission denied$protocol_not_supported$r$ru-RU$ru-RU$sk-SK$sr-BA-Cyrl$sr-SP-Cyrl$std::exception: %hs$sw-KE$sw-KE$threadId$ti-ET$timed_out$too many files open$too many links$wE$wilActivity$wilResult$wrong protocol type$x?84$zh-CHS$zh-HansA$>ZX
API String ID: 2488874121-3677608480
Opcode ID: 86a13cd2d8de9cd746b15fbaeacae67e0bde1cc629b6d8cb58931d12db9cc5df
Instruction ID: 679213bc44a701fddf13f96c237fd6af9b356560507794e7075597985d996571
Opcode Fuzzy Hash: 86a13cd2d8de9cd746b15fbaeacae67e0bde1cc629b6d8cb58931d12db9cc5df
Instruction Fuzzy Hash: C3B3D471A042A88FDB15CFA8D8543EDBFF1AF5A300F2846E9D488A7342DB744A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00B277ED Relevance: 125.8, Strings: 98, Instructions: 3295COMMON

Download Yara Rule

Strings

&, xrefs: 00B2932E
V, xrefs: 00B28481
I, xrefs: 00B292B4
>, xrefs: 00B28C6F
c, xrefs: 00B28B30
q, xrefs: 00B28E56
$, xrefs: 00B29139
failureType, xrefs: 00B2A4D8
destination_address_required, xrefs: 00B2A880
result, xrefs: 00B29C95
PPTP00W, xrefs: 00B27D09, 00B27DF8, 00B27EE4, 00B296D9, 00B2A68A, 00B2A77E, 00B2A905
U, xrefs: 00B29310
#U, xrefs: 00B29960
isBackedOff, xrefs: 00B2877C
Interface, xrefs: 00B29017
d/!L, xrefs: 00B28068
dv-MV, xrefs: 00B28E3B
connection already in progress, xrefs: 00B28F3E
", xrefs: 00B27F2E
H, xrefs: 00B29C6A
S, xrefs: 00B29352
A, xrefs: 00B286D4
X, xrefs: 00B29418
tk-TM, xrefs: 00B2868F
#, xrefs: 00B298E3
is-IS, xrefs: 00B2A375
c, xrefs: 00B29F30
5, xrefs: 00B29817
=, xrefs: 00B29C60
^, xrefs: 00B2A16A
C, xrefs: 00B29376
], xrefs: 00B2946E
R, xrefs: 00B28477
V, xrefs: 00B292C4
', xrefs: 00B283FB
a, xrefs: 00B2A3CD
ta-IN, xrefs: 00B27909
wilActivity, xrefs: 00B29127
R(PL, xrefs: 00B2A911
(, xrefs: 00B291F2
^, xrefs: 00B298ED
', xrefs: 00B294DF
4, xrefs: 00B292F6
sl-SI, xrefs: 00B28B0B
7TR, xrefs: 00B280D7
system, xrefs: 00B280C2
originatingContextMessage, xrefs: 00B28A1F
EventThrottleBlockPeriodMs, xrefs: 00B294A0
$, xrefs: 00B293B5
d, xrefs: 00B2A8E0
P, xrefs: 00B29C74
<, xrefs: 00B293FE
3, xrefs: 00B293CF
InstallDirectory, xrefs: 00B29DF8
am-ET, xrefs: 00B299B5
=, xrefs: 00B2906B
operation_not_supported, xrefs: 00B284BF
3, xrefs: 00B2889C
@DiV, xrefs: 00B280EF
kl-GL, xrefs: 00B2A5ED
#, xrefs: 00B29F29
[, xrefs: 00B29436
onecoreuap\base\AppModel\Search\common\include\lmstr.hxx, xrefs: 00B2A143
1, xrefs: 00B292D8
operation_in_progress, xrefs: 00B2A75E
5, xrefs: 00B2936C
\X)#^, xrefs: 00B298F7
D, xrefs: 00B28DE1
PartA_PrivTags, xrefs: 00B2820A
value too large, xrefs: 00B2A23B
M, xrefs: 00B293ED
ko-KR, xrefs: 00B295CC
P, xrefs: 00B292E2
originatingContextName, xrefs: 00B28950
,, xrefs: 00B293AB
;, xrefs: 00B29F37
L, xrefs: 00B29CFB
V, xrefs: 00B293F4
PartA_PrivTags, xrefs: 00B278FD, 00B27FA8, 00B2813D, 00B28C9E, 00B29A11, 00B29B43, 00B29B93, 00B29B94, 00B2A253
FileType, xrefs: 00B29AD3
C, xrefs: 00B28426
sq-AL, xrefs: 00B27A0A
e3r, xrefs: 00B2997D
2, xrefs: 00B2A9DB
C, xrefs: 00B291FF
N3, xrefs: 00B28F30
+, xrefs: 00B29324
no link, xrefs: 00B285F4
std::exception: %hs, xrefs: 00B2A9DF
), xrefs: 00B298D9
d, xrefs: 00B283B4
7, xrefs: 00B29450
5, xrefs: 00B28859
;Qvk, xrefs: 00B280D0
si-LK, xrefs: 00B27D0E, 00B27EC0, 00B2802F, 00B29667, 00B296D8, 00B296DE, 00B299CF, 00B29A17, 00B2A469, 00B2A4A7, 00B2A690, 00B2A8B1, 00B2A904
&, xrefs: 00B27E5B
failureId, xrefs: 00B28854
B, xrefs: 00B2841C

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: "$#$#$#U$$$$$&$&$'$'$($)$+$,$1$2$3$3$4$5$5$5$7$7TR$;$;Qvk$<$=$=$>$@DiV$A$B$C$C$C$D$EventThrottleBlockPeriodMs$FileType$H$I$InstallDirectory$Interface$L$M$N3$P$P$PPTP00W$PartA_PrivTags$PartA_PrivTags$R$R(PL$S$U$V$V$V$X$[$\X)#^$]$^$^$a$am-ET$c$c$connection already in progress$d$d$d/!L$destination_address_required$dv-MV$e3r$failureId$failureType$is-IS$isBackedOff$kl-GL$ko-KR$no link$onecoreuap\base\AppModel\Search\common\include\lmstr.hxx$operation_in_progress$operation_not_supported$originatingContextMessage$originatingContextName$q$result$si-LK$sl-SI$sq-AL$std::exception: %hs$system$ta-IN$tk-TM$value too large$wilActivity
API String ID: 0-1554866968
Opcode ID: 159a5c2eb45c5326b2b5f8a05dfa8b5e37d101d1bd32a000dd2c0717cbe4faf7
Instruction ID: 57ed1dc1d4cfb9c72775237d8262f7b2b1314adb112c8abf4dd0149a11a38733
Opcode Fuzzy Hash: 159a5c2eb45c5326b2b5f8a05dfa8b5e37d101d1bd32a000dd2c0717cbe4faf7
Instruction Fuzzy Hash: 7363F931E052A88FDB15CFA9A8947DDBBF1AF59300F1486FAD89CA7342C6745A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B184A8 Relevance: 87.4, Strings: 69, Instructions: 1154COMMON

Download Yara Rule

Strings

4, xrefs: 00B18F88
6, xrefs: 00B18930
D, xrefs: 00B191D3
8, xrefs: 00B18BDE
Y, xrefs: 00B1893A
+, xrefs: 00B18B50
`, xrefs: 00B18C88
Z, xrefs: 00B19041
R, xrefs: 00B18B32
3, xrefs: 00B18B00
", xrefs: 00B19331
V, xrefs: 00B18750
., xrefs: 00B18F6E
;, xrefs: 00B1864A
`, xrefs: 00B18DBC
%, xrefs: 00B1867F
F, xrefs: 00B19313
D, xrefs: 00B18C5A
^, xrefs: 00B19327
", xrefs: 00B18714
8, xrefs: 00B18DE4
B, xrefs: 00B18D5C
8, xrefs: 00B18DA8
[, xrefs: 00B18E40
/, xrefs: 00B18CC4
K, xrefs: 00B18B78
,, xrefs: 00B18D48
W, xrefs: 00B18C16
+, xrefs: 00B18732
S, xrefs: 00B186AA
8, xrefs: 00B18BF8
X, xrefs: 00B18EEA
7, xrefs: 00B190B7
0, xrefs: 00B19498
c, xrefs: 00B18778
], xrefs: 00B18C02
a, xrefs: 00B18CA2
H, xrefs: 00B18D8E
C, xrefs: 00B19550
K, xrefs: 00B1931D
>, xrefs: 00B18E22
O, xrefs: 00B18544
1, xrefs: 00B1875A
G, xrefs: 00B18675
d, xrefs: 00B1894E
0, xrefs: 00B18C50
,, xrefs: 00B184C8
@, xrefs: 00B19564
E, xrefs: 00B19055
@, xrefs: 00B18D52
P, xrefs: 00B18D70
, xrefs: 00B194A2
LogHr, xrefs: 00B184E0, 00B184E5, 00B18527, 00B1888F, 00B19270, 00B193D2
T, xrefs: 00B18631
I, xrefs: 00B18E08
*, xrefs: 00B18E4A
ky-KG, xrefs: 00B1900D, 00B1942A, 00B1959C
N, xrefs: 00B186F3
M, xrefs: 00B1948E
@, xrefs: 00B18F7E
$, xrefs: 00B18C7E
^, xrefs: 00B18B1E
, xrefs: 00B185FF
Module, xrefs: 00B1935F, 00B193FF
', xrefs: 00B191BD
^, xrefs: 00B18D34
^, xrefs: 00B18CB0
d, xrefs: 00B18CD8
<, xrefs: 00B18C32

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $ $"$"$$$%$'$*$+$+$,$,$.$/$0$0$1$3$4$6$7$8$8$8$8$;$<$>$@$@$@$B$C$D$D$E$F$G$H$I$K$K$LogHr$M$Module$N$O$P$R$S$T$V$W$X$Y$Z$[$]$^$^$^$^$`$`$a$c$d$d$ky-KG
API String ID: 0-1522384126
Opcode ID: 570cec24fd7cc4e25d17a2bec5d602dfc5966513b9ef4c76f46bc1aca7814916
Instruction ID: 7ee020b087d91fb13088e93435473428636506c2d8bc6605d7935122acf4f897
Opcode Fuzzy Hash: 570cec24fd7cc4e25d17a2bec5d602dfc5966513b9ef4c76f46bc1aca7814916
Instruction Fuzzy Hash: C8B29D71D046598BEB25CF78DC953DDBBB0AF56304F1483DAD058BA292DB752AC28F00

Uniqueness

Uniqueness Score: -1.00%

Function 00B4AE0C Relevance: 72.7, Strings: 56, Instructions: 2720COMMON

Download Yara Rule

Strings

H, xrefs: 00B4D7FE
, xrefs: 00B4CD90
string too long, xrefs: 00B4C5B1
V2Pl, xrefs: 00B4CF8B
;, xrefs: 00B4CC6D
', xrefs: 00B4DAA0
V, xrefs: 00B4D550
5, xrefs: 00B4AF20
=, xrefs: 00B4D741
L, xrefs: 00B4D40A
E, xrefs: 00B4B3C2
lineNumber, xrefs: 00B4B6CE
unknown error, xrefs: 00B4C25D
,2:s, xrefs: 00B4B599
&, xrefs: 00B4BCE2
Q, xrefs: 00B4D8A9
d, xrefs: 00B4C896
", xrefs: 00B4CD48
PartA_PrivTags, xrefs: 00B4B4ED
4, xrefs: 00B4DAC8
ur-PK, xrefs: 00B4CB7A
HostProcessExecutionStop, xrefs: 00B4B1C3, 00B4B243, 00B4B2E6, 00B4BAA0, 00B4BD1C, 00B4C1C0, 00B4C3C2, 00B4CA27, 00B4CFB5, 00B4D048, 00B4D049, 00B4D0DA, 00B4D483, 00B4D98C
5, xrefs: 00B4CCF3
I, xrefs: 00B4CD98
9, xrefs: 00B4AF41
(, xrefs: 00B4C01A
H, xrefs: 00B4B2A1
e, xrefs: 00B4C0EF
Z, xrefs: 00B4BFC4
!, xrefs: 00B4C664
P, xrefs: 00B4C26E
>, xrefs: 00B4DABD
wrong protocol type, xrefs: 00B4CF96
=, xrefs: 00B4D42B
RtlNtStatusToDosErrorNoTeb, xrefs: 00B4B16B
%iG@, xrefs: 00B4B080
6, xrefs: 00B4C513
originatingContextMessage, xrefs: 00B4B389, 00B4B456, 00B4BA24, 00B4BB2F, 00B4C14B, 00B4C185, 00B4CB00, 00B4D62C
Y, xrefs: 00B4C049
&, xrefs: 00B4D8D6
ja-JP, xrefs: 00B4D186
], xrefs: 00B4D1BA
sr-SP-Cyrl, xrefs: 00B4C937, 00B4CA08
currentContextMessage, xrefs: 00B4B3B6, 00B4B3E0, 00B4B573, 00B4C9B7, 00B4D608, 00B4D67D
#, xrefs: 00B4C05A
4, xrefs: 00B4D415
file exists, xrefs: 00B4C097
sr-SP-Latn, xrefs: 00B4B86D
!, xrefs: 00B4DAAD
:, xrefs: 00B4D749
5, xrefs: 00B4D013
address family not supported, xrefs: 00B4C735
callContext, xrefs: 00B4AF7E
!{,, xrefs: 00B4B58E
currentContextName, xrefs: 00B4BA0C
3, xrefs: 00B4BFED

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: Heap$AddressAllocateFreeProc
String ID: $!$!$!{,$"$#$%iG@$&$&$'$($,2:s$3$4$4$5$5$5$6$9$:$;$=$=$>$E$H$H$HostProcessExecutionStop$I$L$P$PartA_PrivTags$Q$RtlNtStatusToDosErrorNoTeb$V$V2Pl$Y$Z$]$address family not supported$callContext$currentContextMessage$currentContextName$d$e$file exists$ja-JP$lineNumber$originatingContextMessage$sr-SP-Cyrl$sr-SP-Latn$string too long$unknown error$ur-PK$wrong protocol type
API String ID: 886897068-1189956828
Opcode ID: 68c8aeffb7715594d27b005aa338532bad515538e88e83ec87efc1e2fc7727ed
Instruction ID: 1b8d0a2c4b8d40b5824ce9666657ac3e91fa511aa0e4082bd392d983cff31f1c
Opcode Fuzzy Hash: 68c8aeffb7715594d27b005aa338532bad515538e88e83ec87efc1e2fc7727ed
Instruction Fuzzy Hash: E343CB7150C3808FD325DF38D4517EAFBE0AFDA308F148A6EE5D8A7292E77495858B42

Uniqueness

Uniqueness Score: -1.00%

Function 00B4556C Relevance: 62.9, Strings: 48, Instructions: 2935COMMON

Download Yara Rule

Strings

Q, xrefs: 00B477A3
-, xrefs: 00B48360
APPID, xrefs: 00B478E1
B, xrefs: 00B465FD
device or resource busy, xrefs: 00B46DE0
;, xrefs: 00B4748D
is-IS, xrefs: 00B458B3
(, xrefs: 00B45B7E
b, xrefs: 00B45852
}, xrefs: 00B477E2
tWU,, xrefs: 00B4593A
Q, xrefs: 00B47135
(, xrefs: 00B4737D
1, xrefs: 00B47BA4
s, xrefs: 00B45DDB
:, xrefs: 00B474F6
too many links, xrefs: 00B45F6D
?, xrefs: 00B46BA4
H, xrefs: 00B47F6C
CallContext:[%hs] , xrefs: 00B45DCA
onecoreuap\base\appmodel\search\common\pkmutild\cregistry.cxx, xrefs: 00B460E6
currentContextId, xrefs: 00B46C47
:, xrefs: 00B47E69
eu-ES, xrefs: 00B4776B
8, xrefs: 00B467B8
ig-NG, xrefs: 00B47207
b, xrefs: 00B48034
wilResult, xrefs: 00B467DB
6, xrefs: 00B45B65
la-001, xrefs: 00B46901
b, xrefs: 00B47C7B
', xrefs: 00B47566
originatingContextName, xrefs: 00B45F4B, 00B4654C, 00B47300, 00B4796B, 00B48149
., xrefs: 00B48557
O, xrefs: 00B47D33
>, xrefs: 00B458E6
G, xrefs: 00B47D49
>, xrefs: 00B471D4
2, xrefs: 00B47BD0
G, xrefs: 00B4854C
A, xrefs: 00B47D29
%lS\%lS, xrefs: 00B45721, 00B461C1, 00B473D6, 00B47921, 00B47A3D, 00B47DCB
#, xrefs: 00B47BD8
operation not supported, xrefs: 00B456A4, 00B456D4, 00B45710, 00B45751, 00B457B2, 00B4631E, 00B463B3, 00B464DB, 00B46723, 00B4679B, 00B46A1F, 00B46EBF, 00B47CAC, 00B48268
b, xrefs: 00B4756E
currentContextName, xrefs: 00B45BF4
originatingContextName, xrefs: 00B45A49
ee, xrefs: 00B4597C

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: Heap$AddressAllocateFreeProc
String ID: #$%lS\%lS$'$($($-$.$1$2$6$8$:$:$;$>$>$?$A$APPID$B$CallContext:[%hs] $G$G$H$O$Q$Q$b$b$b$b$currentContextId$currentContextName$device or resource busy$ee$eu-ES$ig-NG$is-IS$la-001$onecoreuap\base\appmodel\search\common\pkmutild\cregistry.cxx$operation not supported$originatingContextName$originatingContextName$s$tWU,$too many links$wilResult$}
API String ID: 886897068-1057399954
Opcode ID: 206dc046a7a9ce20204528313c5254f06bd7e465efb7a65c59beedba7ba8389c
Instruction ID: 8cec48108b8a6082da93107464539ab153f42b3a3ff9460b35e24608eaa745ca
Opcode Fuzzy Hash: 206dc046a7a9ce20204528313c5254f06bd7e465efb7a65c59beedba7ba8389c
Instruction Fuzzy Hash: 7E53ED7150C7808FD325DF38D89139EFBE1AFDA308F148A6EE1D897292DB7495858B42

Uniqueness

Uniqueness Score: -1.00%

Function 00B16360 Relevance: 60.6, Strings: 48, Instructions: 650COMMON

Download Yara Rule

Strings

, xrefs: 00B1639C
R, xrefs: 00B166F6
J, xrefs: 00B165CC
7, xrefs: 00B164AA
P, xrefs: 00B16478
c10, xrefs: 00B16C9A
B, xrefs: 00B16566
(, xrefs: 00B16902
C, xrefs: 00B1660A
Q, xrefs: 00B1658A
[, xrefs: 00B16812
T, xrefs: 00B16999
6, xrefs: 00B1681E
1, xrefs: 00B16C4C
Y, xrefs: 00B16542
D, xrefs: 00B16694
:, xrefs: 00B16779
1, xrefs: 00B16783
c, xrefs: 00B16832
H, xrefs: 00B165B2
X, xrefs: 00B1648C
G, xrefs: 00B1698F
=, xrefs: 00B169A9
[, xrefs: 00B16725
S, xrefs: 00B166E2
2, xrefs: 00B165E6
M, xrefs: 00B16594
no_buffer_space, xrefs: 00B16B7D, 00B16CAF
I, xrefs: 00B1661E
,, xrefs: 00B164FA
], xrefs: 00B166EC
A, xrefs: 00B164A0
T, xrefs: 00B1676F
X, xrefs: 00B166CE
., xrefs: 00B16828
?, xrefs: 00B1652E
>, xrefs: 00B1673D
", xrefs: 00B1671E
$, xrefs: 00B1675B
0, xrefs: 00B16C59
zh-CHS, xrefs: 00B16853, 00B1685B
E, xrefs: 00B16482
W, xrefs: 00B164DC
D, xrefs: 00B164BE
V, xrefs: 00B164C8
A, xrefs: 00B168EC
!, xrefs: 00B16556
V, xrefs: 00B16747

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$$$($,$.$0$1$1$2$6$7$:$=$>$?$A$A$B$C$D$D$E$G$H$I$J$M$P$Q$R$S$T$T$V$V$W$X$X$Y$[$[$]$c$c10$no_buffer_space$zh-CHS
API String ID: 0-4018895200
Opcode ID: e306e7c737bbde3d1899fb5b25530d73d0ca87703d39fc7055f888f678ce7d54
Instruction ID: ef9cbf2aa9c205b570e84c09df62a6c377f6cc25c6ca9795ea5607ad6551090d
Opcode Fuzzy Hash: e306e7c737bbde3d1899fb5b25530d73d0ca87703d39fc7055f888f678ce7d54
Instruction Fuzzy Hash: BA528F71C152598BDB25CF38C9563DCFBB0AF5A348F1493DAD058B6292EB752AC28F04

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B2ED Relevance: 57.2, Strings: 45, Instructions: 943COMMON

Download Yara Rule

Strings

wilActivity, xrefs: 00B1B4E4
`, xrefs: 00B1B9D7
@, xrefs: 00B1C0CE
I, xrefs: 00B1C060
P, xrefs: 00B1B900
-, xrefs: 00B1BE4B
FilterProcessBackoff, xrefs: 00B1B638, 00B1BA4E, 00B1BCB3
HostProcessExecution, xrefs: 00B1B34E
argument out of domain, xrefs: 00B1B879
E, xrefs: 00B1B8C4
A, xrefs: 00B1C131
', xrefs: 00B1C056
M, xrefs: 00B1B7E6
A, xrefs: 00B1B7F0
+, xrefs: 00B1B55E
-, xrefs: 00B1B304
SECURITY, xrefs: 00B1B47A
sr-Cyrl-BA, xrefs: 00B1B5F3
L, xrefs: 00B1B760
+, xrefs: 00B1B8F6
NtQueryWnfStateData, xrefs: 00B1B445, 00B1B473, 00B1B4FC, 00B1B798, 00B1B950
E, xrefs: 00B1BA3A
`, xrefs: 00B1BDD4
address not available, xrefs: 00B1B85B
S, xrefs: 00B1BF97
E, xrefs: 00B1BDDE
), xrefs: 00B1BFFC
c, xrefs: 00B1C0E6
S, xrefs: 00B1B6C4
%, xrefs: 00B1C107
+, xrefs: 00B1C04C
D, xrefs: 00B1B7FA
#, xrefs: 00B1C08B
., xrefs: 00B1B595
-, xrefs: 00B1BFA1
%, xrefs: 00B1BA30
6, xrefs: 00B1B8E7
7, xrefs: 00B1C095
3, xrefs: 00B1C006
]gS, xrefs: 00B1B3BB
onecoreuap\base\AppModel\Search\common\include\errormsg_common.hxx, xrefs: 00B1B622
message, xrefs: 00B1B96B
T, xrefs: 00B1C0A5
D, xrefs: 00B1B648
8, xrefs: 00B1B652

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: #$%$%$'$)$+$+$+$-$-$-$.$3$6$7$8$@$A$A$D$D$E$E$E$FilterProcessBackoff$HostProcessExecution$I$L$M$NtQueryWnfStateData$P$S$S$SECURITY$T$`$`$address not available$argument out of domain$c$message$onecoreuap\base\AppModel\Search\common\include\errormsg_common.hxx$sr-Cyrl-BA$wilActivity$]gS
API String ID: 0-2953502772
Opcode ID: a08d056200f8393b4230f88cfc169f6db4ef580ccc64137eaeae5bf656291d85
Instruction ID: 2674d193debbfd379def2cd1ffa356e61c2633624507d4e7dd1923d04815b4b8
Opcode Fuzzy Hash: a08d056200f8393b4230f88cfc169f6db4ef580ccc64137eaeae5bf656291d85
Instruction Fuzzy Hash: DD92BCB1D042688FEB14CF68D885BDDBBB0AF49314F2482DAD559BB292D7751AC2CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B5682C Relevance: 50.4, Strings: 39, Instructions: 1693COMMON

Download Yara Rule

Strings

W:M, xrefs: 00B56C04
_, xrefs: 00B57E0B
po-, xrefs: 00B577CD
assertVersion, xrefs: 00B57656
Cwp, xrefs: 00B57EC9
K, xrefs: 00B57B82
\, xrefs: 00B56E90
$, xrefs: 00B57C82
>, xrefs: 00B574ED
K, xrefs: 00B57CE9
V, xrefs: 00B57C8C
H, xrefs: 00B56A95
W, xrefs: 00B581C7
lineNumber, xrefs: 00B57A41
+, xrefs: 00B56BD5
SO1-, xrefs: 00B56A30
!, xrefs: 00B577EC
not_connected, xrefs: 00B57EDA
fileName, xrefs: 00B57910
km-KH, xrefs: 00B56EF3
connection reset, xrefs: 00B57015
$, xrefs: 00B581D7
NtUpdateWnfStateData, xrefs: 00B56877
operation would block, xrefs: 00B577A8
AB, xrefs: 00B568AF
", xrefs: 00B57C78
fr-FR, xrefs: 00B57B42
Y, xrefs: 00B574E6
currentContextMessage, xrefs: 00B56B6E
C, xrefs: 00B574DC
<unknown>, xrefs: 00B57FF0
Q7, xrefs: 00B57497
VAu, xrefs: 00B56BF0
c, xrefs: 00B56A9C
xh-ZA, xrefs: 00B57DC8
originatingContextMessage, xrefs: 00B580D3
(, xrefs: 00B57475
a, xrefs: 00B56A5B
RtlSubscribeWnfStateChangeNotification, xrefs: 00B56D2B, 00B56D68, 00B570C1, 00B57139, 00B571E7, 00B572ED, 00B57438, 00B5754E, 00B57687, 00B5781E, 00B578AD, 00B579E9

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressFreeHeapProc
String ID: !$"$$$$$($+$<unknown>$>$AB$C$Cwp$H$K$K$NtUpdateWnfStateData$Q7$RtlSubscribeWnfStateChangeNotification$SO1-$V$W$Y$\$_$a$assertVersion$c$connection reset$currentContextMessage$fileName$fr-FR$km-KH$lineNumber$not_connected$operation would block$originatingContextMessage$po-$xh-ZA$VAu$W:M
API String ID: 4280525199-292557719
Opcode ID: 25f6531c457735ea732deafcd33672e159f6b6b4258b91d1bc3bcc82e6bb2e30
Instruction ID: 51b1b547fda0cd81506ae2a53ce731c6e223deeaee753b6004707ca7a7f22dbf
Opcode Fuzzy Hash: 25f6531c457735ea732deafcd33672e159f6b6b4258b91d1bc3bcc82e6bb2e30
Instruction Fuzzy Hash: A2F2BF71E182A88FDB15CFA9D8513EDBBF1AF59300F1481EAD898A7342D7744A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2EF16 Relevance: 50.2, Strings: 39, Instructions: 1425COMMON

Download Yara Rule

Strings

\, xrefs: 00B2FB83
ne-NP, xrefs: 00B2F5A1
n=, xrefs: 00B2FB6C
sr-Latn-CS, xrefs: 00B2FCBF
U9., xrefs: 00B2F6CF
2, xrefs: 00B2FF41
RtlUnregisterFeatureConfigurationChangeNotification, xrefs: 00B2FDC5
m, xrefs: 00B302AD
S, xrefs: 00B301D9
a, xrefs: 00B2FAF0
I, xrefs: 00B30055
M, xrefs: 00B2FC47
', xrefs: 00B2F5E1
AppID, xrefs: 00B2FB43
S, xrefs: 00B2F7E2
3, xrefs: 00B2FACC
4, xrefs: 00B2FC3D
fileName, xrefs: 00B2F9AE
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00B2F00E, 00B2F114, 00B2F217, 00B2F2FF, 00B2F693, 00B2FE2C, 00B2FEF2, 00B301F5, 00B30321
_, xrefs: 00B2FC2D
/, xrefs: 00B2F6DB
PartA_PrivTags, xrefs: 00B2EF67, 00B2F29B
onecoreuap\base\appmodel\search\search\search\gather\fltrhost\fltrhost.cxx, xrefs: 00B2EF2B, 00B2F3C7, 00B2F4AE, 00B2F745, 00B2FFB7
function, xrefs: 00B2F874
/, xrefs: 00B30024
hresult, xrefs: 00B302E5
[, xrefs: 00B2F7CE
read only file system, xrefs: 00B2F157
illegal byte sequence, xrefs: 00B2F6D6
$, xrefs: 00B3000F
., xrefs: 00B2F312
X, xrefs: 00B2FAE2
Y, xrefs: 00B2F575
&, xrefs: 00B2F2A0
threadId, xrefs: 00B300B5
5, xrefs: 00B2FB78
T, xrefs: 00B2FA88
,, xrefs: 00B2F7F6
filename_too_long, xrefs: 00B2F447

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $$&$'$,$/$/$2$3$4$5$AppID$I$M$PartA_PrivTags$RtlUnregisterFeatureConfigurationChangeNotification$S$S$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}$T$U9.$X$Y$[$\$_$a$fileName$filename_too_long$function$hresult$illegal byte sequence$m$n=$ne-NP$onecoreuap\base\appmodel\search\search\search\gather\fltrhost\fltrhost.cxx$read only file system$sr-Latn-CS$threadId$.
API String ID: 0-2740653080
Opcode ID: de0a1d23ab02d967f0c41ddf52f5bb684eb419db2a4801e49c1db715cfeddc65
Instruction ID: cb385b527516e28c7b1f8c6d5ed6b493e9d8804929b38edb6c3d88d727fa76e5
Opcode Fuzzy Hash: de0a1d23ab02d967f0c41ddf52f5bb684eb419db2a4801e49c1db715cfeddc65
Instruction Fuzzy Hash: 84D2C831A042A98FDB15CFA9E8903EDBBF1AF59300F1445FAD89CE7342D6744A85CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E441 Relevance: 47.5, Strings: 37, Instructions: 1297COMMON

Download Yara Rule

Strings

zh-CHT, xrefs: 00B3F1B3
result, xrefs: 00B3EE44
originatingContextName, xrefs: 00B3EB58, 00B3EB6E, 00B3EF24, 00B3F675
R, xrefs: 00B3F60E
`, xrefs: 00B3EDA0
-, xrefs: 00B3F32A
sr-SP-Cyrl, xrefs: 00B3E6DD, 00B3E6E8, 00B3F359
sr-Cyrl-BA, xrefs: 00B3EA52
3H, xrefs: 00B3EE08
Delete, xrefs: 00B3EF44
1, xrefs: 00B3F33F
J, xrefs: 00B3F338
se-NO, xrefs: 00B3F51B
no such file or directory, xrefs: 00B3E71E
cross device link, xrefs: 00B3E5BC
Z), xrefs: 00B3E736
onecoreuap\base\appmodel\search\search\search\gather\usractivity\waitthreadhelper.cxx, xrefs: 00B3EE51
currentContextId, xrefs: 00B3E820
M, xrefs: 00B3E75E
wilActivity, xrefs: 00B3E44C
module, xrefs: 00B3E945
<, xrefs: 00B3F45C
E', xrefs: 00B3E4EE
!, xrefs: 00B3EF67
host_unreachable, xrefs: 00B3F05D
;, xrefs: 00B3F037
&, xrefs: 00B3F2DB
", xrefs: 00B3F331
|, xrefs: 00B3EE1F
XH@}, xrefs: 00B3E8CA
address family not supported, xrefs: 00B3EBDB
/, xrefs: 00B3ED96
l, xrefs: 00B3E4F7
:, xrefs: 00B3F543
PartA_PrivTags, xrefs: 00B3F181
EventThrottleFlushPeriodMs, xrefs: 00B3F15D
Software\Microsoft\Windows Search\Tracing\EventThrottleState, xrefs: 00B3F3E7

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: !$"$&$-$/$1$3H$:$;$<$Delete$E'$EventThrottleFlushPeriodMs$J$M$PartA_PrivTags$R$Software\Microsoft\Windows Search\Tracing\EventThrottleState$XH@}$Z)$`$address family not supported$cross device link$currentContextId$host_unreachable$l$module$no such file or directory$onecoreuap\base\appmodel\search\search\search\gather\usractivity\waitthreadhelper.cxx$originatingContextName$result$se-NO$sr-Cyrl-BA$sr-SP-Cyrl$wilActivity$zh-CHT$|
API String ID: 3298025750-1342568755
Opcode ID: 984de7525d3e3861ce3fe3e33b0fd7b3271ee74f918e9d5ab72ed8869c44ce3f
Instruction ID: 88a020edd612b03b0a78a75d531ace82918784a6c92296be951cd23dda31068a
Opcode Fuzzy Hash: 984de7525d3e3861ce3fe3e33b0fd7b3271ee74f918e9d5ab72ed8869c44ce3f
Instruction Fuzzy Hash: 37C2C631E052988FDB16CFA898507EDBFF1AF59300F1846E9D898A7382D7758A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B20FCC Relevance: 46.1, Strings: 36, Instructions: 1093COMMON

Download Yara Rule

Strings

EventThrottleMaxControlPeriodMs, xrefs: 00B21404
et-EE, xrefs: 00B21AC1, 00B21BBE, 00B22194
*, xrefs: 00B21EBD
U, xrefs: 00B21ECB
Rn, xrefs: 00B21439
&, xrefs: 00B21417
A, xrefs: 00B2146B
7, xrefs: 00B21C67
h, xrefs: 00B21043
D, xrefs: 00B21DDE
M, xrefs: 00B212C7
`, xrefs: 00B21D83
/, xrefs: 00B212D1
HKEY_PERFORMANCE_DATA, xrefs: 00B216FA
I, xrefs: 00B21C60
ActivityError, xrefs: 00B22017
result, xrefs: 00B218BF
O, xrefs: 00B212B3
J, xrefs: 00B2113D
AppID, xrefs: 00B21099, 00B2117E, 00B21394, 00B214A1, 00B21767, 00B21C4D, 00B21CC9, 00B21E0C, 00B21F8C
bOO/, xrefs: 00B21218
>, xrefs: 00B21EC4
$, xrefs: 00B21133
O/, xrefs: 00B211EB
2, xrefs: 00B21464
currentContextMessage, xrefs: 00B21EF2
de-DE, xrefs: 00B217FB, 00B220E5
G, xrefs: 00B21DAD
|B, xrefs: 00B220C5
resource unavailable try again, xrefs: 00B21573
M, xrefs: 00B21DEB
X7, xrefs: 00B2205C
9, xrefs: 00B21151
C, xrefs: 00B21DCE
1, xrefs: 00B212BD
lb-LU, xrefs: 00B21A32

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $$&$*$/$1$2$7$9$>$A$ActivityError$AppID$C$D$EventThrottleMaxControlPeriodMs$G$HKEY_PERFORMANCE_DATA$I$J$M$M$O$O/$Rn$U$X7$`$bOO/$currentContextMessage$de-DE$et-EE$h$lb-LU$resource unavailable try again$result$|B
API String ID: 0-1831932925
Opcode ID: 3f92b33d83f03113cfd984bc4720d977774dfeed1e4ba7e3a7a9b657fc2cfa1d
Instruction ID: e42e3725e6b0a4d34059db476e88197a1aa83f76a1f84e387c730a0060cd105b
Opcode Fuzzy Hash: 3f92b33d83f03113cfd984bc4720d977774dfeed1e4ba7e3a7a9b657fc2cfa1d
Instruction Fuzzy Hash: FDB2CE71D052A88BEB16CFA9E8443DCBBF1AF59304F1486EAD88CAB341D7745A85CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C1D6 Relevance: 43.0, Strings: 34, Instructions: 489COMMON

Download Yara Rule

Strings

3, xrefs: 00B1C657
@, xrefs: 00B1C639
", xrefs: 00B1C44B
T, xrefs: 00B1C828
M, xrefs: 00B1C556
d, xrefs: 00B1C989
B, xrefs: 00B1C603
c, xrefs: 00B1C767
lineNumber, xrefs: 00B1C28C
b, xrefs: 00B1C47B
#, xrefs: 00B1C233
, xrefs: 00B1C916
B, xrefs: 00B1C6C7
J, xrefs: 00B1C5B9
;, xrefs: 00B1C249
!, xrefs: 00B1C5CD
c, xrefs: 00B1C902
X, xrefs: 00B1C87C
[, xrefs: 00B1C467
:, xrefs: 00B1C3EF
G, xrefs: 00B1C90C
+, xrefs: 00B1C5D7
H, xrefs: 00B1C224
7, xrefs: 00B1C7C8
^, xrefs: 00B1C886
$, xrefs: 00B1C6FE
message, xrefs: 00B1C22E
`, xrefs: 00B1C4A0
!, xrefs: 00B1C872
,, xrefs: 00B1C643
(, xrefs: 00B1C54C
`, xrefs: 00B1C947
3, xrefs: 00B1C3BF
O, xrefs: 00B1C64D

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $!$!$"$#$$$($+$,$3$3$7$:$;$@$B$B$G$H$J$M$O$T$X$[$^$`$`$b$c$c$d$lineNumber$message
API String ID: 0-2955436240
Opcode ID: 3e9e9dedd5df7f09522747fd8d8381826f731fcf5dff30037e74253cbccb6cdd
Instruction ID: 54dcfe39dffd5e13f77741a62b60cb2c6a7d77bcd33b4e7994b78c5a970bb475
Opcode Fuzzy Hash: 3e9e9dedd5df7f09522747fd8d8381826f731fcf5dff30037e74253cbccb6cdd
Instruction Fuzzy Hash: E722ABB1D043688BDB21CF78D8853DDBBB1AF5A304F1086DAC599B7282D7B52AC58F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B31B09 Relevance: 42.4, Strings: 33, Instructions: 1136COMMON

Download Yara Rule

Strings

e-mq, xrefs: 00B31EB5
R379, xrefs: 00B31EFE
l, xrefs: 00B32811
s, xrefs: 00B31D78
executable format error, xrefs: 00B32669
HostProcessExecution, xrefs: 00B32D35
K, xrefs: 00B31DB6
k:mD, xrefs: 00B32A7E
2<-&, xrefs: 00B31F3C
zh-Hant, xrefs: 00B32036, 00B32900, 00B3291A, 00B32E29, 00B32E93
gu-IN, xrefs: 00B32198
originatingContextName, xrefs: 00B31B47, 00B32581, 00B326CF, 00B32EA6
0, xrefs: 00B31C68
.Bu{failureId, xrefs: 00B31B87, 00B3216F, 00B324A3, 00B325C2, 00B3267B, 00B32717, 00B327C2, 00B3290A, 00B32943, 00B3297F, 00B32A16, 00B32DCC
timed_out, xrefs: 00B32B8B
B, xrefs: 00B32CCB
KV, xrefs: 00B31FFB
sr-BA-Latn, xrefs: 00B3294D
PartA_PrivTags, xrefs: 00B32420
R, xrefs: 00B32CC4
`, xrefs: 00B31D71
Fbad allocation, xrefs: 00B327A3
'R, xrefs: 00B31D93
2v?, xrefs: 00B32A75
p u, xrefs: 00B32085
%hs!%p: , xrefs: 00B3250B
ks-Arab, xrefs: 00B32384, 00B328DA, 00B32CB8, 00B32E87, 00B32E92
B, xrefs: 00B31F55
currentContextName, xrefs: 00B32A66
6, xrefs: 00B31DBD
=, xrefs: 00B31EA1
8B, xrefs: 00B3230C
invalid string position, xrefs: 00B322DF

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: %hs!%p: $'R$.Bu{failureId$0$2<-&$2v?$6$8B$=$B$B$Fbad allocation$HostProcessExecution$K$KV$PartA_PrivTags$R$R379$`$currentContextName$e-mq$executable format error$gu-IN$invalid string position$k:mD$ks-Arab$originatingContextName$s$sr-BA-Latn$timed_out$zh-Hant$l$p u
API String ID: 0-98647790
Opcode ID: f5a40e020249c264974185b8c2e82627a0fea09257c7fb371e29ba62fe59c3e3
Instruction ID: 295d3f531d1543de5242425d577c4d1038f72dbb433a4f6d98b72d4c3ff0b89c
Opcode Fuzzy Hash: f5a40e020249c264974185b8c2e82627a0fea09257c7fb371e29ba62fe59c3e3
Instruction Fuzzy Hash: 0EC2C271A083A88FDB16CFA898543ECBFF1AF15310F2846E9D488BB352D6744A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00B4FDA0 Relevance: 39.3, Strings: 30, Instructions: 1817COMMON

Download Yara Rule

Strings

network_reset, xrefs: 00B5015B, 00B50DF0, 00B50F01, 00B50FFF, 00B51040
#, xrefs: 00B50A25
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported, xrefs: 00B51750
K, xrefs: 00B51187
], xrefs: 00B513E1
'3, xrefs: 00B5138C
4], xrefs: 00B506A0
k', xrefs: 00B50A1C
no such file or directory, xrefs: 00B50B59
L, xrefs: 00B511B4
FallbackError, xrefs: 00B515EF
_, xrefs: 00B51034
too many links, xrefs: 00B4FDE6
currentContextName, xrefs: 00B4FE9A, 00B4FFDB, 00B500E6, 00B500F1, 00B507EA, 00B50B06, 00B50DC9, 00B51782, 00B517E7
fi-FI, xrefs: 00B4FF56, 00B5070E
]7IG, xrefs: 00B51542
", xrefs: 00B51347
^, xrefs: 00B50477
]7IG, xrefs: 00B511A1
timed_out, xrefs: 00B5102F
hy-AM, xrefs: 00B5001D
W, xrefs: 00B50A8F
currentContextMessage, xrefs: 00B50685, 00B5084D
address not available, xrefs: 00B505E4, 00B508D6, 00B50ED6, 00B51291, 00B5185F, 00B519C0
9, xrefs: 00B5035A
J, xrefs: 00B51385
R, xrefs: 00B504D2
+, xrefs: 00B5137E
Y, xrefs: 00B51377
invalid string position, xrefs: 00B504AA

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: Heap$AddressAllocateFreeProc
String ID: "$#$'3$+$4]$9$FallbackError$J$K$L$R$Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported$W$Y$]$]7IG$]7IG$^$address not available$currentContextMessage$currentContextName$fi-FI$hy-AM$invalid string position$k'$network_reset$no such file or directory$timed_out$too many links$_
API String ID: 886897068-447876904
Opcode ID: ce6a0ddff5a28a67766a843585afb57b93a9419ea3fe3f4c90e1a2ccdcbd98d8
Instruction ID: ca39d90c5cc5feb790518548f50cd767d583fad5fced2466d20cf998a454ddc1
Opcode Fuzzy Hash: ce6a0ddff5a28a67766a843585afb57b93a9419ea3fe3f4c90e1a2ccdcbd98d8
Instruction Fuzzy Hash: AA03BE71D042A88FDB15CFA8D8553EDBBF1AF59300F2482EAD858B7382D7745A868F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B51B26 Relevance: 39.0, Strings: 30, Instructions: 1511COMMON

Download Yara Rule

Strings

/, xrefs: 00B52B04
9)<, xrefs: 00B521BA
W, xrefs: 00B53132
q, xrefs: 00B51FB9
Rp, xrefs: 00B52E0D
message, xrefs: 00B520BB, 00B520C1
S`, xrefs: 00B51FB3
_, xrefs: 00B52A76
5, xrefs: 00B52F2B
3., xrefs: 00B51F28
failureType, xrefs: 00B5206A, 00B52DC9
Z, xrefs: 00B5312B
+, xrefs: 00B531F6
%, xrefs: 00B51DCC
B, xrefs: 00B526C4
hresult, xrefs: 00B51DC1, 00B51DC7, 00B527FE, 00B52805, 00B5280C, 00B52C28, 00B52C38, 00B52F83
0|, xrefs: 00B51F3B
network_down, xrefs: 00B52F1C
NtQueryWnfStateData, xrefs: 00B52CCC, 00B53009, 00B53331
hr-HR, xrefs: 00B522DB
invalid_argument, xrefs: 00B51E72
ka-GE, xrefs: 00B52196
currentContextMessage, xrefs: 00B5284F
v=br, xrefs: 00B52377
I, xrefs: 00B529A7
/, xrefs: 00B52381
5Ee%, xrefs: 00B51E0F
7, xrefs: 00B531ED
message, xrefs: 00B51BA8
^, xrefs: 00B53124

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: %$+$/$/$0|$3.$5$5Ee%$7$9)<$B$I$NtQueryWnfStateData$Rp$S`$W$Z$^$_$currentContextMessage$failureType$hr-HR$hresult$invalid_argument$ka-GE$message$message$network_down$q$v=br
API String ID: 0-64005885
Opcode ID: 572d94c1cb7d473ee0cca45e166f96c2f79b6fb315ff9b95bdedd38fbc5d5d11
Instruction ID: 92505f5364069a275327561e7174575c35338b9037a59fb14c38fa0d4c49abac
Opcode Fuzzy Hash: 572d94c1cb7d473ee0cca45e166f96c2f79b6fb315ff9b95bdedd38fbc5d5d11
Instruction Fuzzy Hash: 98E2AC71E042A89FDB15CFA8D8543EDBBF1AF4A304F1482E9D898A7342DB745A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B583AD Relevance: 38.8, Strings: 30, Instructions: 1251COMMON

Download Yara Rule

Strings

kernelbase.dll, xrefs: 00B58CDA
}Kxg, xrefs: 00B58B74
(, xrefs: 00B584BF
", xrefs: 00B5894F
assertVersion, xrefs: 00B58B62
P, xrefs: 00B58572
operation would block, xrefs: 00B58C06
4, xrefs: 00B58589
lineNumber, xrefs: 00B5869F, 00B58B8A, 00B58D71, 00B59139
eD, xrefs: 00B58F6D
6, xrefs: 00B58582
]`~-, xrefs: 00B58A84
zfX^, xrefs: 00B58701
fileName, xrefs: 00B587DC
CallContext:[%hs] , xrefs: 00B58E31
failureType, xrefs: 00B59090
4, xrefs: 00B584D0
too many files open in system, xrefs: 00B58A61
wilActivity, xrefs: 00B586E6, 00B588DB
ky-KG, xrefs: 00B583B6
dbb, xrefs: 00B586D3
sq$, xrefs: 00B58F66
operation canceled, xrefs: 00B58515, 00B58979, 00B58D97, 00B58FFF
", xrefs: 00B59314
^v, xrefs: 00B5891C
hresult, xrefs: 00B58FB0
V, xrefs: 00B593DD
;, xrefs: 00B58579
O, xrefs: 00B5892B
(caller: %p) , xrefs: 00B584D7, 00B58536, 00B592B1

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: "$"$($(caller: %p) $4$4$6$;$CallContext:[%hs] $O$P$V$]`~-$^v$assertVersion$dbb$eD$failureType$fileName$hresult$kernelbase.dll$ky-KG$lineNumber$operation canceled$operation would block$sq$$too many files open in system$wilActivity$zfX^$}Kxg
API String ID: 0-2512331295
Opcode ID: 422b93bea1c7ba93eaa2d9d0bda4732153fdbd6c1122e7dddee654455b8cc7f8
Instruction ID: a49448d46f2df65e54778e51f45c26c7cc5f361758b30eaedf5628c65274c578
Opcode Fuzzy Hash: 422b93bea1c7ba93eaa2d9d0bda4732153fdbd6c1122e7dddee654455b8cc7f8
Instruction Fuzzy Hash: E7B2C371A042A88BDB15CFA9D8913EDBBF1AF5A300F1445F9D898A7342CB354E89DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3F806 Relevance: 36.2, Strings: 28, Instructions: 1220COMMON

Download Yara Rule

Strings

P, xrefs: 00B406EF
l, xrefs: 00B4028A
8RP"l, xrefs: 00B402C2
gl-ES, xrefs: 00B3F947, 00B3FA6E, 00B3FA7B, 00B3FD14, 00B40258, 00B40291, 00B402FD, 00B4030A, 00B4035F, 00B40365, 00B409D7
X, xrefs: 00B40924
N, xrefs: 00B406E8
M, xrefs: 00B408EF
0, xrefs: 00B40409
z#, xrefs: 00B3F9AE
address_not_available, xrefs: 00B3F85A, 00B3F85F, 00B3FBDD
R, xrefs: 00B40413
2, xrefs: 00B40653
too many links, xrefs: 00B3FDB2
Y, xrefs: 00B4065D
lineNumber, xrefs: 00B3FECA, 00B400EC
he-IL, xrefs: 00B3F987, 00B3FA07, 00B3FAC9, 00B3FDC6, 00B3FFC2, 00B4084A, 00B40A07
4, xrefs: 00B40639
:H, xrefs: 00B3FFEB
U, xrefs: 00B3F8C5
6, xrefs: 00B40914
f3, xrefs: 00B4092E
w#, xrefs: 00B3F8CC
&, xrefs: 00B40972
it-IT, xrefs: 00B3FA5C
8, xrefs: 00B404C1
Wadvapi32.dll, xrefs: 00B3FBC2
4Uw#, xrefs: 00B3F8D3
lb-LU, xrefs: 00B3FFCA

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: &$0$2$4$4Uw#$6$8$8RP"l$:H$M$N$P$R$U$Wadvapi32.dll$X$Y$address_not_available$f3$gl-ES$he-IL$it-IT$l$lb-LU$lineNumber$too many links$w#$z#
API String ID: 0-3272103750
Opcode ID: 8690de0d1639a0cb06e437f696bf91d8b47cd44c8fffa19eb97037d06b007a8a
Instruction ID: 7b97ae3cb9288041c2ff617a48b2405823fa62d038cbf68b7b4d214e6ec078ea
Opcode Fuzzy Hash: 8690de0d1639a0cb06e437f696bf91d8b47cd44c8fffa19eb97037d06b007a8a
Instruction Fuzzy Hash: B9B2F271D042588EDB15DFA8D8943ECBBF1AF59300F2442EAD498BB392DB745A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B6A8 Relevance: 33.2, Strings: 26, Instructions: 746COMMON

Download Yara Rule

Strings

e, xrefs: 00B3BAE8
th-TH, xrefs: 00B3BF82
cs-CZ, xrefs: 00B3B8DF
no message available, xrefs: 00B3B814
string too long, xrefs: 00B3BCBD
mt-MT, xrefs: 00B3B902
~, xrefs: 00B3BFB1
W, xrefs: 00B3BF23
{r30, xrefs: 00B3BAC5
message, xrefs: 00B3BBF1
lo-LA, xrefs: 00B3BD81
,-Og, xrefs: 00B3BACC
a, xrefs: 00B3BC9E
h, xrefs: 00B3C0B9
iu-Latn-CA, xrefs: 00B3BE48
1, xrefs: 00B3C18B
nl>X, xrefs: 00B3BADA
F, xrefs: 00B3BA17
identifier removed, xrefs: 00B3B6E0
ti-ET, xrefs: 00B3BD17
fi-FI, xrefs: 00B3BA82
IsLowPriorityConfiguration, xrefs: 00B3C09E
API-MS-Win-Core-LocalRegistry-L1-1-0.dll, xrefs: 00B3B981
4, xrefs: 00B3C184
E, xrefs: 00B3BF2A
X, xrefs: 00B3BCA5

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: ,-Og$1$4$API-MS-Win-Core-LocalRegistry-L1-1-0.dll$E$F$IsLowPriorityConfiguration$W$X$a$cs-CZ$e$fi-FI$h$identifier removed$iu-Latn-CA$lo-LA$message$mt-MT$nl>X$no message available$string too long$th-TH$ti-ET${r30$~
API String ID: 0-764485648
Opcode ID: 77e777f89b639130e64d75276fb66dd6fbe75b0fbb4986b29790d81f1174aa5d
Instruction ID: 7282889e03f48cf5434036628ec668c77c4f3e833da1aa546d49e3e502f42df4
Opcode Fuzzy Hash: 77e777f89b639130e64d75276fb66dd6fbe75b0fbb4986b29790d81f1174aa5d
Instruction Fuzzy Hash: 2862B231A052998EDB15CFAD99947EDBFF1AF1A300F2845FAD898A7342C3748A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B542B0 Relevance: 32.8, Strings: 25, Instructions: 1598COMMON

Download Yara Rule

Strings

sr-Cyrl-CS, xrefs: 00B542F5
B, xrefs: 00B557F5
HostProcessExecutionStop, xrefs: 00B550F3
Windows Search Service, xrefs: 00B54483, 00B5448F, 00B544DC, 00B5472D, 00B5474D, 00B54945, 00B5495B, 00B549A7, 00B549AC, 00B5519C, 00B552D5
`, xrefs: 00B55803
assertVersion, xrefs: 00B553EA
,, xrefs: 00B557FC
_, xrefs: 00B54FB9
R.x6, xrefs: 00B54322
TelemetryAssert, xrefs: 00B544B6
(, xrefs: 00B558C0
currentContextId, xrefs: 00B5524A
-%uA, xrefs: 00B546A0
+, xrefs: 00B55891
wilActivity, xrefs: 00B548C6
iu-Latn-CA, xrefs: 00B547D0
A, xrefs: 00B54FE7
$, xrefs: 00B5588A
operation_would_block, xrefs: 00B54B47, 00B54D25, 00B54DB4, 00B54ECF, 00B55098, 00B55170, 00B55264, 00B554FA, 00B5581B
=, xrefs: 00B5563F
M, xrefs: 00B558C7
is a directory, xrefs: 00B54409, 00B54561, 00B54597, 00B54774, 00B54B6C, 00B54BE4, 00B54E3F, 00B54F18, 00B54F40, 00B55664, 00B55848
currentContextName, xrefs: 00B5467D
jg{, xrefs: 00B55473
\@l, xrefs: 00B548DE

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $$($+$,$-%uA$=$A$B$HostProcessExecutionStop$M$R.x6$TelemetryAssert$Windows Search Service$\@l$_$`$assertVersion$currentContextId$currentContextName$is a directory$iu-Latn-CA$jg{$operation_would_block$sr-Cyrl-CS$wilActivity
API String ID: 0-871549327
Opcode ID: d798f1cfa53719a577f3f3c2a0fb63beab9ce7047316c8858279dbfe08af6101
Instruction ID: 7e1b751b636923a5cce8770bb85449f776bb15b51579b495a05423c8e0edd7f2
Opcode Fuzzy Hash: d798f1cfa53719a577f3f3c2a0fb63beab9ce7047316c8858279dbfe08af6101
Instruction Fuzzy Hash: 4FE2C171E042988FDB15CFA8D8543EDBBF1EF55305F2481EAD858AB382D7744A8A8F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AAFC Relevance: 28.3, Strings: 22, Instructions: 781COMMON

Download Yara Rule

Strings

eu-ES, xrefs: 00B3AD34
!B8, xrefs: 00B3B0F2
already_connected, xrefs: 00B3B353
4, xrefs: 00B3AE2A
{UnU, xrefs: 00B3B0E9
not a socket, xrefs: 00B3B0DA
", xrefs: 00B3AB12
&, xrefs: 00B3AB1C
dtBI, xrefs: 00B3B103
T, xrefs: 00B3B047
xh-ZA, xrefs: 00B3ABBF, 00B3ABE0, 00B3B114, 00B3B59D
=, xrefs: 00B3B358
[, xrefs: 00B3AFD1
zh-CHS, xrefs: 00B3ABA2
[, xrefs: 00B3AFBC
HKEY_CURRENT_USER, xrefs: 00B3AB3F, 00B3B2A1, 00B3B693
`, xrefs: 00B3B36C
currentContextName, xrefs: 00B3B513
9, xrefs: 00B3AFB5
not enough memory, xrefs: 00B3B21C
Jm, xrefs: 00B3B522
L, xrefs: 00B3AE79

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: !B8$"$&$4$9$=$HKEY_CURRENT_USER$Jm$L$T$[$[$`$already_connected$currentContextName$dtBI$eu-ES$not a socket$not enough memory$xh-ZA$zh-CHS${UnU
API String ID: 0-2561934375
Opcode ID: 4ff5c7b0344e8d13ed0fa86d5aa309a1272818337970648c686ef326ea0c96ca
Instruction ID: 60f91fc7a260213f83ae7ebc4e076660482ed227c8df8d38630242a2613ec3d4
Opcode Fuzzy Hash: 4ff5c7b0344e8d13ed0fa86d5aa309a1272818337970648c686ef326ea0c96ca
Instruction Fuzzy Hash: 0372BF71E042988EDB05CFA998507EDBFF1AF59300F2886EAD898B7382D7745A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B42702 Relevance: 25.9, Strings: 20, Instructions: 933COMMON

Download Yara Rule

Strings

hresult, xrefs: 00B42941
G, xrefs: 00B42CF4
., xrefs: 00B4328B
ReturnHr, xrefs: 00B42D9F
destination address required, xrefs: 00B42E95
I, xrefs: 00B4330B
5, xrefs: 00B43304
U, xrefs: 00B43274
3, xrefs: 00B43295
), xrefs: 00B431DE
bad address, xrefs: 00B4270E, 00B42720, 00B42BB1, 00B42F5A
connection already in progress, xrefs: 00B429D7
), xrefs: 00B42830
wilActivity, xrefs: 00B42EFC
J, xrefs: 00B4283A
originatingContextName, xrefs: 00B42B0C
fileName, xrefs: 00B42CB3
@, xrefs: 00B42EB6
connection_already_in_progress, xrefs: 00B42765, 00B427B7, 00B42C51, 00B42C83, 00B43221, 00B43242
`, xrefs: 00B431BD

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: )$)$.$3$5$@$G$I$J$ReturnHr$U$`$bad address$connection already in progress$connection_already_in_progress$destination address required$fileName$hresult$originatingContextName$wilActivity
API String ID: 3298025750-1988273597
Opcode ID: a7f5168e19cbdf52f6378e11a8f4d921733f5c4c998675601ed3a2e16bac75a2
Instruction ID: 39ca65f978b800a335621e84e153053392f4c32cd5539e1e9d0c4362a265eede
Opcode Fuzzy Hash: a7f5168e19cbdf52f6378e11a8f4d921733f5c4c998675601ed3a2e16bac75a2
Instruction Fuzzy Hash: B282E571E042988FDB15CFA8D8913DCBBF1AF59300F6441EAE898B7382D7745A86DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B4982E Relevance: 23.3, Strings: 18, Instructions: 802COMMON

Download Yara Rule

Strings

kk-KZ, xrefs: 00B4987B
_Kt, xrefs: 00B49D3F
I, xrefs: 00B49863
., xrefs: 00B4A0F6
HostProcessExecutionStop, xrefs: 00B4A395
wilActivity, xrefs: 00B49E5E
not supported, xrefs: 00B498DF, 00B4994E, 00B49D65, 00B4A23A, 00B4A27E, 00B4A27F
H, xrefs: 00B4A12F
P, xrefs: 00B4A128
ml-IN, xrefs: 00B49A35
$, xrefs: 00B4A0EC
5, xrefs: 00B4A4FE
invalid argument, xrefs: 00B4A220
ZC, xrefs: 00B4A25E
PQ_S, xrefs: 00B49AD1
threadId, xrefs: 00B49F7D
failureType, xrefs: 00B49D0D
fD4y, xrefs: 00B49B21

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: $$.$5$H$HostProcessExecutionStop$I$P$PQ_S$ZC$_Kt$fD4y$failureType$invalid argument$kk-KZ$ml-IN$not supported$threadId$wilActivity
API String ID: 3298025750-2709668120
Opcode ID: 270ffc96269439378298e555f7fef41071d8c5c896c8061a433dd79a12e6c3bd
Instruction ID: b2a9b4792fb971169087c72ac7f9da348ea173d6e18592c74f85e55093ea4c0a
Opcode Fuzzy Hash: 270ffc96269439378298e555f7fef41071d8c5c896c8061a433dd79a12e6c3bd
Instruction Fuzzy Hash: B472CF71A042A88FDB15CFA99C942EDBBF1BF59300F1445F9E898AB342C3354A49DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B5339E Relevance: 20.9, Strings: 16, Instructions: 928COMMON

Download Yara Rule

Strings

sr-Latn-CS, xrefs: 00B537D2
WSea, xrefs: 00B536F5
rch, xrefs: 00B536FC
N, xrefs: 00B53FB9
+, xrefs: 00B5402D
_, xrefs: 00B534C1
argument list too long, xrefs: 00B53922
currentContextMessage, xrefs: 00B53437, 00B5382B, 00B53D8B
tr-TR, xrefs: 00B535E0, 00B53CFA
A, xrefs: 00B53FDB
E, xrefs: 00B53F06
so-SO, xrefs: 00B53865, 00B53A86, 00B53A8E, 00B53DB6, 00B53ED0
B, xrefs: 00B54172
B, xrefs: 00B53E4B
|, xrefs: 00B53F1A
onecoreuap\base\appmodel\search\common\pkmutild\cregistry.cxx, xrefs: 00B534F8

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressFreeHeapProc
String ID: +$A$B$B$E$N$WSea$_$argument list too long$currentContextMessage$onecoreuap\base\appmodel\search\common\pkmutild\cregistry.cxx$rch$so-SO$sr-Latn-CS$tr-TR$|
API String ID: 4280525199-3569377931
Opcode ID: b280e1450768240e91a3aa363c6dd6685a36062e3737644b3075c3144d89a820
Instruction ID: d0bd9ffee4d8cf92706cca182a0462b6fbe77e5aacbb11410564be523ada2bd2
Opcode Fuzzy Hash: b280e1450768240e91a3aa363c6dd6685a36062e3737644b3075c3144d89a820
Instruction Fuzzy Hash: 6B92EC71D042688BDB25CFA8D8857DCBBF1AF59304F1482EAE848BB382D7755A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D929 Relevance: 20.7, Strings: 16, Instructions: 733COMMON

Download Yara Rule

Strings

D, xrefs: 00B3E224
wilResult, xrefs: 00B3DA1F, 00B3DBF1, 00B3DC11, 00B3DE76, 00B3E17B, 00B3E28B, 00B3E3FA, 00B3E424
c+, xrefs: 00B3E092
., xrefs: 00B3D966
;, xrefs: 00B3D970
hresult, xrefs: 00B3D9B0
bad_address, xrefs: 00B3DA9C, 00B3DBDD, 00B3DBE7, 00B3DE53, 00B3DF2D, 00B3E3D7
^, xrefs: 00B3E1E4
zh-CHS, xrefs: 00B3DB3B
argument out of domain, xrefs: 00B3E054, 00B3E059, 00B3E0CA, 00B3E335
not supported, xrefs: 00B3DD9E
unknown error, xrefs: 00B3DC9D
?, xrefs: 00B3E143
originatingContextName, xrefs: 00B3DF72
Q", xrefs: 00B3DC04
Assert, xrefs: 00B3D994

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: .$;$?$Assert$D$Q"$^$argument out of domain$bad_address$c+$hresult$not supported$originatingContextName$unknown error$wilResult$zh-CHS
API String ID: 190572456-1396226173
Opcode ID: 671af3ae1ee305f99aa47880fb980a7ad2a1c61e96ed78a4349427951bdce9dc
Instruction ID: f042ce0bebdbdbbd54e4e104cc54a264317bd6d4571a02d7b42ce90ebee7aef8
Opcode Fuzzy Hash: 671af3ae1ee305f99aa47880fb980a7ad2a1c61e96ed78a4349427951bdce9dc
Instruction Fuzzy Hash: 3A62D271E042988FDB16CFA894503EDBFF1AF5A300F2942EAD895B7342D7349A46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B55A67 Relevance: 20.6, Strings: 16, Instructions: 574COMMON

Download Yara Rule

Strings

ig-NG, xrefs: 00B55CDC
bs-BA-Latn, xrefs: 00B55BA7, 00B561D8
c, xrefs: 00B5607E
E, xrefs: 00B5604A
`, xrefs: 00B55EC1
currentContextMessage, xrefs: 00B561FE
ext-ms-win-advapi32-eventlog-l1-1-0, xrefs: 00B55B68
ff-Latn-NG, xrefs: 00B55A73
`, xrefs: 00B5603F
2Av, xrefs: 00B55CFA
J, xrefs: 00B56064
", xrefs: 00B5606E
Windows Search Service, xrefs: 00B561B0
:, xrefs: 00B56054
:, xrefs: 00B55F6F
PartA_PrivTags, xrefs: 00B55B15, 00B55BF1, 00B55E8E, 00B55F99

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: "$2Av$:$:$E$J$PartA_PrivTags$Windows Search Service$`$`$bs-BA-Latn$c$currentContextMessage$ext-ms-win-advapi32-eventlog-l1-1-0$ff-Latn-NG$ig-NG
API String ID: 0-1470573524
Opcode ID: ad5de50db830f77e5d97ca7e5191dc97a8c1908033dfbc588042a23021d605c8
Instruction ID: 5251595892132ae2cac853b422c0c7b37f7f7bdde4d3500f5824bfd7ed0d738d
Opcode Fuzzy Hash: ad5de50db830f77e5d97ca7e5191dc97a8c1908033dfbc588042a23021d605c8
Instruction Fuzzy Hash: 85322371E002488FEB15CFA8C8953EDBBF1EF49305F2481AAE854BB382D7755A458F54

Uniqueness

Uniqueness Score: -1.00%

Function 00B31102 Relevance: 19.4, Strings: 15, Instructions: 611COMMON

Download Yara Rule

Strings

originatingContextName, xrefs: 00B31470, 00B316B9, 00B319B2, 00B319B8
R, xrefs: 00B3180A
.Bu{failureId, xrefs: 00B3147C, 00B31933, 00B319BC, 00B319FD, 00B31A53
4, xrefs: 00B317EC
Q, xrefs: 00B317FF
Q, xrefs: 00B31678
l!, xrefs: 00B310F9
HostProcessExecution, xrefs: 00B3154E
FallbackError, xrefs: 00B313EF
ks-Arab, xrefs: 00B313EA, 00B313FA, 00B3196C, 00B319B7, 00B319DF
J, xrefs: 00B31772
!A<, xrefs: 00B31894
failureId, xrefs: 00B311DB
currentContextId, xrefs: 00B31849
zh-Hant, xrefs: 00B31956, 00B31A03

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: !A<$.Bu{failureId$4$FallbackError$HostProcessExecution$J$Q$Q$R$currentContextId$failureId$ks-Arab$l!$originatingContextName$zh-Hant
API String ID: 0-1683865593
Opcode ID: d481d5b5f0be82213fa0d47a6fd73b51879a2ed796ff01d9aa0ae2dcf71a5803
Instruction ID: 8be679d765a50f4b76041bd23c5476becb65514075e76696f9a9f5230cbeb7da
Opcode Fuzzy Hash: d481d5b5f0be82213fa0d47a6fd73b51879a2ed796ff01d9aa0ae2dcf71a5803
Instruction Fuzzy Hash: 5C42CF71D083988EDB11CFA898542DCBFF1AF59310F2887AAD498B7352D7745A86CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A52E Relevance: 19.3, Strings: 15, Instructions: 508COMMON

Download Yara Rule

Strings

+\lU, xrefs: 00B4AA74
Q, xrefs: 00B4AC69
message, xrefs: 00B4ABE9
W, xrefs: 00B4A562
Z, xrefs: 00B4AC62
onecoreuap\base\AppModel\Search\common\include\PrivateComActivationHelper.h, xrefs: 00B4AB1E
mt-MT, xrefs: 00B4A6E5
onecoreuap\base\appmodel\search\search\search\gather\fltrhost\fltrhost.cxx, xrefs: 00B4A589
sr-Cyrl-BA, xrefs: 00B4A9DC
-, xrefs: 00B4AC70
N, xrefs: 00B4A556
syr-SY, xrefs: 00B4A819
=jp), xrefs: 00B4AA66
filename_too_long, xrefs: 00B4A904
K, xrefs: 00B4AA96

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID: AddressFreeHeapProc
String ID: +\lU$-$=jp)$K$N$Q$W$Z$filename_too_long$message$mt-MT$onecoreuap\base\AppModel\Search\common\include\PrivateComActivationHelper.h$onecoreuap\base\appmodel\search\search\search\gather\fltrhost\fltrhost.cxx$sr-Cyrl-BA$syr-SY
API String ID: 4280525199-1807326845
Opcode ID: df267ba215de82252689dfd467f355aa7c112a617a2fb2eeac3bbd32eb59bbe0
Instruction ID: 24892403d153c954655fbb589c01b7d8e6eb909983b20dae2dd99798843f2fdf
Opcode Fuzzy Hash: df267ba215de82252689dfd467f355aa7c112a617a2fb2eeac3bbd32eb59bbe0
Instruction Fuzzy Hash: DA22A071E043A88EDB16CFA998902EDBFF2BF19300F1446E9D898A7342D7744A46DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F5BE Relevance: 16.9, Strings: 13, Instructions: 640COMMON

Download Yara Rule

Strings

4, xrefs: 00B1FCC7
sr-Cyrl-CS, xrefs: 00B1F5D2
wilActivity, xrefs: 00B1F9FC
ne-NP, xrefs: 00B1FE54
result, xrefs: 00B1F87C
@!$B, xrefs: 00B1F5FF
Ye, xrefs: 00B1F606
it-IT, xrefs: 00B1FD1A
REGISTRY, xrefs: 00B1F92C
sl-SI, xrefs: 00B1FAE1
bn-IN, xrefs: 00B1FBD4
.\%s.mui, xrefs: 00B1F6FE
currentContextName, xrefs: 00B1F6E7, 00B1F7FF

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: .\%s.mui$4$@!$B$REGISTRY$bn-IN$currentContextName$it-IT$ne-NP$result$sl-SI$sr-Cyrl-CS$wilActivity$Ye
API String ID: 0-595021523
Opcode ID: 3f07a0cad2e099368d959214641dddc1cf24f2aad728feb16ede9ac76e6183cc
Instruction ID: 135a608a1d72934bdfb119383b25321edb2ed896c3c3907fcaa9676210050fe8
Opcode Fuzzy Hash: 3f07a0cad2e099368d959214641dddc1cf24f2aad728feb16ede9ac76e6183cc
Instruction Fuzzy Hash: 5D421831B052A85EEB15CFAD98903EDBFF16F1A300F5945F9D8C8A7342C6244A86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B4F5D4 Relevance: 16.7, Strings: 13, Instructions: 409COMMON

Download Yara Rule

Strings

originatingContextMessage, xrefs: 00B4F6F5, 00B4F75F, 00B4F760, 00B4F950
timed_out, xrefs: 00B4F85B
,, xrefs: 00B4F6CA
G, xrefs: 00B4F6B4
., xrefs: 00B4FAFD
hresult, xrefs: 00B4F605, 00B4F7EA, 00B4F8D3, 00B4FAA0, 00B4FAB9, 00B4FACA
R, xrefs: 00B4FA5F
B, xrefs: 00B4F9FA
8, xrefs: 00B4F73F
/, xrefs: 00B4F6BE
connection reset, xrefs: 00B4F6C5
9, xrefs: 00B4FA48
H, xrefs: 00B4FA58

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: ,$.$/$8$9$B$G$H$R$connection reset$hresult$originatingContextMessage$timed_out
API String ID: 0-825078173
Opcode ID: bf00b7885ca4b917e42f80d6cd981428a6c02680f8a49aed556f4d61e0cd9321
Instruction ID: 6c4f7eda15553a5f0310b3ed662ff10a32ea015b363d6ca54d695ec5a48da9c5
Opcode Fuzzy Hash: bf00b7885ca4b917e42f80d6cd981428a6c02680f8a49aed556f4d61e0cd9321
Instruction Fuzzy Hash: 0DF1F371D0429A9FDB04CFA8D8403EDBBF1AF59300F2886AAD495F7281EB745B46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EDBD Relevance: 15.3, Strings: 12, Instructions: 302COMMON

Download Yara Rule

Strings

&, xrefs: 00B1F1D8
failureId, xrefs: 00B1EF48, 00B1EFA1, 00B1F098
onecore\internal\sdk\inc\wil\Staging.h, xrefs: 00B1EF73
P, xrefs: 00B1F177
rR:, xrefs: 00B1EFC3
Windows Search Service, xrefs: 00B1EDF5
[&>, xrefs: 00B1F236
age, xrefs: 00B1F011
M51, xrefs: 00B1EE24
mess, xrefs: 00B1F045
bin-NG, xrefs: 00B1EDD1
>, xrefs: 00B1F1CC

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: &$>$M51$P$Windows Search Service$[&>$age$bin-NG$failureId$mess$onecore\internal\sdk\inc\wil\Staging.h$rR:
API String ID: 0-1572237282
Opcode ID: e7ad5e290be3cb97ef83bb562d7015790a6153c3178f7b9296e85cd3bcbc528c
Instruction ID: 3d313837ae14ffa5059444795d6f26ac8d226803a14b71d2586a3c55f59e474e
Opcode Fuzzy Hash: e7ad5e290be3cb97ef83bb562d7015790a6153c3178f7b9296e85cd3bcbc528c
Instruction Fuzzy Hash: 1DC116326083818EE314CF3994817EEFBE19FD5348F5849BEE8D897293D6748989C752

Uniqueness

Uniqueness Score: -1.00%

Function 00B564DC Relevance: 15.2, Strings: 12, Instructions: 226COMMON

Download Yara Rule

Strings

L, xrefs: 00B56780
E, xrefs: 00B567AD
=, xrefs: 00B566A8
wilActivity, xrefs: 00B564EC
Jp73, xrefs: 00B56509
, xrefs: 00B56733
X, xrefs: 00B56713
d, xrefs: 00B56789
E, xrefs: 00B565FA
;, xrefs: 00B5672C
', xrefs: 00B5671A
@, xrefs: 00B56647

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $'$;$=$@$E$E$Jp73$L$X$d$wilActivity
API String ID: 0-479315862
Opcode ID: 3d333f375d1675ddb2be9ccb9a660e12b2eb796bb150b31f408809c64cb88aa0
Instruction ID: 9c1b0f5615a6ca37aaf373057248e8d83b3ddea094a5ba1b512fde11277309db
Opcode Fuzzy Hash: 3d333f375d1675ddb2be9ccb9a660e12b2eb796bb150b31f408809c64cb88aa0
Instruction Fuzzy Hash: B091CEB1D002588FDB05CFB8D8883EDBBF1BF48304F5486A9D865B7281DB795A4A8F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AE0C Relevance: 14.1, Strings: 11, Instructions: 334COMMON

Download Yara Rule

Strings

8, xrefs: 00B2AE57
W, xrefs: 00B2AE1D
,, xrefs: 00B2B2C7
Z, xrefs: 00B2B0FC
C, xrefs: 00B2AE9D
x, xrefs: 00B2AF05
bin-NG, xrefs: 00B2AE79
H, xrefs: 00B2AFB7
es-ES_tradnl, xrefs: 00B2B0EE
currentContextId, xrefs: 00B2AFBE
[, xrefs: 00B2B2D5

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: ,$8$C$H$W$Z$[$bin-NG$currentContextId$es-ES_tradnl$x
API String ID: 0-9735081
Opcode ID: dcd6c93db9b993f84faabac2d55ddd5d7b4cd4283f24094e8469bcb184304139
Instruction ID: f26d0e378cf5686888b2e5c54e4e40635fdee7df52519562592c5a852de27c2b
Opcode Fuzzy Hash: dcd6c93db9b993f84faabac2d55ddd5d7b4cd4283f24094e8469bcb184304139
Instruction Fuzzy Hash: 97E1CE71D042A88EDB12CFB9E8613DDBBB1AF59304F1482A9D898B7242C7785A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B14748 Relevance: 12.0, Strings: 9, Instructions: 772COMMON

Download Yara Rule

Strings

failureType, xrefs: 00B147AB, 00B14BD0, 00B14C37, 00B14F3F, 00B14F97, 00B14FDE
, xrefs: 00B14DF5
=, xrefs: 00B14DE0
B, xrefs: 00B14DEE
C, xrefs: 00B15039
/, xrefs: 00B15042
T, xrefs: 00B14DE7
A$, xrefs: 00B14BC9
P, xrefs: 00B15060

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: $/$=$A$$B$C$P$T$failureType
API String ID: 0-3899794092
Opcode ID: 1343e68bdcbe2e0bd3bff1ac6c69811b6a160aa1a5ab235a8f99c61aa20fceab
Instruction ID: e9200a10051d79064be50cf3abedb732cd5853e3f912fc37dd0bb7587d3a700f
Opcode Fuzzy Hash: 1343e68bdcbe2e0bd3bff1ac6c69811b6a160aa1a5ab235a8f99c61aa20fceab
Instruction Fuzzy Hash: 6172B1B0D046489FDB15CFB8C8956DDBBB0EF5A318F248399D464BB382D7756A86CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00B4877B Relevance: 9.1, Strings: 7, Instructions: 374COMMON

Download Yara Rule

Strings

fr-FR, xrefs: 00B48C6F
0, xrefs: 00B48C88
too_many_files_open, xrefs: 00B48902, 00B48B2E, 00B48DC5, 00B48E0F, 00B48E69
@=), xrefs: 00B4876F, 00B4877D
callContext, xrefs: 00B488C1
wrong_protocol_type, xrefs: 00B48C4C
failureId, xrefs: 00B487C4

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: 0$@=)$callContext$failureId$fr-FR$too_many_files_open$wrong_protocol_type
API String ID: 0-3377890380
Opcode ID: 461a8e977b37522e8ff12a820d9ff262e2dcb7e936a3360bfb9b6dacfdb3a979
Instruction ID: d0af00adc1e272bd3713801bc04f559f39ecfab74bc9b6fdc58a0c95191fb89b
Opcode Fuzzy Hash: 461a8e977b37522e8ff12a820d9ff262e2dcb7e936a3360bfb9b6dacfdb3a979
Instruction Fuzzy Hash: F502AF71E092A88EDB15CFA998543EDBFF1AF15300F2485EAD888BB341C6744B85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B56297 Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

L, xrefs: 00B5649D
sd-Deva-IN, xrefs: 00B5634E, 00B56357
km-KH, xrefs: 00B562A0
onecoreuap\base\AppModel\Search\common\include\errormsg_common.hxx, xrefs: 00B563CE

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: L$km-KH$onecoreuap\base\AppModel\Search\common\include\errormsg_common.hxx$sd-Deva-IN
API String ID: 0-2344586223
Opcode ID: e8be75062412f3a43369148b5a29453f91d85b61f6374bb98bb95e1fafbb2a53
Instruction ID: ba88a88935ef2ef257de216aa880a8fcd9aa70ec35e3680ebcee2a15f7ec1d21
Opcode Fuzzy Hash: e8be75062412f3a43369148b5a29453f91d85b61f6374bb98bb95e1fafbb2a53
Instruction Fuzzy Hash: 13514831A042A84ECB158FEDA8903ED7FF16F19311F5941FADCCCA3392C524898ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B1FF5D Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

sv-SE, xrefs: 00B1FF66
sr-Latn-BA, xrefs: 00B2006A
b, xrefs: 00B2007D

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID: b$sr-Latn-BA$sv-SE
API String ID: 0-3733230230
Opcode ID: 610d52f40366b2a1cda8ee6a4dac7a5dcbacf2207d7057c760cc79995142f303
Instruction ID: 13d4de92b6cedbc592316461979d018f2384a1b271f133974c718a3ccebf22e9
Opcode Fuzzy Hash: 610d52f40366b2a1cda8ee6a4dac7a5dcbacf2207d7057c760cc79995142f303
Instruction Fuzzy Hash: 8D51C632A042AC4EDB51CFADA8903EDBFE16F55300F1945FAD8DCA7352D9644986CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EC0E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e543f0822827d83de87c2735d291301b8330a8a321558d2fcc5cac76a72197
Instruction ID: f348ad01077707f187ca1fdc8b1458d16e70365141b2014a633e893796d7c1a7
Opcode Fuzzy Hash: d2e543f0822827d83de87c2735d291301b8330a8a321558d2fcc5cac76a72197
Instruction Fuzzy Hash: ECE0ECB1904708AFDB18CF8AD44189AFBF8EE48360B10C46EE05AE3300D270AD408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D101 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D115 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b10000_SearchProtocolHost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
Instruction ID: 09a661d3bcde169e3a68bda8983e2d082d1c510c2daa6ab026a58b72df35bac7
Opcode Fuzzy Hash: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
Instruction Fuzzy Hash: 3AA00235692980CFCE16CF08C290F0073B4F754B40F010490E401C7A21C228ED40C940

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Installer.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\44d547.rbs

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\VcRedist\README.md

C:\Windows\Installer\44d546.msi

C:\Windows\Installer\44d548.msi

C:\Windows\Installer\MSID69E.tmp

C:\Windows\Installer\MSID6AF.tmp

C:\Windows\Installer\SourceHash{E8BC70D1-2863-4379-B219-8656E74FCC1E}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF13D7E8724B90FCF1.TMP

C:\Windows\Temp\~DF1FEDD9837BEBD059.TMP

C:\Windows\Temp\~DF29492B2735222095.TMP

C:\Windows\Temp\~DF3062DD17BBBFA997.TMP

C:\Windows\Temp\~DF327F78088AAFEED8.TMP

C:\Windows\Temp\~DF375EE48D958B38FB.TMP

C:\Windows\Temp\~DF71AAADE0E9A6F831.TMP

Windows Analysis Report
Installer.msi

Function 00B20157 Relevance: 39.3, APIs: 2, Strings: 20, Instructions: 762
COMMON

Function 00B43750 Relevance: 33.7, APIs: 1, Strings: 18, Instructions: 484
COMMON

Function 00B43739 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 484
COMMON

Function 00B40A2D Relevance: 29.4, Strings: 23, Instructions: 668
COMMON

Function 00B42000 Relevance: 25.4, Strings: 20, Instructions: 404
COMMON

Function 00B43BC5 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 277
COMMON

Function 00B48E94 Relevance: 20.5, Strings: 16, Instructions: 471
COMMON

Function 00B1DD59 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 315
COMMON

Function 00B1D95C Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 274
COMMON

Function 00B1D1FF Relevance: 14.3, Strings: 11, Instructions: 507
COMMON

Function 00B1E6B9 Relevance: 14.1, Strings: 11, Instructions: 370
COMMON

Function 00B1E205 Relevance: 12.8, Strings: 10, Instructions: 305
COMMON

Function 00B32F99 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 379
COMMON

Function 00B1F263 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 223
COMMON