Edit tour

Windows Analysis Report
EhSODySB7R.exe

Overview

General Information

Sample name:	EhSODySB7R.exe renamed because original name is a hash value
Original sample name:	0a73f48ffa71f2ba878056373570aa08.exe
Analysis ID:	1384579
MD5:	0a73f48ffa71f2ba878056373570aa08
SHA1:	4d5195efeda4ce5c14096a22613d32afb9958808
SHA256:	f14401a595ad551015bce9e8eeaa8f80f2294f8767b654a5650da0f314de5255
Tags:	exe
Infos:

Detection

GhostRat, Nitol, Young Lotus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GhostRat

Yara detected Nitol

Yara detected Young Lotus

Connects to many ports of the same IP (likely port scanning)

Drops executables to the windows directory (C:\Windows) and starts them

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

EhSODySB7R.exe (PID: 1632 cmdline: C:\Users\user\Desktop\EhSODySB7R.exe MD5: 0A73F48FFA71F2BA878056373570AA08)

msiexec.exe (PID: 5696 cmdline: msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI99F2.tmp MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 360 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5176 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 96302FF1609113E413E3406A4F20EA8E MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIA311.tmp (PID: 1716 cmdline: C:\Windows\Installer\MSIA311.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\IOPL\gxonecli.exe MD5: 1458A72D86B87E1329CFC549B98D1E4D)

gxonecli.exe (PID: 4816 cmdline: "C:\Program Files (x86)\IOPL\gxonecli.exe" MD5: 206A390B01B76BA387EA40C4A72622CC)

gxonecli.exe (PID: 6300 cmdline: C:\Program Files (x86)\IOPL\gxonecli.exe MD5: 206A390B01B76BA387EA40C4A72622CC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: gxonecli.exe PID: 4816	JoeSecurity_Nitol	Yara detected Nitol	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.gxonecli.exe.a09e27.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
6.2.gxonecli.exe.a09e27.1.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
6.2.gxonecli.exe.a09e27.1.unpack	JoeSecurity_YoungLotus	Yara detected Young Lotus	Joe Security
6.2.gxonecli.exe.a09e27.1.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP	Detects executables embedding registry key / value combination manipulating RDP / Terminal Services	ditekSHen	0xdd080:$r1: SOFTWARE\Policies\Microsoft\Windows\Installer 0xdd0b0:$k1: EnableAdminTSRemote 0xdc908:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdcf64:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdcfcc:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdd114:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdd158:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdd1a0:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdcfc0:$k2: TSEnabled 0xdd038:$r3: SYSTEM\CurrentControlSet\Services\TermDD 0xdcef8:$r4: SYSTEM\CurrentControlSet\Services\TermService 0xdd000:$r4: SYSTEM\CurrentControlSet\Services\TermService 0xdcdf1:$k3: Start 0xdcdff:$k3: Start 0xdce0d:$k3: Start 0xdce1b:$k3: Start 0xdd064:$k3: Start 0xe21ec:$k3: Start 0xe220c:$k3: Start 0xe223c:$k3: Start 0xdc908:$r5: SYSTEM\CurrentControlSet\Control\Terminal Server
6.2.gxonecli.exe.a09e27.1.unpack	MALWARE_Win_PCRat	Detects PCRat / Gh0st	ditekSHen	0xd9c40:$s1: ClearEventLogA 0xda62c:$s2: NetUserAdd 0xdbb06:$s4: :]%d-%d-%d %d:%d:%d 0xdbb20:$s6: <Enter> 0xdce7c:$s7: \cmd.exe 0xdc714:$a1: 360tray.exe 0xdc6ec:$a2: avp.exe 0xdc6bc:$a3: RavMonD.exe 0xdc6fc:$a4: 360sd.exe 0xdc6a0:$a5: Mcshield.exe 0xdc68c:$a6: egui.exe 0xdc678:$a7: kxetray.exe 0xdc5b4:$a8: knsdtray.exe 0xdc5a0:$a9: TMBMSRV.exe 0xdc65c:$a10: avcenter.exe 0xdc640:$a11: ashDisp.exe
6.2.gxonecli.exe.2e10bd7.3.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
6.2.gxonecli.exe.2e10bd7.3.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
6.2.gxonecli.exe.2e10bd7.3.unpack	JoeSecurity_YoungLotus	Yara detected Young Lotus	Joe Security
6.2.gxonecli.exe.2e10bd7.3.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP	Detects executables embedding registry key / value combination manipulating RDP / Terminal Services	ditekSHen	0xdd080:$r1: SOFTWARE\Policies\Microsoft\Windows\Installer 0xdd0b0:$k1: EnableAdminTSRemote 0xdc908:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdcf64:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdcfcc:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdd114:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdd158:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdd1a0:$r2: SYSTEM\CurrentControlSet\Control\Terminal Server 0xdcfc0:$k2: TSEnabled 0xdd038:$r3: SYSTEM\CurrentControlSet\Services\TermDD 0xdcef8:$r4: SYSTEM\CurrentControlSet\Services\TermService 0xdd000:$r4: SYSTEM\CurrentControlSet\Services\TermService 0xdcdf1:$k3: Start 0xdcdff:$k3: Start 0xdce0d:$k3: Start 0xdce1b:$k3: Start 0xdd064:$k3: Start 0xe21ec:$k3: Start 0xe220c:$k3: Start 0xe223c:$k3: Start 0xdc908:$r5: SYSTEM\CurrentControlSet\Control\Terminal Server
6.2.gxonecli.exe.2e10bd7.3.unpack	MALWARE_Win_PCRat	Detects PCRat / Gh0st	ditekSHen	0xd9c40:$s1: ClearEventLogA 0xda62c:$s2: NetUserAdd 0xdbb06:$s4: :]%d-%d-%d %d:%d:%d 0xdbb20:$s6: <Enter> 0xdce7c:$s7: \cmd.exe 0xdc714:$a1: 360tray.exe 0xdc6ec:$a2: avp.exe 0xdc6bc:$a3: RavMonD.exe 0xdc6fc:$a4: 360sd.exe 0xdc6a0:$a5: Mcshield.exe 0xdc68c:$a6: egui.exe 0xdc678:$a7: kxetray.exe 0xdc5b4:$a8: knsdtray.exe 0xdc5a0:$a9: TMBMSRV.exe 0xdc65c:$a10: avcenter.exe 0xdc640:$a11: ashDisp.exe
Click to see the 5 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Windows\Installer\419d6c.msi	Avira: detection malicious, Label: TR/Agent.tqvbm
Source: C:\Users\user\AppData\Local\Temp\MSI99F2.tmp	Avira: detection malicious, Label: TR/Agent.tqvbm

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\IOPL\libcurl32.dll	ReversingLabs: Detection: 62%
Source: C:\Program Files (x86)\IOPL\libcurl32.dll	Virustotal: Detection: 32%			Perma Link

Multi AV Scanner detection for submitted file

Source: EhSODySB7R.exe	ReversingLabs: Detection: 31%
Source: EhSODySB7R.exe	Virustotal: Detection: 52%			Perma Link

Source: EhSODySB7R.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\System32\msiexec.exe

Directory created: C:\Program Files\Microsoft\??

Jump to behavior

Source:	Binary string: e:\po\trunk\modules\gxonecli\Release\gxonecli.pdb source: gxonecli.exe, 00000006.00000000.2005719174.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000002.2024310338.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000000.2023277833.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: EhSODySB7R.exe, 419d6c.msi.3.dr, MSIA311.tmp.3.dr, MSI99F2.tmp.0.dr
Source:	Binary string: e:\Develope\msi2exe\release\msi2exestub.pdb source: EhSODySB7R.exe
Source:	Binary string: E:\ag\libcurl32\Release\libcurl32.pdb source: gxonecli.exe, 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmp, gxonecli.exe, 00000007.00000002.2024701887.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmp, libcurl32.dll.3.dr
Source:	Binary string: 4e:\po\trunk\modules\gxonecli\Release\gxonecli.pdb source: gxonecli.exe, 00000006.00000000.2005719174.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000002.2024310338.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000000.2023277833.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: EhSODySB7R.exe, MSIA06B.tmp.3.dr, MSIA11A.tmp.3.dr, 419d6c.msi.3.dr, MSI9F22.tmp.3.dr, MSIA0DA.tmp.3.dr, MSIA14A.tmp.3.dr, MSI99F2.tmp.0.dr, MSIA0AA.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: EhSODySB7R.exe, 419d6c.msi.3.dr, MSIA311.tmp.3.dr, MSI99F2.tmp.0.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006E19F9 FindFirstFileExW,	5_2_006E19F9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007806E3 PathAppendW,_memset,GetCurrentDirectoryW,PathAppendW,GetFileAttributesW,lstrcpyW,lstrcpyW,PathAppendW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,PathAppendW,FindNextFileW,FindClose,	6_2_007806E3
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F12B6F SHGetSpecialFolderPathA,_mbscat,FindFirstFileA,_mbscat,strlen,memcpy,strlen,	6_2_02F12B6F
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F15802 FindFirstFileA,memset,memcpy,memcpy,memcpy,memset,FindClose,CloseHandle,CreateFileA,	6_2_02F15802
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F15195 memset,lstrlen,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_02F15195
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F14FE5 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,strcmp,strcmp,lstrlen,memcpy,memcpy,memcpy,memcpy,FindNextFileA,LocalFree,FindClose,	6_2_02F14FE5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F15763 memset,_mbscpy,FindFirstFileA,FindClose,	6_2_02F15763
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F1557C __EH_prolog,memset,lstrlen,FindFirstFileA,strlen,FindNextFileA,FindClose,	6_2_02F1557C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007806E3 PathAppendW,_memset,GetCurrentDirectoryW,PathAppendW,GetFileAttributesW,lstrcpyW,lstrcpyW,PathAppendW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,PathAppendW,FindNextFileW,FindClose,	7_2_007806E3

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F1EB68 GetLogicalDriveStringsA,QueryDosDeviceA,lstrlen,_strncoll,lstrcpy,lstrcpy,lstrcat,

6_2_02F1EB68

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\SysWOW64\KERNELBASE.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\SysWOW64\KERNEL32.DLL	Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]		6_2_02E27E77
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]		6_2_02F272A0

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 154.39.251.117 ports 0,4,7,8,9,49780

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 154.39.251.117:49780

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117
Source: unknown	TCP traffic detected without corresponding DNS query: 154.39.251.117

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F13246 select,memset,recv,

6_2_02F13246

Source: gxonecli.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0L
Source: gxonecli.exe.3.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://s.symcd.com06
Source: gxonecli.exe, 00000006.00000002.3224599658.0000000002A80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: gxonecli.exe.3.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: gxonecli.exe.3.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: gxonecli.exe.3.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: gxonecli.exe.3.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: gxonecli.exe.3.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: gxonecli.exe.3.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_007379A0 ShowWindow,OpenClipboard,MessageBoxW,MessageBoxW,

6_2_007379A0

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_00781593 EmptyClipboard,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	6_2_00781593
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F1BFCC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,GlobalFree,CloseClipboard,	6_2_02F1BFCC
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F12F68 strlen,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_mbscpy,GlobalUnWire,SetClipboardData,CloseClipboard,	6_2_02F12F68
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_00781593 EmptyClipboard,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,	7_2_00781593

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F12AF2 OpenClipboard,GetClipboardData,GlobalFix,strlen,GlobalUnWire,CloseClipboard,

6_2_02F12AF2

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F16BBD memset,Sleep,lstrlen,memset,memset,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrlen,lstrcat,memset,lstrcat,

6_2_02F16BBD

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0074777C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		6_2_0074777C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0074777C GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,		7_2_0074777C

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding registry key / value combination manipulating RDP / Terminal Services Author: ditekSHen
Source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE	Matched rule: Detects PCRat / Gh0st Author: ditekSHen
Source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding registry key / value combination manipulating RDP / Terminal Services Author: ditekSHen
Source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE	Matched rule: Detects PCRat / Gh0st Author: ditekSHen

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_00781164: CreateFileA,DeviceIoControl,

6_2_00781164

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F1D08C OpenSCManagerA,_mbscpy,OpenServiceA,GetLastError,QueryServiceStatus,ControlService,DeleteService,Sleep,

6_2_02F1D08C

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F190B2 memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,SetTokenInformation,CreateProcessAsUserA,FreeLibrary,

6_2_02F190B2

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F1EAA6 ExitWindowsEx,	6_2_02F1EAA6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F180EE ExitWindowsEx,	6_2_02F180EE
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F12C67 memcpy,CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,	6_2_02F12C67

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\419d6c.msi

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9F22.tmp

Jump to behavior

Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_00404C68	0_2_00404C68
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_0040767B	0_2_0040767B
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_00402F70	0_2_00402F70
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006AD000	5_2_006AD000
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006E42D2	5_2_006E42D2
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006D7488	5_2_006D7488
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006DC746	5_2_006DC746
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006E5A16	5_2_006E5A16
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006CAB40	5_2_006CAB40
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006D0B10	5_2_006D0B10
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006D2CFF	5_2_006D2CFF
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006D4CB0	5_2_006D4CB0
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006DFD29	5_2_006DFD29
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006B0E30	5_2_006B0E30
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006D0E9E	5_2_006D0E9E
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006DEF3D	5_2_006DEF3D
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007AC074	6_2_007AC074
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0075A0FF	6_2_0075A0FF
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007483E6	6_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0078A4F9	6_2_0078A4F9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007364F0	6_2_007364F0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007544CD	6_2_007544CD
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0077C4CD	6_2_0077C4CD
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0077E68C	6_2_0077E68C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0077A865	6_2_0077A865
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007569DB	6_2_007569DB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007AE9C1	6_2_007AE9C1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_00754C55	6_2_00754C55
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A4CE2	6_2_007A4CE2
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007B0CBB	6_2_007B0CBB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079AD6D	6_2_0079AD6D
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_00734D00	6_2_00734D00
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007AEF05	6_2_007AEF05
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079AF95	6_2_0079AF95
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007990BB	6_2_007990BB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_00799170	6_2_00799170
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A9170	6_2_007A9170
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0077D130	6_2_0077D130
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A51B7	6_2_007A51B7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007412A0	6_2_007412A0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079931E	6_2_0079931E
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007B1478	6_2_007B1478
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007AF449	6_2_007AF449
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007554A9	6_2_007554A9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A558B	6_2_007A558B
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0075361C	6_2_0075361C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007557E7	6_2_007557E7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_00739840	6_2_00739840
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0074D9D1	6_2_0074D9D1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A5997	6_2_007A5997
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_00759B7B	6_2_00759B7B
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0077DB8A	6_2_0077DB8A
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A5DB7	6_2_007A5DB7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0077BEA1	6_2_0077BEA1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079DF5C	6_2_0079DF5C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A9FC1	6_2_007A9FC1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4DEFDE	6_2_6C4DEFDE
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4DEB49	6_2_6C4DEB49
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4DFB36	6_2_6C4DFB36
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4DF74E	6_2_6C4DF74E
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4DF37C	6_2_6C4DF37C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A90032	6_2_02A90032
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A9E0CE	6_2_02A9E0CE
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A947A7	6_2_02A947A7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A95731	6_2_02A95731
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A9CBD0	6_2_02A9CBD0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A9FB22	6_2_02A9FB22
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A9FD87	6_2_02A9FD87
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E10032	6_2_02E10032
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E892B7	6_2_02E892B7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E8A2B7	6_2_02E8A2B7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E74207	6_2_02E74207
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E777C7	6_2_02E777C7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E257D7	6_2_02E257D7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E2A707	6_2_02E2A707
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E745E7	6_2_02E745E7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E76597	6_2_02E76597
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E70AA7	6_2_02E70AA7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E7AAA7	6_2_02E7AAA7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E24BA7	6_2_02E24BA7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E87807	6_2_02E87807
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E88F87	6_2_02E88F87
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E73F57	6_2_02E73F57
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E6EC37	6_2_02E6EC37
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E89C17	6_2_02E89C17
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F73A10	6_2_02F73A10
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F76BF0	6_2_02F76BF0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F883B0	6_2_02F883B0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F73380	6_2_02F73380
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F29B30	6_2_02F29B30
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F6E060	6_2_02F6E060
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F89040	6_2_02F89040
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F759C0	6_2_02F759C0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F886E0	6_2_02F886E0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F896E0	6_2_02F896E0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F6FED0	6_2_02F6FED0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F79ED0	6_2_02F79ED0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F73630	6_2_02F73630
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F23FD0	6_2_02F23FD0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F86C30	6_2_02F86C30
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F24C00	6_2_02F24C00
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_1000E0F7	6_2_1000E0F7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_1000FDB0	6_2_1000FDB0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_1000FB4B	6_2_1000FB4B
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_1000575A	6_2_1000575A
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_100047D0	6_2_100047D0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_1000CBF9	6_2_1000CBF9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007AC074	7_2_007AC074
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0075A0FF	7_2_0075A0FF
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007483E6	7_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0078A4F9	7_2_0078A4F9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007364F0	7_2_007364F0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007544CD	7_2_007544CD
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0077C4CD	7_2_0077C4CD
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0077E68C	7_2_0077E68C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0077A865	7_2_0077A865
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007569DB	7_2_007569DB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007AE9C1	7_2_007AE9C1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_00754C55	7_2_00754C55
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A4CE2	7_2_007A4CE2
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007B0CBB	7_2_007B0CBB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079AD6D	7_2_0079AD6D
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_00734D00	7_2_00734D00
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007AEF05	7_2_007AEF05
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079AF95	7_2_0079AF95
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007990BB	7_2_007990BB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_00799170	7_2_00799170
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A9170	7_2_007A9170
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0077D130	7_2_0077D130
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A51B7	7_2_007A51B7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007412A0	7_2_007412A0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079931E	7_2_0079931E
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007B1478	7_2_007B1478
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007AF449	7_2_007AF449
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007554A9	7_2_007554A9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A558B	7_2_007A558B
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0075361C	7_2_0075361C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007557E7	7_2_007557E7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_00739840	7_2_00739840
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0074D9D1	7_2_0074D9D1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A5997	7_2_007A5997
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_00759B7B	7_2_00759B7B
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0077DB8A	7_2_0077DB8A
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A5DB7	7_2_007A5DB7
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0077BEA1	7_2_0077BEA1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079DF5C	7_2_0079DF5C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A9FC1	7_2_007A9FC1

Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI9F22.tmp CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSIA06B.tmp CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2

Source: C:\Windows\Installer\MSIA311.tmp	Code function: String function: 006C9623 appears 100 times
Source: C:\Windows\Installer\MSIA311.tmp	Code function: String function: 006C9656 appears 69 times
Source: C:\Windows\Installer\MSIA311.tmp	Code function: String function: 006C99E0 appears 39 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0079E524 appears 84 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 007A8345 appears 108 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0073C7C0 appears 124 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 02F26220 appears 48 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 02A95317 appears 31 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0079C30A appears 114 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 00781DF9 appears 32 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 6C4DA060 appears 43 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0074B1BD appears 52 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 02E26DF7 appears 48 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0078E87E appears 32 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0079B4BC appears 160 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 00747518 appears 88 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 007952BF appears 54 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0079C2A1 appears 372 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0079C2D4 appears 50 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0078E8E1 appears 46 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 00735140 appears 60 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 0079D951 appears 48 times
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: String function: 10005340 appears 31 times
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: String function: 00402F0C appears 34 times

Source: EhSODySB7R.exe, 00000000.00000000.1978377364.0000000000412000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameviewer.exeF vs EhSODySB7R.exe
Source: EhSODySB7R.exe, 00000000.00000000.1978377364.0000000000412000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs EhSODySB7R.exe
Source: EhSODySB7R.exe	Binary or memory string: OriginalFilenameviewer.exeF vs EhSODySB7R.exe
Source: EhSODySB7R.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs EhSODySB7R.exe

Source: C:\Users\user\Desktop\EhSODySB7R.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: libcurl32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: libcurl32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: EhSODySB7R.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP author = ditekSHen, description = Detects executables embedding registry key / value combination manipulating RDP / Terminal Services
Source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st
Source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_RDP author = ditekSHen, description = Detects executables embedding registry key / value combination manipulating RDP / Terminal Services
Source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_PCRat author = ditekSHen, description = Detects PCRat / Gh0st

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/30@0/1

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A91B27 LoadLibraryA,GetProcAddress,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,GetProcAddress,	6_2_02A91B27
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F1EACE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	6_2_02F1EACE
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F12C67 memcpy,CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,	6_2_02F12C67
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_10001B50 LoadLibraryA,GetProcAddress,OpenProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,GetProcAddress,	6_2_10001B50

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_0073EFD0 PathIsDirectoryW,GetLogicalDrives,GetDriveTypeW,PathIsDirectoryW,GetDiskFreeSpaceExW,lstrlenW,lstrlenW,SHSetValueW,

6_2_0073EFD0

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: GetModuleFileNameA,GetSystemDirectoryA,strlen,_strncoll,wsprintfA,_mbscat,_mbscat,CopyFileA,memset,_mbscpy,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,_mbscpy,_mbscat,RegOpenKeyA,lstrlen,RegSetValueExA,

6_2_02F196EA

Source: C:\Windows\Installer\MSIA311.tmp

Code function: 5_2_006A6150 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

5_2_006A6150

Source: C:\Windows\Installer\MSIA311.tmp

Code function: 5_2_006A6E50 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

5_2_006A6E50

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_0040134E __EH_prolog3_catch,_memset,_memset,GetTempPathW,GetTempFileNameW,__CxxThrowException@8,FindResourceW,SizeofResource,LoadResource,LockResource,CreateFileW,ShowWindow,ShowWindow,WriteFile,InvalidateRect,ShowWindow,FindCloseChangeNotification,_swprintf,_memset,CreateProcessW,ExitProcess,

0_2_0040134E

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F193D6 GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,memset,GetModuleFileNameA,CreateMutexA,GetLastError,exit,SetUnhandledExceptionFilter,StartServiceCtrlDispatcherA,WSAStartup,Sleep,ExitProcess,SHGetSpecialFolderPathA,GetFileAttributesA,DefineDosDeviceA,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,sprintf,lstrlen,Sleep,

6_2_02F193D6

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

6_2_02F193D6

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\Microsoft\??

Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Mutant created: \Sessions\1\BaseNamedObjects\154.39.251.117:49780:SRDSL

Source: C:\Users\user\Desktop\EhSODySB7R.exe

File created: C:\Users\user\AppData\Local\Temp\MSI99F2.tmp

Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Command line argument: OneClientWnd	6_2_007445B0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Command line argument: .z	6_2_007A2E30
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Command line argument: OneClientWnd	7_2_007445B0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Command line argument: .z	7_2_007A2E30

Source: EhSODySB7R.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Installer\MSIA311.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EhSODySB7R.exe	ReversingLabs: Detection: 31%
Source: EhSODySB7R.exe	Virustotal: Detection: 52%

Source: EhSODySB7R.exe

String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`ActionTarget`Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'CustomActionSET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0AI_STARTMENU_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderSta

Source: unknown	Process created: C:\Users\user\Desktop\EhSODySB7R.exe C:\Users\user\Desktop\EhSODySB7R.exe
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI99F2.tmp
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 96302FF1609113E413E3406A4F20EA8E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA311.tmp C:\Windows\Installer\MSIA311.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\IOPL\gxonecli.exe
Source: C:\Windows\Installer\MSIA311.tmp	Process created: C:\Program Files (x86)\IOPL\gxonecli.exe "C:\Program Files (x86)\IOPL\gxonecli.exe"
Source: unknown	Process created: C:\Program Files (x86)\IOPL\gxonecli.exe C:\Program Files (x86)\IOPL\gxonecli.exe
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI99F2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 96302FF1609113E413E3406A4F20EA8E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIA311.tmp C:\Windows\Installer\MSIA311.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\IOPL\gxonecli.exe	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process created: C:\Program Files (x86)\IOPL\gxonecli.exe "C:\Program Files (x86)\IOPL\gxonecli.exe"	Jump to behavior

Source: C:\Windows\Installer\MSIA311.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Directory created: C:\Program Files\Microsoft\??

Jump to behavior

Source: EhSODySB7R.exe

Static file information: File size 2252800 > 1048576

Source: EhSODySB7R.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x216000

Source: EhSODySB7R.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e:\po\trunk\modules\gxonecli\Release\gxonecli.pdb source: gxonecli.exe, 00000006.00000000.2005719174.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000002.2024310338.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000000.2023277833.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: EhSODySB7R.exe, 419d6c.msi.3.dr, MSIA311.tmp.3.dr, MSI99F2.tmp.0.dr
Source:	Binary string: e:\Develope\msi2exe\release\msi2exestub.pdb source: EhSODySB7R.exe
Source:	Binary string: E:\ag\libcurl32\Release\libcurl32.pdb source: gxonecli.exe, 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmp, gxonecli.exe, 00000007.00000002.2024701887.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmp, libcurl32.dll.3.dr
Source:	Binary string: 4e:\po\trunk\modules\gxonecli\Release\gxonecli.pdb source: gxonecli.exe, 00000006.00000000.2005719174.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000002.2024310338.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe, 00000007.00000000.2023277833.00000000007B9000.00000002.00000001.01000000.00000009.sdmp, gxonecli.exe.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: EhSODySB7R.exe, MSIA06B.tmp.3.dr, MSIA11A.tmp.3.dr, 419d6c.msi.3.dr, MSI9F22.tmp.3.dr, MSIA0DA.tmp.3.dr, MSIA14A.tmp.3.dr, MSI99F2.tmp.0.dr, MSIA0AA.tmp.3.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: EhSODySB7R.exe, 419d6c.msi.3.dr, MSIA311.tmp.3.dr, MSI99F2.tmp.0.dr

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_004065BA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_004065BA

Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_00402F51 push ecx; ret	0_2_00402F64
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 1_2_051BF574 push esp; ret	1_2_051BF581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 1_2_051BF50D push esp; ret	1_2_051BF531
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006C9600 push ecx; ret	5_2_006C9613
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079C379 push ecx; ret	6_2_0079C38C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079E569 push ecx; ret	6_2_0079E57C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4D6D45 push ecx; ret	6_2_6C4D6D58
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4DA0A5 push ecx; ret	6_2_6C4DA0B8
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A9535C push ecx; ret	6_2_02A9536F
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E26E77 push eax; ret	6_2_02E26EA5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E26DF7 push eax; ret	6_2_02E26E15
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F262A0 push eax; ret	6_2_02F262CE
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F26220 push eax; ret	6_2_02F2623E
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_10005385 push ecx; ret	6_2_10005398
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079C379 push ecx; ret	7_2_0079C38C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079E569 push ecx; ret	7_2_0079E57C

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIA311.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA311.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA06B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IOPL\gxonecli.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA14A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\IOPL\libcurl32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F22.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA11A.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA311.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA06B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA14A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F22.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA11A.tmp	Jump to dropped file

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SRDSL

Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

6_2_02F193D6

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007483E6 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,TrackMouseEvent,GetTickCount,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetTickCount,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,	6_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007483E6 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,TrackMouseEvent,GetTickCount,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetTickCount,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,	6_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007483E6 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,TrackMouseEvent,GetTickCount,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetTickCount,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,	6_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007467AC GetWindowRect,GetParent,GetWindow,MonitorFromWindow,GetMonitorInfoW,IsIconic,GetWindowRect,SetWindowPos,	6_2_007467AC
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007483E6 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,TrackMouseEvent,GetTickCount,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetTickCount,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,	7_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007483E6 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,TrackMouseEvent,GetTickCount,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetTickCount,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,	7_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007483E6 __EH_prolog3_GS,IsIconic,ScreenToClient,GetCursorPos,ScreenToClient,GetTickCount,GetTickCount,GetActiveWindow,GetWindow,GetWindowLongW,GetParent,SetFocus,DestroyWindow,_memset,BeginPaint,EndPaint,GetClientRect,IsRectEmpty,_memset,BeginPaint,GetUpdateRect,IsRectEmpty,DeleteDC,DeleteDC,DeleteObject,DeleteObject,_memset,CreateCompatibleDC,CreateCompatibleBitmap,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,CreateCompatibleDC,_memset,SelectObject,SendMessageW,BitBlt,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,CreateCompatibleDC,_memset,SelectObject,_memset,BitBlt,SelectObject,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,GetFocus,GetParent,GetParent,GetTickCount,GetTickCount,GetTickCount,GetTickCount,ScreenToClient,GetTickCount,SendMessageW,GetTickCount,SetFocus,GetTickCount,SendMessageW,TrackMouseEvent,GetTickCount,SendMessageW,IsRectEmpty,IsIconic,GetTickCount,SetFocus,GetTickCount,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,GetTickCount,_memset,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ScreenToClient,GetTickCount,SendMessageW,SetFocus,GetTickCount,	7_2_007483E6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007467AC GetWindowRect,GetParent,GetWindow,MonitorFromWindow,GetMonitorInfoW,IsIconic,GetWindowRect,SetWindowPos,	7_2_007467AC

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F181AA OpenEventLogA,ClearEventLogA,CloseEventLog,

6_2_02F181AA

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSIA311.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA0DA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA0AA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA06B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA14A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA11A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9F22.tmp	Jump to dropped file

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_6-115431
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Windows\Installer\MSIA311.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-35815

Source: C:\Windows\Installer\MSIA311.tmp	API coverage: 5.5 %
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	API coverage: 3.7 %
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	API coverage: 2.2 %

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006E19F9 FindFirstFileExW,	5_2_006E19F9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007806E3 PathAppendW,_memset,GetCurrentDirectoryW,PathAppendW,GetFileAttributesW,lstrcpyW,lstrcpyW,PathAppendW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,PathAppendW,FindNextFileW,FindClose,	6_2_007806E3
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F12B6F SHGetSpecialFolderPathA,_mbscat,FindFirstFileA,_mbscat,strlen,memcpy,strlen,	6_2_02F12B6F
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F15802 FindFirstFileA,memset,memcpy,memcpy,memcpy,memset,FindClose,CloseHandle,CreateFileA,	6_2_02F15802
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F15195 memset,lstrlen,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	6_2_02F15195
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F14FE5 lstrlen,wsprintfA,FindFirstFileA,LocalAlloc,LocalReAlloc,strcmp,strcmp,lstrlen,memcpy,memcpy,memcpy,memcpy,FindNextFileA,LocalFree,FindClose,	6_2_02F14FE5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F15763 memset,_mbscpy,FindFirstFileA,FindClose,	6_2_02F15763
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F1557C __EH_prolog,memset,lstrlen,FindFirstFileA,strlen,FindNextFileA,FindClose,	6_2_02F1557C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007806E3 PathAppendW,_memset,GetCurrentDirectoryW,PathAppendW,GetFileAttributesW,lstrcpyW,lstrcpyW,PathAppendW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,PathAppendW,FindNextFileW,FindClose,	7_2_007806E3

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F1EB68 GetLogicalDriveStringsA,QueryDosDeviceA,lstrlen,_strncoll,lstrcpy,lstrcpy,lstrcat,

6_2_02F1EB68

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02A926F6 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

6_2_02A926F6

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\SysWOW64\KERNELBASE.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll	Jump to behavior
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	File opened: C:\Windows\SysWOW64\KERNEL32.DLL	Jump to behavior

Source: gxonecli.exe, 00000006.00000002.3224356518.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\w

Source: C:\Program Files (x86)\IOPL\gxonecli.exe	API call chain: ExitProcess graph end node	graph_6-116276
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	API call chain: ExitProcess graph end node	graph_6-116509
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	API call chain: ExitProcess graph end node	graph_6-116696

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02E10032 GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,LoadLibraryA,LdrGetProcedureAddress,VirtualProtect,

6_2_02E10032

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F1B915 BlockInput,InterlockedExchange,BlockInput,InterlockedExchange,InterlockedExchange,

6_2_02F1B915

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_0040214A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040214A

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02A9A91B ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

6_2_02A9A91B

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02A926F6 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

6_2_02A926F6

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_004065BA LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,__invoke_watson,GetProcAddress,GetProcAddress,__invoke_watson,

0_2_004065BA

Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006E17F8 mov eax, dword ptr fs:[00000030h]	5_2_006E17F8
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006D984F mov ecx, dword ptr fs:[00000030h]	5_2_006D984F
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A90AE4 mov eax, dword ptr fs:[00000030h]	6_2_02A90AE4
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02E10AE4 mov eax, dword ptr fs:[00000030h]	6_2_02E10AE4

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_00401D75 GetStartupInfoW,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,___crtGetCommandLineW,___crtGetEnvironmentStringsW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,

0_2_00401D75

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSIA311.tmp C:\Windows\Installer\MSIA311.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\IOPL\gxonecli.exe

Jump to behavior

Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_0040214A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040214A
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_00401A49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401A49
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_0040421E SetUnhandledExceptionFilter,	0_2_0040421E
Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: 0_2_00406B47 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00406B47
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006C97CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_006C97CD
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006CD7C6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_006CD7C6
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006C9963 SetUnhandledExceptionFilter,	5_2_006C9963
Source: C:\Windows\Installer\MSIA311.tmp	Code function: 5_2_006C8FA8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_006C8FA8
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_007A08DC SetUnhandledExceptionFilter,	6_2_007A08DC
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079C918 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0079C918
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079B1F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0079B1F0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_0079B7CB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0079B7CB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4D6CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6C4D6CCD
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_6C4D99BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C4D99BC
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02A94F47 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_02A94F47
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_02F193D6 GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,memset,GetModuleFileNameA,CreateMutexA,GetLastError,exit,SetUnhandledExceptionFilter,StartServiceCtrlDispatcherA,WSAStartup,Sleep,ExitProcess,SHGetSpecialFolderPathA,GetFileAttributesA,DefineDosDeviceA,CopyFileA,MoveFileExA,SetFileAttributesA,CreateDirectoryA,sprintf,lstrlen,Sleep,	6_2_02F193D6
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 6_2_10004F70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_10004F70
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_007A08DC SetUnhandledExceptionFilter,	7_2_007A08DC
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079C918 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0079C918
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079B1F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0079B1F0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: 7_2_0079B7CB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0079B7CB

Source: C:\Windows\Installer\MSIA311.tmp

Code function: 5_2_006A75D0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,GetProcessId,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,

5_2_006A75D0

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F1BDAA _ftol,_ftol,MapVirtualKeyA,keybd_event,

6_2_02F1BDAA

Source: C:\Windows\Installer\MSIA311.tmp

Process created: C:\Program Files (x86)\IOPL\gxonecli.exe "C:\Program Files (x86)\IOPL\gxonecli.exe"

Jump to behavior

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F19E21 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

6_2_02F19E21

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_00409EB9 cpuid

0_2_00409EB9

Source: C:\Users\user\Desktop\EhSODySB7R.exe	Code function: GetLocaleInfoA,	0_2_00409C70
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoW,	5_2_006E50B6
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoW,	5_2_006DE12F
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoEx,FormatMessageA,	5_2_006B2101
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_006E5185
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoEx,	5_2_006C85CD
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_006E4821
Source: C:\Windows\Installer\MSIA311.tmp	Code function: EnumSystemLocalesW,	5_2_006E4AC3
Source: C:\Windows\Installer\MSIA311.tmp	Code function: EnumSystemLocalesW,	5_2_006E4B0E
Source: C:\Windows\Installer\MSIA311.tmp	Code function: EnumSystemLocalesW,	5_2_006E4BA9
Source: C:\Windows\Installer\MSIA311.tmp	Code function: EnumSystemLocalesW,	5_2_006DDBB2
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_006E4C34
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoW,	5_2_006E4E87
Source: C:\Windows\Installer\MSIA311.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_006E4FB0
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	6_2_007A40D2
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,	6_2_007A6470
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	6_2_007A4598
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_007A46AF
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	6_2_007A4747
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_007A47BB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	6_2_007A29CA
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	6_2_007A2996
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_007A498D
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_007A4A4E
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	6_2_007A4AF1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_007A4AB5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_007A2B09
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	6_2_007A6BB3
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,	6_2_007A6D03
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	6_2_0079D1D2
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_007A3546
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	6_2_007A3BB4
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	6_2_007A3E0C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6C4DE8B5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_6C4DE958
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_6C4DE91C
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	6_2_6C4E2A61
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_6C4E2B3B
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_6C4DE42D
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_6C4DE522
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_6C4DE5C9
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	6_2_6C4E05C4
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	6_2_6C4DC592
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,	6_2_6C4E2612
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_6C4DE624
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_6C4DE7F5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	6_2_6C4D8190
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_6C4DD4DC
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	6_2_6C4DD1EE
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	7_2_007A40D2
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,	7_2_007A6470
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	7_2_007A4598
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	7_2_007A46AF
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	7_2_007A4747
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	7_2_007A47BB
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	7_2_007A29CA
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	7_2_007A2996
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	7_2_007A498D
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_007A4A4E
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	7_2_007A4AF1
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	7_2_007A4AB5
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_007A2B09
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	7_2_007A6BB3
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: GetLocaleInfoA,	7_2_007A6D03
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	7_2_0079D1D2
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	7_2_007A3546
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	7_2_007A3BB4
Source: C:\Program Files (x86)\IOPL\gxonecli.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	7_2_007A3E0C

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\EhSODySB7R.exe

Code function: 0_2_00404A38 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00404A38

Source: C:\Program Files (x86)\IOPL\gxonecli.exe

Code function: 6_2_02F15A81 memset,memset,strncpy,GetUserNameA,_strcmpi,Sleep,memset,sprintf,memset,sprintf,memset,sprintf,memset,lstrcpy,CloseHandle,

6_2_02F15A81

Source: C:\Windows\Installer\MSIA311.tmp

Code function: 5_2_006DE59F GetTimeZoneInformation,

5_2_006DE59F

Source: C:\Users\user\Desktop\EhSODySB7R.exe

0_2_00401D75

Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Msmpeng.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ayagent.aye
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avguard.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Avgui.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: gxonecli.exe, 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, gxonecli.exe, 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE

Yara detected Nitol

Source: Yara match	File source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gxonecli.exe PID: 4816, type: MEMORYSTR

Yara detected Young Lotus

Source: Yara match	File source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE

Yara detected Nitol

Source: Yara match	File source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gxonecli.exe PID: 4816, type: MEMORYSTR

Yara detected Young Lotus

Source: Yara match	File source: 6.2.gxonecli.exe.a09e27.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.gxonecli.exe.2e10bd7.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	3 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	3 Command and Scripting Interpreter	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	23 Windows Service	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	1 Scheduled Task/Job	11 Access Token Manipulation	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	23 Windows Service	1 File Deletion	LSA Secrets	36 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Process Injection	122 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	1 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EhSODySB7R.exe	32%	ReversingLabs	Win32.Trojan.Generic
EhSODySB7R.exe	52%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Installer\419d6c.msi	100%	Avira	TR/Agent.tqvbm
C:\Users\user\AppData\Local\Temp\MSI99F2.tmp	100%	Avira	TR/Agent.tqvbm
C:\Program Files (x86)\IOPL\gxonecli.exe	3%	ReversingLabs
C:\Program Files (x86)\IOPL\gxonecli.exe	3%	Virustotal		Browse
C:\Program Files (x86)\IOPL\libcurl32.dll	62%	ReversingLabs	Win32.Trojan.Generic
C:\Program Files (x86)\IOPL\libcurl32.dll	32%	Virustotal		Browse
C:\Windows\Installer\MSI9F22.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI9F22.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIA06B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA06B.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIA0AA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA0AA.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIA0DA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA0DA.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIA11A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA11A.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIA14A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA14A.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSIA311.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA311.tmp	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://schemas.microsoft	0%	URL Reputation	safe
http://schemas.microsoft	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.microsoft	gxonecli.exe, 00000006.00000002.3224599658.0000000002A80000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.39.251.117	unknown	United States		174	COGENT-174US	true

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1384579
Start date and time:	2024-02-01 09:13:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EhSODySB7R.exe renamed because original name is a hash value
Original Sample Name:	0a73f48ffa71f2ba878056373570aa08.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/30@0/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 335
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 5696 because there are no executed function
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:13:57	Task Scheduler	Run new task: asphost path: C:\Program Files (x86)\IOPL\gxonecli.exe
09:14:38	API Interceptor	4x Sleep call for process: gxonecli.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COGENT-174US	qmF3fz3Zn4.exe	Get hash	malicious	GuLoader	Browse	38.6.193.13
	NEW_ORDER_LIST.exe	Get hash	malicious	FormBook	Browse	154.55.172.8
	bmRxqHHniX.exe	Get hash	malicious	PureLog Stealer	Browse	38.170.242.108
	SecuriteInfo.com.Program.Itva.3.25171.4872.exe	Get hash	malicious	Unknown	Browse	149.5.241.43
	SecuriteInfo.com.Program.Itva.3.25171.4872.exe	Get hash	malicious	Unknown	Browse	149.5.241.43
	bDGMxPWACb.elf	Get hash	malicious	Mirai	Browse	38.37.189.103
	Cu0TlnUNJM.elf	Get hash	malicious	Mirai	Browse	204.217.21.237
	ygrD2R1gGn.elf	Get hash	malicious	Mirai	Browse	38.72.173.4
	HFx7lxkDe7.elf	Get hash	malicious	Mirai	Browse	204.241.248.195
	paraiso.x86.elf	Get hash	malicious	Mirai	Browse	38.9.235.17

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSIA06B.tmp	ScreenBeam_Conference_Windows.msi	Get hash	malicious	Unknown	Browse
	ScreenBeam_Conference_Windows.msi	Get hash	malicious	Unknown	Browse
	ScreenBeam_Conference_Windows.msi	Get hash	malicious	Unknown	Browse
	App_version 3.1.msi	Get hash	malicious	RedLine, SectopRAT	Browse
	promot_s.msi	Get hash	malicious	LummaC Stealer	Browse
	njYYgDgfwY.msi	Get hash	malicious	Unknown	Browse
	Psiphon_3.179.msi	Get hash	malicious	HTMLPhisher	Browse
	q39Ns83JoJ.lnk	Get hash	malicious	NetSupport RAT	Browse
	Driver.Booster.10.6.0.141.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Installer\MSI9F22.tmp	ScreenBeam_Conference_Windows.msi	Get hash	malicious	Unknown	Browse
	ScreenBeam_Conference_Windows.msi	Get hash	malicious	Unknown	Browse
	ScreenBeam_Conference_Windows.msi	Get hash	malicious	Unknown	Browse
	App_version 3.1.msi	Get hash	malicious	RedLine, SectopRAT	Browse
	promot_s.msi	Get hash	malicious	LummaC Stealer	Browse
	njYYgDgfwY.msi	Get hash	malicious	Unknown	Browse
	Psiphon_3.179.msi	Get hash	malicious	HTMLPhisher	Browse
	q39Ns83JoJ.lnk	Get hash	malicious	NetSupport RAT	Browse
	Driver.Booster.10.6.0.141.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\419d6e.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1508
Entropy (8bit):	5.726712386792038
Encrypted:	false
SSDEEP:	24:JmBFhFhc4GvjZDLN6ezhFjEhFOarhFJvxhFvhFxtd0o6X/j5V94ADzN9EXf4d7:JmXhFSPvlD4YhFjEhFThFJphFvhFxtd6
MD5:	169E5A828FB4A5117E6F9E003C956263
SHA1:	757B5D260585AE7D89C65FE79D57F391EC9090F1
SHA-256:	C771F0E67D9A3EC3408EC992E4264056F679AC4F9654777728699A80353FA39E
SHA-512:	CBFF7D83E8DDB5C061E38A50D96104F95E09CB01E58D61F4503B1AF25042048E612A559BEB5EF5285F860A74A2FB8BA976D7C6784E992309FAF4F94CDCFC770B
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.IAX.@.....@.....@.....@.....@.....@......&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}...R}...........MSI99F2.tmp.@.....@.....@.....@........&.{B90B9E45-791A-4A8D-8B67-CBEA2772C018}.....@.....@.....@.....@.......@.....@.....@.......@.......R}...............Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.].....ProcessComponents..ck(W.f.e.~.N.l.Qh...&.{76B9ACC9-E7DA-4F13-B9E8-560738840445}&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}.@......&.{727A60A0-480F-49E2-BA53-373CEAD7DEB8}&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}.@......&.{AB01729D-65CC-4E42-A533-9B224936F9CC}&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}.@......&.{28865FE5-54AE-48FF-84CC-0EBFC9C835A3}&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}.@......&.{A29DB99C-5B2D-4B00-B18D-AB9ADC0D86B9}&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}.@........CreateFolders..ck(W.R.^.e.N9Y...e.N9Y:. .[.1.].#...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t.\..R}.\..@........InstallFiles..ck(W.Y6R.e.e.N...e.N:. .[.1.]....v

C:\Program Files (x86)\IOPL\gxonecli.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	776440
Entropy (8bit):	6.625644436100867
Encrypted:	false
SSDEEP:	12288:LNLFGT0If4OUB8S/16jfKiTxLybL5LQFXYYTsyzR5bUmvCgzPGVa4mmhHN1aAeQB:3Cf0B8S/cqLm3UmvCgzPMa4mmhHNY5sP
MD5:	206A390B01B76BA387EA40C4A72622CC
SHA1:	5A9991DA5DF48174E6CD1A9620E21B7E32349E9E
SHA-256:	5A1458D8EDCE0E31B63180B5E94F20ED7AFFB453A6B3EA939091399E80C1FA18
SHA-512:	3BDC7E02E0830844FCD929C41A5E6FB43AC8062D99AD54155EE44BA8545939134DDCFE036E4029AA84BA3E80F5AC9DAC108F9E7F194BE931D5FFE30B063B5EAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0...^F..^F..^F..F..^F..F..^F..0F..^F..F..^F..F\|.^F..3F..^F..%F..^F.._F..^F..F..^F..F..^F..F..^FRich..^F........................PE..L......e.................z...,...................@.......................................@..................................1..@.......T....................p..Hy......................................@...............l............................text....y.......z.................. ..`.rdata..h............~..............@..@.data...8p...`...>...D..............@....rsrc...T...........................@..@.reloc......p......................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IOPL\kl.had

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	105947
Entropy (8bit):	6.417796243745669
Encrypted:	false
SSDEEP:	1536:bSEU4dhPCYUkygYdag0bBOwznUlaCnZw6x0wLlYEfucv3l8mg8yfD+xpje:lh6rk1eaBn+9Xx0mK01i3
MD5:	03A345801C7C30EA2B59C84050FBC4DA
SHA1:	663FF96ED5971FA4921828569A64E0E948283244
SHA-256:	1B4BF484BE1CCC849CE246EE64C19A69A4C979E552EFEE9CBB87ECF27BCD458F
SHA-512:	19059494843BDBE6721F55F12F0C3605BBD2E02EA4F491CA22DD01ECDAD6D2F671D4491F0B5BA92607E268E0DE0504F766174306179D725CEB8DBC37873F32D6
Malicious:	false
Reputation:	low
Preview:	^......?S?t.....7td+.............d....^....5r..u7Z..............?2.z....[............?2.x....?2.b......?2.n......?2.l.......?2.j....?......?..?......?..r...?......?......?..V....?:.z....?.x....?".d....?2.l....?".j....?".h...p..>..q...p....q....p...>...q....p...>...p...>....q.....q....>....q....p...>..p...>..>...q.....q....>....q....p...>..p...>...q......p...p2."....>".#...q2. .......>.,....q2.-.....>:.+...q2.(.......p2.........>:.....>...>...>...>:.$.......>.....q2.........p...q.......q....q.......q....>...q.....q2.6.....>".4...p2.5....>2.2...>2.3....q2.0.....>.>...q2.?.......>.;....q2.8.....p2.&....>".'...^.......o.=F^....=n;2.~....?2.Z.....?2.P....?2.R...;..;2.^...?....I`..;...?..?.;...;..?...I..Ie...?..?.;..?.;2.......;..I..Ie...?..?.;2."...?.;2.......;..I..Ie..;...?..?.;2.r.....;..?...I..Ie...?..?.;.?.;2.......;..I..Ie;2.6....?..?.;2.V.....;..?...I..Ie;...?..?.;2....

C:\Program Files (x86)\IOPL\libcurl32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116224
Entropy (8bit):	6.329790671133909
Encrypted:	false
SSDEEP:	1536:jBfleO6Yd/gkgv2PcNREDHsdoXvUCbdC6cnyJzu42pnMCBQO+StJz3Uza:jBMYd/gkRDrzRb8429MCBfltJzkz
MD5:	FEA7F6C6782854EE83009239F9875A06
SHA1:	0CCF3BBF1891AC6B3B04E463749EF2A8A3D7B2A1
SHA-256:	A716B98847454CF63775D119AB122421D8E224CD1DA93EE4DDE1894A049DA375
SHA-512:	E774493C87CA1E554380AFFDC1D6FCDBF12E843F76EF9A288167FDA7278B48A355B965DC8B720C3786E0569E8E6AB6326E36A2FD31D647836F00B08532198EE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 32%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........p..g#..g#..g#..#..g#..#..g#..#..g#...#..g#..f#..g#..#..g#..#..g#..#..g#Rich..g#........................PE..L.....e...........!.....6...........g.......P............................... .......K....@......................... ...........P...............................<....Q..............................x...@............P..H............................text....4.......6.................. ..`.rdata...S...P...T...:..............@..@.data....4..........................@....rsrc...............................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IOPL\xz.had

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1006555
Entropy (8bit):	6.175343964903649
Encrypted:	false
SSDEEP:	12288:8n5aZqiNQJz/o17bt/jJNrCwP4N8pVdG6l5jK3mbIvDG9/ai1:85aZqiNo2NrFS6l5OeZVaO
MD5:	BC01E4FC50AFAC7D48A76FCEBC611021
SHA1:	DB2BE3D2FE2DDD0CE9F71582D5F3DBBCA4F25D1A
SHA-256:	E6232900290EE2A856C2386BAAFD8FB2D92C4DAAFC1F367B02964C7FCBA4F80E
SHA-512:	06B74E2D38F6E51AE030F57F46D187EA87B4C65BFBCAC65F5FDE59EDEAFB64D71A269D839A24F61A211ED253A8EEA9BE7980BE047EDF491C2031C765C4AC6919
Malicious:	false
Reputation:	low
Preview:	^......?S?t.....7td.......M...d....^....5r..u7Z..............?2.z....[............?2.x....?2.b......?2.n......?2.l.......?2.j....?......?..?......?..r...?......?......?..V....?:.z....?.x....?".d....?2.l....?".j....?".h...p..>..q...p....q....p...>...q....p...>...p...>....q.....q....>....q....p...>..p...>..>...q.....q....>....q....p...>..p...>...q......p...p2."....>".#...q2. .......>.,....q2.-.....>:.+...q2.(.......p2.........>:.....>...>...>...>:.$.......>.....q2.........p...q.......q....q.......q....>...q.....q2.6.....>".4...p2.5....>2.2...>2.3....q2.0.....>.>...q2.?.......>.;....q2.8.....p2.&....>".'...^.......o.=F^....=n;2.~....?2.Z.....?2.P....?2.R...;..;2.^...?....I`..;...?..?.;...;..?...I..Ie...?..?.;..?.;2.......;..I..Ie...?..?.;2."...?.;2.......;..I..Ie..;...?..?.;2.r.....;..?...I..Ie...?..?.;.?.;2.......;..I..Ie;2.6....?..?.;2.V.....;..?...I..Ie;...?..?.;2....

C:\Users\user\AppData\Local\Temp\MSI99F2.tmp

Download File

Process:	C:\Users\user\Desktop\EhSODySB7R.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {B90B9E45-791A-4A8D-8B67-CBEA2772C018}, Number of Words: 2, Subject: ...., Author: Microsoft, Name of Creating Application: ...., Template: x64;2052, Comments: Installer .... , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 1 15:22:46 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	2179072
Entropy (8bit):	7.256929191663023
Encrypted:	false
SSDEEP:	49152:VsO7+DqJsDEiD3PTFRd5CWpk+q4o5q8g73ivJ+hnGkxl52ZeyN5Z:57+uKTFw+XAYhnV7Ip
MD5:	E65996714921C9E1A272079A520A9BF6
SHA1:	0563F428EA2A433E8E95FA1201978BAFA3319E55
SHA-256:	4627F020D2544FC1D8FF070A5643E038BA94EEC044F1668C9F130428DC82E0E3
SHA-512:	6A6528FA10DB751FC90250A3DE6961A87CF88BF95836EC20157E5B7CBBBD5080AE0B871AF8FF6B569DF5CB71749BBB174C267195BD7C9D3EDBBE2BF45B14800A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	......................>..................."...................................\|.......y...............................u...v...w...x...y...z...{...\|...}...~..............................................................................................................................................................................................................................................................................................................................................................................................."...4........................................................................................... ...!...,...2...$...%...&...'...(...)...*...+.......-......./...0...1...5...3...:...=...6...7...8...9...7...;...<.......>...?...@...A...B...6...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\419d6c.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {B90B9E45-791A-4A8D-8B67-CBEA2772C018}, Number of Words: 2, Subject: ...., Author: Microsoft, Name of Creating Application: ...., Template: x64;2052, Comments: Installer .... , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 1 15:22:46 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	2179072
Entropy (8bit):	7.256929191663023
Encrypted:	false
SSDEEP:	49152:VsO7+DqJsDEiD3PTFRd5CWpk+q4o5q8g73ivJ+hnGkxl52ZeyN5Z:57+uKTFw+XAYhnV7Ip
MD5:	E65996714921C9E1A272079A520A9BF6
SHA1:	0563F428EA2A433E8E95FA1201978BAFA3319E55
SHA-256:	4627F020D2544FC1D8FF070A5643E038BA94EEC044F1668C9F130428DC82E0E3
SHA-512:	6A6528FA10DB751FC90250A3DE6961A87CF88BF95836EC20157E5B7CBBBD5080AE0B871AF8FF6B569DF5CB71749BBB174C267195BD7C9D3EDBBE2BF45B14800A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	......................>..................."...................................\|.......y...............................u...v...w...x...y...z...{...\|...}...~..............................................................................................................................................................................................................................................................................................................................................................................................."...4........................................................................................... ...!...,...2...$...%...&...'...(...)...*...+.......-......./...0...1...5...3...:...=...6...7...8...9...7...;...<.......>...?...@...A...B...6...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e.......g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI9F22.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse Filename: App_version 3.1.msi, Detection: malicious, Browse Filename: promot_s.msi, Detection: malicious, Browse Filename: njYYgDgfwY.msi, Detection: malicious, Browse Filename: Psiphon_3.179.msi, Detection: malicious, Browse Filename: q39Ns83JoJ.lnk, Detection: malicious, Browse Filename: Driver.Booster.10.6.0.141.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA06B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse Filename: App_version 3.1.msi, Detection: malicious, Browse Filename: promot_s.msi, Detection: malicious, Browse Filename: njYYgDgfwY.msi, Detection: malicious, Browse Filename: Psiphon_3.179.msi, Detection: malicious, Browse Filename: q39Ns83JoJ.lnk, Detection: malicious, Browse Filename: Driver.Booster.10.6.0.141.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA0AA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA0DA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA11A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA14A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA1E7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2074
Entropy (8bit):	5.356624676094373
Encrypted:	false
SSDEEP:	48:JLXhFSPvlDzVbdoXwjKo/lTLNs1v0c0odBA75VVoiitYC4dh:JLXhIVLNTZMg5VVoi7
MD5:	95BF93400340F2E5F1F3C1D478C65DD8
SHA1:	3E26BFC9437416EFBCF549FCDD076061D1C39BF9
SHA-256:	A26E259EA393E5AC1D1A407ECC4533D26082E93E45EB2B9151F38CDF3C44419A
SHA-512:	4AF4747DE8F50E818F1DD8EBC9D2257BD75E6E2F0759F168E9CBD6C2D524C015C98910B8E2CC56239B661DF7913C8C86AF55DDCBE221ECD62AE0B0A9CE9D83D2
Malicious:	false
Preview:	...@IXOS.@.....@.IAX.@.....@.....@.....@.....@.....@......&.{C9747B50-6C7A-41A1-8B0A-F027245A29DE}...R}...........MSI99F2.tmp.@.....@.....@.....@........&.{B90B9E45-791A-4A8D-8B67-CBEA2772C018}.....@.....@.....@.....@.......@.....@.....@.......@.......R}...............Rollback..ck(W.V.n.d\O:.....RollbackCleanup..ck(W Rd..Y.N.e.N...e.N:. .[.1.]....@.......@........ProcessComponents..ck(W.f.e.~.N.l.Qh....@.....@.....@.]....&.{76B9ACC9-E7DA-4F13-B9E8-560738840445}..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.i.c.r.o.s.o.f.t.\..R}.\..@.......@.....@.....@......&.{727A60A0-480F-49E2-BA53-373CEAD7DEB8}%.0.2.:.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\..R}.........\.V.e.r.s.i.o.n..@.......@.....@.....@......&.{AB01729D-65CC-4E42-A533-9B224936F9CC}".C:\Program Files (x86)\IOPL\kl.had.@.......@.....@.....@......&.{28865FE5-54AE-48FF-84CC-0EBFC9C835A3}(.C:\Program Files (x86)\IOPL\gxonecli.exe.@.......@.....@.....@......&.{A29DB99C-5B2D-4B00-B18D-AB9ADC0D86B9}).C:\Program Files (x86)\IOPL\libcurl32.dll.@..

C:\Windows\Installer\MSIA311.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	429568
Entropy (8bit):	6.534588738111638
Encrypted:	false
SSDEEP:	12288:tbiQnSDqYisDEiD3jbTFiuiSiO+kP53nUNlQ:tbvnSDqJsDEiD3PTFTFiS53UNW
MD5:	1458A72D86B87E1329CFC549B98D1E4D
SHA1:	00D73B4E31B7395EE4BCCAB5B456D1D91C407AB9
SHA-256:	E6368DAD109C3710E17A2B6C123BAFF05B424A3653B5C094E7621AF37A8C824B
SHA-512:	4A7A32F1AE336B2377D3EA476481E8FE4BFAAAF12488CF024E7150DD26A4148DED762442F665EA4A69169D458ADF8DC717A73FF4C8BCD6F34E3A6FD4536B1E46
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..M~m..~m..~m......sm.......m......mm......im....../m......im.......m......gm..~m...m..j...dm..j.s..m..~m...m..j....m..Rich~m..........PE..L......d.........."....$.........................@.................................sf....@..................................4..........8........................:..@...p...............................@...............l............................text...F........................... ..`.rdata...R.......T..................@..@.data....7...P.......,..............@....rsrc...8............F..............@..@.reloc...:.......<...R..............@..B................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{C9747B50-6C7A-41A1-8B0A-F027245A29DE}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164051437691326
Encrypted:	false
SSDEEP:	12:JSbX72FjuiAGiLIlHVRpY5h/7777777777777777777777777vDHFCdKovjRspdz:JjQI5ew7JF
MD5:	B72072AD2691DD6AD611813845C8DF79
SHA1:	FCE4201FAA6DA90A6FBF69348E4722AB3EAB57D3
SHA-256:	318B604894594C0B116CB51F8FCB4EECB98D0F890E5FD201FCF3E9845FF0277F
SHA-512:	678FF6FB5434A036038573E340B5701CCE8756E8F77D88776C6E35ED60BF72C26A4CB40BC8719D37FA3DD375885639498459A480E5C9C24388521F9525CEC1A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.502516201859326
Encrypted:	false
SSDEEP:	48:48PhOuRc06WXJmjT53AnnHbqdbSkdoAEkrCy6o7daSkdWTk:HhO19jTm25RCDfF
MD5:	C3E81CE819018BA873A5DC571AC12616
SHA1:	11359EA7D31265BE60269BCDAE5F3FDE5A888FC9
SHA-256:	55EB5FCBB7DE48071635582A83105618E2FC80E456710FD635E828B1BE82CB95
SHA-512:	56FC3F65A1AB1A9ADF2E2066B1EE55FAD056C2EE4005B7F4A5995B05A611A2532A6EA5E2AD087D7B5A9820A01F78B8A2DB62EC334E1EC819B60B501834DF16D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364483
Entropy (8bit):	5.365485968553111
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauM:zTtbmkExhMJCIpEt
MD5:	568DED1D8C1AD74F48CC5393265AABF7
SHA1:	0534E7773DF3CAA4B97F4B3EC89BECE356E856AB
SHA-256:	82CED9B131911AF4BF0DC9AD60995E71BBD0D345DB22A28DDBFFC8980766272F
SHA-512:	DF4253B7DD5722C3E83FC4F43447F70A83C24674A73508B13097B8358480E6810BB88ABE2F4062E94519876F461A0D0514DC261413016C21A66A722982090F88
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF059B1C27DDD10682.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF085F81FF71451B09.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF09F695D3BE53E930.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.502516201859326
Encrypted:	false
SSDEEP:	48:48PhOuRc06WXJmjT53AnnHbqdbSkdoAEkrCy6o7daSkdWTk:HhO19jTm25RCDfF
MD5:	C3E81CE819018BA873A5DC571AC12616
SHA1:	11359EA7D31265BE60269BCDAE5F3FDE5A888FC9
SHA-256:	55EB5FCBB7DE48071635582A83105618E2FC80E456710FD635E828B1BE82CB95
SHA-512:	56FC3F65A1AB1A9ADF2E2066B1EE55FAD056C2EE4005B7F4A5995B05A611A2532A6EA5E2AD087D7B5A9820A01F78B8A2DB62EC334E1EC819B60B501834DF16D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2673259CC74025C8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07085259504642283
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO838tbkKCdKorTjGoVky6lf1:2F0i8n0itFzDHFCdKovjGTd
MD5:	23391C870901A0D0001632106FF1F81F
SHA1:	7A2743C9081D62703B543F5200E014422B8DC564
SHA-256:	B423A2FDE8CAFF845E1A8CB920BF4B628BE45BEDD82BAB1BD56F4DC9CA68C485
SHA-512:	86B64E4ED48157466F616CC1E01B6FD5838C9AAC873E968E48E6ABF1C92CD4F91BFAB8F46F56BECBF52FF8E0A19229FDAB93A7894E2573AF4B365D291F5FF689
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3BF6BBC19487615F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.502516201859326
Encrypted:	false
SSDEEP:	48:48PhOuRc06WXJmjT53AnnHbqdbSkdoAEkrCy6o7daSkdWTk:HhO19jTm25RCDfF
MD5:	C3E81CE819018BA873A5DC571AC12616
SHA1:	11359EA7D31265BE60269BCDAE5F3FDE5A888FC9
SHA-256:	55EB5FCBB7DE48071635582A83105618E2FC80E456710FD635E828B1BE82CB95
SHA-512:	56FC3F65A1AB1A9ADF2E2066B1EE55FAD056C2EE4005B7F4A5995B05A611A2532A6EA5E2AD087D7B5A9820A01F78B8A2DB62EC334E1EC819B60B501834DF16D1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF70E8428081F4B513.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2078215779087094
Encrypted:	false
SSDEEP:	48:j8mGuWI+CFXJBT5FAnnHbqdbSkdoAEkrCy6o7daSkdWTk:ImGKpTk25RCDfF
MD5:	96D325AD7ED1B88C247FBA36753EBF13
SHA1:	D875B6C5ADCA7E6E59B8D2BC4CDD024EC9F1E3FA
SHA-256:	E7F35766D60BF736E906BC1F9CEF7F6E4016D4E539033E6D8D65010DC08D8E02
SHA-512:	9FF2275597B662BE0411BFFBC1657687B27379ABFFE91CA461601F09516286267197827CF421B1D8986DD1D6EB84DAB25784F22037EBA00469AB9FEFBF32E9EB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7AF7106CB94DA54C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2078215779087094
Encrypted:	false
SSDEEP:	48:j8mGuWI+CFXJBT5FAnnHbqdbSkdoAEkrCy6o7daSkdWTk:ImGKpTk25RCDfF
MD5:	96D325AD7ED1B88C247FBA36753EBF13
SHA1:	D875B6C5ADCA7E6E59B8D2BC4CDD024EC9F1E3FA
SHA-256:	E7F35766D60BF736E906BC1F9CEF7F6E4016D4E539033E6D8D65010DC08D8E02
SHA-512:	9FF2275597B662BE0411BFFBC1657687B27379ABFFE91CA461601F09516286267197827CF421B1D8986DD1D6EB84DAB25784F22037EBA00469AB9FEFBF32E9EB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C8607CA1983D293.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8BC05347DF573D29.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEE54271F540E341D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF2110DFC9EFEA859.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2078215779087094
Encrypted:	false
SSDEEP:	48:j8mGuWI+CFXJBT5FAnnHbqdbSkdoAEkrCy6o7daSkdWTk:ImGKpTk25RCDfF
MD5:	96D325AD7ED1B88C247FBA36753EBF13
SHA1:	D875B6C5ADCA7E6E59B8D2BC4CDD024EC9F1E3FA
SHA-256:	E7F35766D60BF736E906BC1F9CEF7F6E4016D4E539033E6D8D65010DC08D8E02
SHA-512:	9FF2275597B662BE0411BFFBC1657687B27379ABFFE91CA461601F09516286267197827CF421B1D8986DD1D6EB84DAB25784F22037EBA00469AB9FEFBF32E9EB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF449F79D48DA9B9F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.11349506444903357
Encrypted:	false
SSDEEP:	24:7lzLVTx+daipV+dA+dlBipV+doAEV+/jCy6oVQwGO9a+2H5I6:15T4daSkd7dbSkdoAEkrCy6o/anH5H
MD5:	C036E9957B414DA2523AB7FB83A4ED06
SHA1:	CC89B5040CB6E1CF6AC5F3E9D5B2E16C9837A1C5
SHA-256:	F806E87ACFA3E6D18FA00E2BC69D3AE08EF769C6858F6DF0526483247159FBA5
SHA-512:	9770E4F58AE3DB238CAC1F71F4DE81C9F44611D8E7548ED0DA7647DA30031813F12910C6D029CB51F8000D92669326CE15252DB82DB40E0B6CB209ABB6FCA75C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.225751156615419
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EhSODySB7R.exe
File size:	2'252'800 bytes
MD5:	0a73f48ffa71f2ba878056373570aa08
SHA1:	4d5195efeda4ce5c14096a22613d32afb9958808
SHA256:	f14401a595ad551015bce9e8eeaa8f80f2294f8767b654a5650da0f314de5255
SHA512:	173b99986448480fdfa77880625d43344e0e1034625dfe674d621e669c29881adf76e384a2831902278136f575dcf0e91e22610a7bdbc31721d331dae7d13a87
SSDEEP:	49152:XsO7+DqJsDEiD3PTFRd5CWpk+q4o5q8g73ivJ+hnGkxl52ZeyN5ZY:r7+uKTFw+XAYhnV7IpY
TLSH:	65A5BE22B683C532D12D0276ED19EE5D193DBE73073105EBB7E43EAE48B08C16779A16
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m..............&~......&m......&n.......^..............&q......&.......&{.....Rich............................PE..L.....kI...

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x401f54
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x496BFC80 [Tue Jan 13 02:29:20 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0f7d0ed8477bf9ca9b4b2ce07e02a90e

Entrypoint Preview

Instruction
call 00007F59C909E5D4h
jmp 00007F59C909B90Ch
push ebp
mov ebp, esp
push ecx
push esi
mov esi, dword ptr [ebp+0Ch]
push esi
call 00007F59C909F0D6h
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [esi+0Ch]
test al, 82h
pop ecx
jne 00007F59C909BB09h
call 00007F59C909BE1Eh
mov dword ptr [eax], 00000009h
or dword ptr [esi+0Ch], 20h
or eax, FFFFFFFFh
jmp 00007F59C909BC22h
test al, 40h
je 00007F59C909BAFFh
call 00007F59C909BE03h
mov dword ptr [eax], 00000022h
jmp 00007F59C909BAD5h
push ebx
xor ebx, ebx
test al, 01h
je 00007F59C909BB08h
test al, 10h
mov dword ptr [esi+04h], ebx
je 00007F59C909BB7Bh
mov ecx, dword ptr [esi+08h]
and eax, FFFFFFFEh
mov dword ptr [esi], ecx
mov dword ptr [esi+0Ch], eax
mov eax, dword ptr [esi+0Ch]
and eax, FFFFFFEFh
or eax, 02h
test ax, 0000010Ch
mov dword ptr [esi+0Ch], eax
mov dword ptr [esi+04h], ebx
mov dword ptr [ebp-04h], ebx
jne 00007F59C909BB1Eh
call 00007F59C909EEC8h
add eax, 20h
cmp esi, eax
je 00007F59C909BAFEh
call 00007F59C909EEBCh
add eax, 40h
cmp esi, eax
jne 00007F59C909BAFFh
push dword ptr [ebp+0Ch]
call 00007F59C909EE4Fh
test eax, eax
pop ecx
jne 00007F59C909BAF9h
push esi
call 00007F59C909EE00h
pop ecx
test word ptr [esi+0Ch], 0108h
push edi
je 00007F59C909BB76h
mov eax, dword ptr [esi+08h]
mov edi, dword ptr [esi]
lea ecx, dword ptr [eax+01h]
mov dword ptr [esi], ecx
mov ecx, dword ptr [esi+18h]
sub edi, eax

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[C++] VS2005 build 50727
[ C ] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe5e8	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x215658	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc200	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xde78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa494	0xb000	faa20d416cf66a0e758d51d62d506053	False	0.5961692116477273	data	6.374283196502087	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x2f56	0x3000	191e5dfc6ac85f3b137e574ecc199dee	False	0.3616536458333333	data	5.33958366807718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x2d3c	0x1000	605cb8f363da7eb9d3c143ecb2c1f1c2	False	0.22607421875	data	2.365699420498644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12000	0x215658	0x216000	078c737c6d5707c5f21a79c9f78bd178	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MSI	0x121d4	0x214000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Revision Number: {B90B9E45-791A-4A8D-8B67-CBEA2772C018}, Number of Words: 2, Subject: ...., Author: Microsoft, Name of Creating Application: ...., Template: x64;2052, Comments: Installer .... , Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 1 15:22:46 2024, Number of Pages: 200	English	United States	0.4290170669555664
RT_ICON	0x2261d4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x2264bc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x2265e4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_ICON	0x226e8c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_GROUP_ICON	0x2273f4	0x3e	data	English	United States	0.8225806451612904
RT_MANIFEST	0x227434	0x221	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5486238532110091

Imports

DLL	Import
KERNEL32.dll	GetTempPathW, GetTempFileNameW, FindResourceW, SizeofResource, LoadResource, LockResource, CreateThread, CreateFileW, DeleteFileW, CreateFileA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, ExitProcess, CreateProcessW, GetLastError, WriteFile, FlushFileBuffers, CloseHandle, GetProcAddress, GetModuleHandleA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetStdHandle, GetModuleFileNameA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSection, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, HeapSize, RtlUnwind, GetLocaleInfoA, VirtualAlloc, HeapReAlloc, SetStdHandle, RaiseException
USER32.dll	DefWindowProcW, PostQuitMessage, EndPaint, BeginPaint, UpdateWindow, ShowWindow, CreateWindowExW, GetSystemMetrics, RegisterClassExW, GetSysColorBrush, LoadCursorW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, MessageBoxW, InvalidateRect
GDI32.dll	TextOutW, SetBkMode, SelectObject, GetStockObject, DeleteObject

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2024 09:13:56.747600079 CET	49704	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:13:57.756623030 CET	49704	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:13:59.756589890 CET	49704	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:03.756783962 CET	49704	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:11.772200108 CET	49704	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:17.820127010 CET	49713	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:18.834738970 CET	49713	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:20.834713936 CET	49713	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:24.834780931 CET	49713	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:32.834665060 CET	49713	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:38.945117950 CET	49714	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:39.959696054 CET	49714	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:41.959726095 CET	49714	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:45.959714890 CET	49714	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:14:53.959708929 CET	49714	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:00.070002079 CET	49716	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:01.084683895 CET	49716	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:03.084549904 CET	49716	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:07.084580898 CET	49716	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:15.084676981 CET	49716	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:21.194623947 CET	49718	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:22.209537983 CET	49718	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:24.209651947 CET	49718	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:28.209697008 CET	49718	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:36.209542036 CET	49718	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:42.319765091 CET	49719	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:43.334656000 CET	49719	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:45.334425926 CET	49719	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:49.334603071 CET	49719	49780	192.168.2.5	154.39.251.117
Feb 1, 2024 09:15:57.334386110 CET	49719	49780	192.168.2.5	154.39.251.117

Target ID:	0
Start time:	09:13:53
Start date:	01/02/2024
Path:	C:\Users\user\Desktop\EhSODySB7R.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\EhSODySB7R.exe
Imagebase:	0x400000
File size:	2'252'800 bytes
MD5 hash:	0A73F48FFA71F2BA878056373570AA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:13:53
Start date:	01/02/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI99F2.tmp
Imagebase:	0x230000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:13:53
Start date:	01/02/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff78d2a0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:13:54
Start date:	01/02/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 96302FF1609113E413E3406A4F20EA8E
Imagebase:	0x230000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:13:55
Start date:	01/02/2024
Path:	C:\Windows\Installer\MSIA311.tmp
Wow64 process (32bit):	true
Commandline:	C:\Windows\Installer\MSIA311.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\IOPL\gxonecli.exe
Imagebase:	0x6a0000
File size:	429'568 bytes
MD5 hash:	1458A72D86B87E1329CFC549B98D1E4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:13:55
Start date:	01/02/2024
Path:	C:\Program Files (x86)\IOPL\gxonecli.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IOPL\gxonecli.exe"
Imagebase:	0x730000
File size:	776'440 bytes
MD5 hash:	206A390B01B76BA387EA40C4A72622CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000006.00000002.3225077296.0000000002FEB000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000006.00000002.3224081616.0000000000AD9000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000006.00000002.3224774705.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 3%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	09:13:57
Start date:	01/02/2024
Path:	C:\Program Files (x86)\IOPL\gxonecli.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\IOPL\gxonecli.exe
Imagebase:	0x730000
File size:	776'440 bytes
MD5 hash:	206A390B01B76BA387EA40C4A72622CC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.4%
Total number of Nodes:	1888
Total number of Limit Nodes:	25

Executed Functions

Function 0040134E Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 192
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 00401370
_memset.LIBCMT ref: 00401395
_memset.LIBCMT ref: 004013AA
GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,00000088), ref: 004013C6
GetTempFileNameW.KERNELBASE(?,MSI,00000000,?,?,?,?,?,?,00000088), ref: 004013F1
__CxxThrowException@8.LIBCMT ref: 0040140B
FindResourceW.KERNEL32(?,DATA,MSI,?,?,?,?,?,00000088), ref: 00401417
SizeofResource.KERNEL32(?,00000000,?,?,?,?,?,00000088), ref: 00401438
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,00000088), ref: 00401459
LockResource.KERNEL32(00000000,?,?,?,?,?,00000088), ref: 00401475
CreateFileW.KERNELBASE(?,00120116,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,00000088), ref: 004014AD
ShowWindow.USER32(00000005,?,?,?,?,?,00000088), ref: 004014EF
WriteFile.KERNELBASE(000000FF,?,00002000,?,00000000,?,?,?,?,?,00000088), ref: 0040150B
InvalidateRect.USER32(00000000,00000001,?,?,?,?,?,00000088), ref: 00401540
ShowWindow.USER32(00000000,?,?,?,?,?,00000088), ref: 00401551
FindCloseChangeNotification.KERNELBASE(000000FF,?,?,?,?,?,00000088), ref: 00401556
_swprintf.LIBCMT ref: 00401576
_memset.LIBCMT ref: 00401585
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004015C2
ExitProcess.KERNEL32 ref: 004015C9

Strings

DATA, xrefs: 00401411
%s /i %s, xrefs: 00401568
MSI, xrefs: 004013E4, 004013E9, 00401410
msiexec.exe, xrefs: 00401563

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Resource$File_memset$CreateFindProcessShowTempWindow$ChangeCloseException@8ExitH_prolog3_catchInvalidateLoadLockNameNotificationPathRectSizeofThrowWrite_swprintf
String ID: %s /i %s$DATA$MSI$msiexec.exe
API String ID: 3524195846-4018923517
Opcode ID: 6749e29da5631927e082cef264a39af6d613541d54a80a6319aa98c742fdb2b9
Instruction ID: 20377c8c5a59a0e20dd786114ab2e7341586cf19af3ec8ffaaf84ee0be96f013
Opcode Fuzzy Hash: 6749e29da5631927e082cef264a39af6d613541d54a80a6319aa98c742fdb2b9
Instruction Fuzzy Hash: 49618B71900218EBDB20DFE5DD89EEE7AB8BB08704F20453AF505F61E1D7789A05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401053 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401148: _memset.LIBCMT ref: 00401158
Part of subcall function 00401148: LoadCursorW.USER32(00000000,00007F00), ref: 0040118A
Part of subcall function 00401148: GetSysColorBrush.USER32(0000000F), ref: 00401195
Part of subcall function 00401148: RegisterClassExW.USER32(00000030), ref: 004011AF

Part of subcall function 004011B8: KiUserCallbackDispatcher.NTDLL(00000010), ref: 004011C2
Part of subcall function 004011B8: GetSystemMetrics.USER32(00000011), ref: 004011C8
Part of subcall function 004011B8: CreateWindowExW.USER32(00000008,msi2exestub_wnd_class,0040DB1C,80400000,-FFFFFED4,-00000050,0000012C,00000050,00000000,00000000,00401087,00000000), ref: 004011FA

CreateThread.KERNELBASE(00000000,00000000,Function_0000134E,?,00000000,?), ref: 004010A1
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004010AC
TranslateMessage.USER32(?), ref: 004010BE
DispatchMessageW.USER32(?), ref: 004010C8
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 004010D5
GetLastError.KERNEL32 ref: 004010E0
_wcsrchr.LIBCMT ref: 00401108
MessageBoxW.USER32(00000000,?,00000002,00000010), ref: 00401127

Strings

%s (code: 0x%08X), xrefs: 004010EC
Main::CreateThread() failure., xrefs: 004010E7

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Message$CallbackCreateDispatcherUser$BrushChangeClassCloseColorCursorDispatchErrorFindLastLoadMetricsNotificationRegisterSystemThreadTranslateWindow_memset_wcsrchr
String ID: %s (code: 0x%08X)$Main::CreateThread() failure.
API String ID: 1851981397-3924681112
Opcode ID: 049e3ccb6c8dc290916627f97ca683ac69638bb7bcb633166ab5af477786f08e
Instruction ID: 75a78d69b7479f35fcbcbde4da154f35cd85ebbe6c1fc4ca16132148da7ba84c
Opcode Fuzzy Hash: 049e3ccb6c8dc290916627f97ca683ac69638bb7bcb633166ab5af477786f08e
Instruction Fuzzy Hash: F72174716002189BD724EBA5DC89EAF7BBCEF49748F100136F601FB1A1D778A505CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401294 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStockObject.GDI32(00000011), ref: 004012F2
SelectObject.GDI32(00000000,00000000), ref: 00401302
SetBkMode.GDI32(00000000,00000001), ref: 0040130A
TextOutW.GDI32(00000000,00000014,0000001E,?,00000000,?,?), ref: 00401324
SelectObject.GDI32(00000000,?), ref: 0040132E
DeleteObject.GDI32(00000000), ref: 00401331

Strings

Extract File: %d%% completed., xrefs: 004012DC

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Object$Select$DeleteModeStockText
String ID: Extract File: %d%% completed.
API String ID: 4006763339-4045747158
Opcode ID: 92dc52152d32e0d1ab26bf13c14b1b0ea2a3de1fe09ef5487dd13f0131aeac37
Instruction ID: 9a93ae32731b2c3143dd3ec75d958d03ebc0d71db21fdddcd7b42a98f2b5aeee
Opcode Fuzzy Hash: 92dc52152d32e0d1ab26bf13c14b1b0ea2a3de1fe09ef5487dd13f0131aeac37
Instruction Fuzzy Hash: 5011D631600108EFE7249BA5DD89EEE7B69E748308F20453EF505F71D1DAB4A8408B68

Uniqueness

Uniqueness Score: -1.00%

Function 004011B8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000010), ref: 004011C2
GetSystemMetrics.USER32(00000011), ref: 004011C8
CreateWindowExW.USER32(00000008,msi2exestub_wnd_class,0040DB1C,80400000,-FFFFFED4,-00000050,0000012C,00000050,00000000,00000000,00401087,00000000), ref: 004011FA
ShowWindow.USER32(00000000,00000000,?,00401087,?,?), ref: 0040120F
UpdateWindow.USER32 ref: 0040121B

Strings

msi2exestub_wnd_class, xrefs: 004011F3

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Window$CallbackCreateDispatcherMetricsShowSystemUpdateUser
String ID: msi2exestub_wnd_class
API String ID: 3969648196-2601022818
Opcode ID: db02c076b439937e0c775e0810803778dadb1931fdffb0e9f2dc47625363d73f
Instruction ID: ecada5e8bdef915ea8f2e7981d247ba1c1a188f04b7e147b0aa45f142b1714c6
Opcode Fuzzy Hash: db02c076b439937e0c775e0810803778dadb1931fdffb0e9f2dc47625363d73f
Instruction Fuzzy Hash: CDF05932695228B6C6201BF56D0CFCB3E69EB86B60F010735F600F60E1C6F45404CEA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401227 Relevance: 6.0, APIs: 4, Instructions: 42
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00401251
BeginPaint.USER32(?,?), ref: 0040125F
EndPaint.USER32(?,?), ref: 00401271
PostQuitMessage.USER32(?), ref: 0040127D

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Paint$BeginMessagePostProcQuitWindow
String ID:
API String ID: 1092305367-0
Opcode ID: 597c37589dba2acb60f0748054ab0ab44619a96cf5f086050fe93c53279dbac8
Instruction ID: 24c52d57e56dc4afd828dfb1bcd95dd531efafebb2a06c973aa2dd53e7d3d95f
Opcode Fuzzy Hash: 597c37589dba2acb60f0748054ab0ab44619a96cf5f086050fe93c53279dbac8
Instruction Fuzzy Hash: 61011931501508EBCF01EFA8DE89CAF37B8EF09304B50467AF902F61A1D738EA159B59

Uniqueness

Uniqueness Score: -1.00%

Function 004049DE Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00401E4B,00000001), ref: 004049EF
HeapDestroy.KERNEL32 ref: 00404A25

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 82632065dbaa238cdc2c75c8c16dab901d15a17d5efe5241bd0ff9e4f6f429b6
Instruction ID: 4a707c28839996d09bb20b269c2dbeba270cd3db389e7f498d1c99760f2ed9af
Opcode Fuzzy Hash: 82632065dbaa238cdc2c75c8c16dab901d15a17d5efe5241bd0ff9e4f6f429b6
Instruction Fuzzy Hash: 19E01BB56953019BDB109B30DD057673694DB94787F10843AF505E55E1FBB885405E0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004065BA Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 164
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 004065E7
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406603

Part of subcall function 00402355: TlsGetValue.KERNEL32(00000000,004023CA,00000000,004065C8,00000000,00000000,00000314,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 00402362
Part of subcall function 00402355: TlsGetValue.KERNEL32(00000004,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 00402379

GetProcAddress.KERNEL32(00000000,00000000), ref: 00406620

Part of subcall function 00402355: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 0040238E
Part of subcall function 00402355: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004023A9

GetProcAddress.KERNEL32(00000000,00000000), ref: 00406635
__invoke_watson.LIBCMT ref: 00406656

Part of subcall function 0040214A: _memset.LIBCMT ref: 004021D6
Part of subcall function 0040214A: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004021F4
Part of subcall function 0040214A: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004021FE
Part of subcall function 0040214A: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00402208
Part of subcall function 0040214A: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00402223
Part of subcall function 0040214A: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0040222A

Part of subcall function 004023CC: TlsGetValue.KERNEL32(00000000,00402461,?,?,?,?,?,00000088), ref: 004023D9
Part of subcall function 004023CC: TlsGetValue.KERNEL32(00000004,?,?,?,?,?,00000088), ref: 004023F0

Part of subcall function 004023CC: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,?,?,00000088), ref: 00402405
Part of subcall function 004023CC: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00402420

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0040666A
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00406682
__invoke_watson.LIBCMT ref: 004066F5

Strings

GetUserObjectInformationA, xrefs: 00406664
USER32.DLL, xrefs: 004065E2
MessageBoxA, xrefs: 004065FD
GetProcessWindowStation, xrefs: 0040667C

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2940365033-1046234306
Opcode ID: f92e63f97473645d0ee2bbb4634820050cc61aa16b2c6853a90bedad70716cb5
Instruction ID: 903c93859fa46a6f4ea376e20a98d8dd23118c8d58616714cf58463bdc1121ca
Opcode Fuzzy Hash: f92e63f97473645d0ee2bbb4634820050cc61aa16b2c6853a90bedad70716cb5
Instruction Fuzzy Hash: 8641B471900205EADF10AFB59D8596F7BA9AE44348B25093FE40AF32D0DBBC99508B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401A49 Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004037E1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004037F6
UnhandledExceptionFilter.KERNEL32(0040C8AC), ref: 00403801
GetCurrentProcess.KERNEL32(C0000409), ref: 0040381D
TerminateProcess.KERNEL32(00000000), ref: 00403824

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: e1a142f2597a4008e7613153095846bbf84df19b1d486ef0f12ac1990e7fc7c8
Instruction ID: 3151b91aa872a883dad0193dde7ea169f4a89536d61c20abba83bbf876892fdd
Opcode Fuzzy Hash: e1a142f2597a4008e7613153095846bbf84df19b1d486ef0f12ac1990e7fc7c8
Instruction Fuzzy Hash: 0B21CBB4941208EFD740DF68F9846843BA5FB98305F50913AE909A32A0E7B85AD18F5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040421E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000041E1), ref: 00404223

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 531bf9125881a94b0db8439539261c5591d31a2986fbad8a3190194338fd3003
Instruction ID: c9ab3a1dd1adf17f36c40b88a96730a33f5791edfa2a03c35caf01849fe1497e
Opcode Fuzzy Hash: 531bf9125881a94b0db8439539261c5591d31a2986fbad8a3190194338fd3003
Instruction Fuzzy Hash: AE9002B8B61100D6D60017B25D4D60565949B9860275145716205F8495DE7442409569

Uniqueness

Uniqueness Score: -1.00%

Function 004028A5 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 156
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcpy_s.LIBCMT ref: 00402911
__invoke_watson.LIBCMT ref: 00402922
GetModuleFileNameA.KERNEL32(00000000,00410081,00000104,0040259A,00000001,00000214,?,?,?,?,?,00000088), ref: 0040293E
_strcpy_s.LIBCMT ref: 00402953
__invoke_watson.LIBCMT ref: 00402966
_strlen.LIBCMT ref: 0040296F
_strlen.LIBCMT ref: 0040297C
__invoke_watson.LIBCMT ref: 004029A9
_strcat_s.LIBCMT ref: 004029BC
__invoke_watson.LIBCMT ref: 004029CD
_strcat_s.LIBCMT ref: 004029DE
__invoke_watson.LIBCMT ref: 004029EF
GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,76EC5E70,00000003,00402A71,000000FC,00407037,00000001,00000000,00000000,?,004061B6,0040259A,00000001), ref: 00402A0E
_strlen.LIBCMT ref: 00402A2F
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004061B6,0040259A,00000001,00000001,00402B7E,00000018,0040E0A0,0000000C,00402C0D,00000001), ref: 00402A39

Strings

Runtime Error!Program: , xrefs: 00402900
Microsoft Visual C++ Runtime Library, xrefs: 004029FC
<program name unknown>, xrefs: 00402948
..., xrefs: 0040298D

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 1879448924-4022980321
Opcode ID: 409424b9660b85a0269d64acb115b1ad67300d71880ba7c06291fded9d5e2056
Instruction ID: 93a8d7d5ea80ae4c3e828802d8d553a9b5e06a216e86f543143183862d938038
Opcode Fuzzy Hash: 409424b9660b85a0269d64acb115b1ad67300d71880ba7c06291fded9d5e2056
Instruction Fuzzy Hash: 9F3127B3A402007AE52132615E8EF6B364C9B15318F15023BFD0AB52D2EAFD8D5081BD

Uniqueness

Uniqueness Score: -1.00%

Function 00402721 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E5D), ref: 00402727
__mtterm.LIBCMT ref: 00402733

Part of subcall function 00402475: TlsFree.KERNEL32(00000002,004028A0), ref: 004024A0
Part of subcall function 00402475: DeleteCriticalSection.KERNEL32(00000000,00000000,7591DFB0,00000001,004028A0), ref: 00402AE2
Part of subcall function 00402475: DeleteCriticalSection.KERNEL32(00000002,7591DFB0,00000001,004028A0), ref: 00402B0C

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00402749
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00402756
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00402763
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00402770
TlsAlloc.KERNEL32 ref: 004027C0
TlsSetValue.KERNEL32(00000000), ref: 004027DB
__init_pointers.LIBCMT ref: 004027E5
__calloc_crt.LIBCMT ref: 0040285A
GetCurrentThreadId.KERNEL32 ref: 0040288A

Strings

KERNEL32.DLL, xrefs: 00402722
FlsFree, xrefs: 00402765
FlsAlloc, xrefs: 00402743
FlsGetValue, xrefs: 0040274B
FlsSetValue, xrefs: 00402758

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 2125014093-3819984048
Opcode ID: d95bc911496358f0c842fd71132bedc0ea270bbad93ccd9a414d7ca50f619fdd
Instruction ID: d02e941b92a81709c8bf7b88b63dabc1874790f769ac485b758b067b94092550
Opcode Fuzzy Hash: d95bc911496358f0c842fd71132bedc0ea270bbad93ccd9a414d7ca50f619fdd
Instruction Fuzzy Hash: 15311931940311DADB21ABB5BE49B463FA5AB09714B14863BF814B62F1DBFCC480CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 004024B2 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 49
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,0040E058,0000000C,004025C3,00000000,00000000,?,?,?,?,?,00000088), ref: 004024C3
GetProcAddress.KERNEL32(?,EncodePointer), ref: 004024F7
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00402507
InterlockedIncrement.KERNEL32(0040F6F8), ref: 00402529
__lock.LIBCMT ref: 00402531
___addlocaleref.LIBCMT ref: 00402550

Strings

EncodePointer, xrefs: 004024E9
KERNEL32.DLL, xrefs: 004024BE
DecodePointer, xrefs: 004024FF

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: 2274a066ac026ae925fe5652a49c290d3624d1abdb19e6b261c600bba24699d5
Instruction ID: fbdbd79d6d8703cd58bfce1346c9629dc42ac9281775cfae9e4e5af3c7655ebc
Opcode Fuzzy Hash: 2274a066ac026ae925fe5652a49c290d3624d1abdb19e6b261c600bba24699d5
Instruction Fuzzy Hash: EA116070940701DED720AFBA9D49B5ABBF0AF00304F10467FA959B26D0CBB89504DF1C

Uniqueness

Uniqueness Score: -1.00%

Function 00404743 Relevance: 13.7, APIs: 9, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 00404758
__calloc_crt.LIBCMT ref: 0040476B

Part of subcall function 004061E9: __calloc_impl.LIBCMT ref: 004061F7
Part of subcall function 004061E9: Sleep.KERNEL32(00000000,0040259A,00000001,00000214,?,?,?,?,?,00000088), ref: 0040620E

__calloc_crt.LIBCMT ref: 004047EE
GetFileType.KERNEL32(00000038), ref: 0040486E
___crtInitCritSecAndSpinCount.LIBCMT ref: 004048A2
GetStdHandle.KERNEL32(-000000F6), ref: 004048F8
GetFileType.KERNEL32(00000000), ref: 0040490A
___crtInitCritSecAndSpinCount.LIBCMT ref: 00404938
SetHandleCount.KERNEL32 ref: 00404962

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
String ID:
API String ID: 1318386821-0
Opcode ID: 549ced214fe30d9228ee0246e29af2e7086a577bc573e2d7a649d7adddc458a1
Instruction ID: d491d6a5f774743e45dc405d5e5e38eec6b60656dbc77cbffaa76a34aa0bb66e
Opcode Fuzzy Hash: 549ced214fe30d9228ee0246e29af2e7086a577bc573e2d7a649d7adddc458a1
Instruction Fuzzy Hash: 676149B59043818FC7209B38C844B567BE0AF96334F258B7BD665BB2E1D738D405CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004058A6 Relevance: 10.7, APIs: 7, Instructions: 158
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getSystemCP.LIBCMT ref: 004058BF

Part of subcall function 0040582C: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00405839
Part of subcall function 0040582C: GetOEMCP.KERNEL32(00000000), ref: 00405853

setSBCS.LIBCMT ref: 004058D1

Part of subcall function 004055A9: _memset.LIBCMT ref: 004055BC

IsValidCodePage.KERNEL32(-00000030), ref: 00405917
GetCPInfo.KERNEL32(00000000,?), ref: 0040592A
_memset.LIBCMT ref: 00405942
setSBUpLow.LIBCMT ref: 00405A15

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 2658552758-0
Opcode ID: fcad07914a744a3ed406cd8353dc3742bbee728f8a7734bc3712e5eef50fd376
Instruction ID: e73e6ba14706cba1d3f0db2a5a95ade0cfbff73fe22f9ed9fb17c5f14122fbf6
Opcode Fuzzy Hash: fcad07914a744a3ed406cd8353dc3742bbee728f8a7734bc3712e5eef50fd376
Instruction Fuzzy Hash: F351D471A006549BDF259F65C8806BBBBB5EF44314F14817BE886BF2C2D63C8946CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00402355 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(00000000,004023CA,00000000,004065C8,00000000,00000000,00000314,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 00402362
TlsGetValue.KERNEL32(00000004,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 00402379
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00410068,00402A07,00410068,Microsoft Visual C++ Runtime Library,00012010), ref: 0040238E
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004023A9

Strings

EncodePointer, xrefs: 004023A3
KERNEL32.DLL, xrefs: 00402389

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 2a42737889a403e7d8afdae4d2f3ffc8d2942cebba98d6740baa3c3f948ea94e
Instruction ID: 54e1165a2b9932306059abba70c4f1523072c5380ccb0acef97fefcbe4b4d81e
Opcode Fuzzy Hash: 2a42737889a403e7d8afdae4d2f3ffc8d2942cebba98d6740baa3c3f948ea94e
Instruction Fuzzy Hash: 1AF01D30944213DBC7225BB5EE48A6B3AA49F417507144376ED18F6AF4DBBCCC41CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 004023CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(00000000,00402461,?,?,?,?,?,00000088), ref: 004023D9
TlsGetValue.KERNEL32(00000004,?,?,?,?,?,00000088), ref: 004023F0
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,?,?,00000088), ref: 00402405
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00402420

Strings

KERNEL32.DLL, xrefs: 00402400
DecodePointer, xrefs: 0040241A

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: cafb124f787224b482a95b2ac3b4a91c0234f5a1e4f0cc787b7d164dfc720926
Instruction ID: c78dc7a9585208a99074aea40c6bc01db638a5f6f1ffce41ee587fa2e8510638
Opcode Fuzzy Hash: cafb124f787224b482a95b2ac3b4a91c0234f5a1e4f0cc787b7d164dfc720926
Instruction Fuzzy Hash: 1EF09030905213DBC6255BB5EF88A6B3AA4AF013547148376F808F66F5CB78CC41CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401148 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00401158
LoadCursorW.USER32(00000000,00007F00), ref: 0040118A
GetSysColorBrush.USER32(0000000F), ref: 00401195
RegisterClassExW.USER32(00000030), ref: 004011AF

Strings

msi2exestub_wnd_class, xrefs: 004011A5

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: BrushClassColorCursorLoadRegister_memset
String ID: msi2exestub_wnd_class
API String ID: 3090054752-2601022818
Opcode ID: 15c0c6d461e849e98c826dcb55625be3356f68835af37811b6949290c6a09e8e
Instruction ID: fa2573e763f026470a0bce276621579e665c34276362e989892a3b4fe65ab429
Opcode Fuzzy Hash: 15c0c6d461e849e98c826dcb55625be3356f68835af37811b6949290c6a09e8e
Instruction Fuzzy Hash: 2D01A8B1C11228EBDB009FE5D949ADEBFB8EB08704F10416AE515B6285D7B45604CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F3D Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

__flsbuf.LIBCMT ref: 0040600B
__flsbuf.LIBCMT ref: 00406038
_wctomb_s.LIBCMT ref: 0040609B
__flsbuf.LIBCMT ref: 004060D0
__flswbuf.LIBCMT ref: 00406105

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: __flsbuf$__flswbuf_wctomb_s
String ID:
API String ID: 3257920507-0
Opcode ID: 35b271bf05e1c390c82434762bfe095323d7c1b244e28f6ba5340548b9bdc927
Instruction ID: 68cba1bc88cab562efc980cc02a5ce7e65c85dcf13bc00e4bc4d9c561325894c
Opcode Fuzzy Hash: 35b271bf05e1c390c82434762bfe095323d7c1b244e28f6ba5340548b9bdc927
Instruction Fuzzy Hash: 1B511A71014921DEC725DB389C418AB7BA9DE02338335067FF0A6AB2D2EA3ED5118E5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040611B Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00406139

Part of subcall function 00402BF4: __mtinitlocknum.LIBCMT ref: 00402C08
Part of subcall function 00402BF4: __amsg_exit.LIBCMT ref: 00402C14
Part of subcall function 00402BF4: EnterCriticalSection.KERNEL32(0040258B,0040258B,?,00408D0B,00000004,0040E328,0000000C,004061FC,00000000,00000000,00000000,00000000,00000000,0040259A,00000001,00000214), ref: 00402C1C

___sbh_find_block.LIBCMT ref: 00406144
___sbh_free_block.LIBCMT ref: 00406153
HeapFree.KERNEL32(00000000,00000001,0040E260,0000000C,00402BD5,00000000,0040E0A0,0000000C,00402C0D,00000001,0040258B,?,00408D0B,00000004,0040E328,0000000C), ref: 00406183
GetLastError.KERNEL32(?,00408D0B,00000004,0040E328,0000000C,004061FC,00000000,00000000,00000000,00000000,00000000,0040259A,00000001,00000214), ref: 00406194

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: ec309f13ac6ed2460b9bc622685fdac9bcbdfdb6d37f39f168fb5652b14ded11
Instruction ID: 2a96ef66e3485db1b055fe51310aebddc08bfb44f5d3ca0f1bd79134f6b4c0cc
Opcode Fuzzy Hash: ec309f13ac6ed2460b9bc622685fdac9bcbdfdb6d37f39f168fb5652b14ded11
Instruction Fuzzy Hash: D5018F31945202EAEF206FB29D0AB4E3774AF00769F11423FF505BA2C2CA7C95519A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 00409AD4
__freebuf.LIBCMT ref: 00409ADC
__close.LIBCMT ref: 00409AE8

Strings

@@, xrefs: 00409AA3, 00409AD3, 00409AD9, 00409AE1

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: __close__flush__freebuf
String ID: @@
API String ID: 3722736141-3711295321
Opcode ID: 23ae5e9cf7fc43eeab9271814124b7a6b129034591e83fac89ec1055d0c476e0
Instruction ID: e72f35c0867d74827d445a4e8d748ddb64675d5490647373c0be49720c881198
Opcode Fuzzy Hash: 23ae5e9cf7fc43eeab9271814124b7a6b129034591e83fac89ec1055d0c476e0
Instruction Fuzzy Hash: ADF0C871A04B006ED6207ABB5C8581BB6EC6ED63387144B3FF565F21D3E67C9C018A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004015E3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004015E3
_wcsrchr.LIBCMT ref: 0040160C
MessageBoxW.USER32(00000000,?,00000002,00000010), ref: 00401630

Strings

%s (code: 0x%08X), xrefs: 004015F2

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: ErrorLastMessage_wcsrchr
String ID: %s (code: 0x%08X)
API String ID: 590718613-1129430558
Opcode ID: 42228ad29eb8e18bd028f04732ce89d2b1ca83b379ec9be87060514659ffc1e2
Instruction ID: 113e6492fe2261a857a4a11bc05034624d92531af5e25fa10a6206bb5dd77c16
Opcode Fuzzy Hash: 42228ad29eb8e18bd028f04732ce89d2b1ca83b379ec9be87060514659ffc1e2
Instruction Fuzzy Hash: F4F01CB5A00208AFE721DB54DC45BEA3768FB08704F044832F941FB2A1C2B9A9818A9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040632B Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040635B
__isleadbyte_l.LIBCMT ref: 0040638F
MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,?,00000000,?,?,?), ref: 004063C0
MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,?,00000000,?,?,?), ref: 0040642E

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3d6466147ee63cab85e1936a5fef035c853123870c94230fcfdac984927a4de7
Instruction ID: 7491b92a4c32cea02cca1e18898105e8535631cd0ddae29ab752054e9d357e5d
Opcode Fuzzy Hash: 3d6466147ee63cab85e1936a5fef035c853123870c94230fcfdac984927a4de7
Instruction Fuzzy Hash: 7131E230500245EFDB20DFA4C880AAE7BB5FF01310F1A817AE866AB2D1D734DD60DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405788 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004025E8: __amsg_exit.LIBCMT ref: 004025F6

__amsg_exit.LIBCMT ref: 004057B4
__lock.LIBCMT ref: 004057C4
InterlockedDecrement.KERNEL32(?), ref: 004057E1
InterlockedIncrement.KERNEL32(02482BF8), ref: 0040580C

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__lock
String ID:
API String ID: 4129207761-0
Opcode ID: 92750075eb3ef2bf1ee2714700a2e6cd28c9732acaf63113e8133cc47fa9dec7
Instruction ID: 4349d519936afe56ffc5c276bbf6f90d14a5f85baeece521cae09b1fc0886954
Opcode Fuzzy Hash: 92750075eb3ef2bf1ee2714700a2e6cd28c9732acaf63113e8133cc47fa9dec7
Instruction Fuzzy Hash: 67017936901A12DBD620BBA6994A74B77B0BB04714F04413BE805B76D1CB3CA841EF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402571 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,004022AA,00401B88,00000000,00000000,?,004016E4,?,?,?,00000000,00000208,0040157B,?,00000208), ref: 00402573

Part of subcall function 00402443: TlsGetValue.KERNEL32(00000000,00402586,?,?,?,?,?,00000088), ref: 0040244A
Part of subcall function 00402443: TlsSetValue.KERNEL32(00000000,?,?,?,?,00000088), ref: 0040246B

__calloc_crt.LIBCMT ref: 00402595

Part of subcall function 004061E9: __calloc_impl.LIBCMT ref: 004061F7
Part of subcall function 004061E9: Sleep.KERNEL32(00000000,0040259A,00000001,00000214,?,?,?,?,?,00000088), ref: 0040620E

Part of subcall function 004023CC: TlsGetValue.KERNEL32(00000000,00402461,?,?,?,?,?,00000088), ref: 004023D9
Part of subcall function 004023CC: TlsGetValue.KERNEL32(00000004,?,?,?,?,?,00000088), ref: 004023F0

Part of subcall function 004024B2: GetModuleHandleA.KERNEL32(KERNEL32.DLL,0040E058,0000000C,004025C3,00000000,00000000,?,?,?,?,?,00000088), ref: 004024C3
Part of subcall function 004024B2: GetProcAddress.KERNEL32(?,EncodePointer), ref: 004024F7
Part of subcall function 004024B2: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00402507
Part of subcall function 004024B2: InterlockedIncrement.KERNEL32(0040F6F8), ref: 00402529
Part of subcall function 004024B2: __lock.LIBCMT ref: 00402531
Part of subcall function 004024B2: ___addlocaleref.LIBCMT ref: 00402550

GetCurrentThreadId.KERNEL32 ref: 004025C5
SetLastError.KERNEL32(00000000,?,?,?,?,?,00000088), ref: 004025DD

Memory Dump Source

Source File: 00000000.00000002.1981790193.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1981768078.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981811999.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981830123.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981851260.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EhSODySB7R.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
String ID:
API String ID: 1081334783-0
Opcode ID: 4b477ac62d0d8da954439966bd98dbafc4556b3d36004d3aa4a932d628616111
Instruction ID: c34bda9c1bb9a39f5e0c4412eb6bf616bca4bee9ab0c0707fc9fbb88643eb821
Opcode Fuzzy Hash: 4b477ac62d0d8da954439966bd98dbafc4556b3d36004d3aa4a932d628616111
Instruction Fuzzy Hash: CDF02832104622EAC2313BB57E0E64B3E518F00771710023FF504BA5E2CEB8C981CA9D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSIA311.tmpPID: 1716, Parent PID: 360COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.8%
Total number of Nodes:	338
Total number of Limit Nodes:	8

Executed Functions

Function 006A75D0 Relevance: 45.9, APIs: 18, Strings: 8, Instructions: 391
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 006A778F
GetForegroundWindow.USER32(?,?), ref: 006A7814
ShellExecuteExW.SHELL32(?), ref: 006A7831
ShellExecuteExW.SHELL32(?), ref: 006A786F
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 006A78B2
GetProcAddress.KERNEL32(00000000), ref: 006A78B9
GetProcessId.KERNELBASE(?,?,?,?), ref: 006A78C0
AllowSetForegroundWindow.USER32(00000000), ref: 006A78C3
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 006A78E3
GetProcAddress.KERNEL32(00000000), ref: 006A78EA
GetProcessId.KERNELBASE(?,?,?,?), ref: 006A78F5
Sleep.KERNELBASE(00000064,?,?,?), ref: 006A7907
EnumWindows.USER32(006A7A10,?), ref: 006A7923
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00004003,?,?,?), ref: 006A7941
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 006A795E
GetExitCodeProcess.KERNEL32(?,?), ref: 006A796B
GetWindowThreadProcessId.USER32(?,?), ref: 006A7A1C
GetWindowLongW.USER32(?,000000F0), ref: 006A7A34

Strings

GetProcessId, xrefs: 006A78A8, 006A78D9
.cmd, xrefs: 006A7750
/C ""%s" %s", xrefs: 006A77B4
.bat, xrefs: 006A771A
open, xrefs: 006A77C8
Kernel32.dll, xrefs: 006A78AD, 006A78DE
%s\System32\cmd.exe, xrefs: 006A779C
runas, xrefs: 006A77E4

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Window$Process$AddressExecuteForegroundHandleModuleProcShellWindows$AllowCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 1995445601-986041216
Opcode ID: 5ca0279dcb3e109874a9126b4c545fe3bd9a19563a2d7c75b27eef4c39728a76
Instruction ID: b0e12c4dcf5f4df0ed35a0eda0281d4b047de856ad94bc603ba80d799c630a4a
Opcode Fuzzy Hash: 5ca0279dcb3e109874a9126b4c545fe3bd9a19563a2d7c75b27eef4c39728a76
Instruction Fuzzy Hash: 5BE18C71A042499FDB10EFA8CC88AEEB7B6EF16310F148169E515EB391DB319E41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 006A5F10 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,210DFF48), ref: 006A5F20
OpenProcessToken.ADVAPI32(00000000), ref: 006A5F27
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 006A5F5C
CloseHandle.KERNEL32(?), ref: 006A5F72

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 7efb6a825da607aee972333e7b87e4794ea711dcff96ce650ac4209033de4171
Instruction ID: 0f7c6dbd6049ebf0c4e2a27666d8d1286afb22a5b693edf159009779c22d79b2
Opcode Fuzzy Hash: 7efb6a825da607aee972333e7b87e4794ea711dcff96ce650ac4209033de4171
Instruction Fuzzy Hash: D5F06274144341AFE710DF10EC45B9AB7E9BB84700F408829F980C62A1D379C61CDE63

Uniqueness

Uniqueness Score: -1.00%

Function 006B19C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(210DFF48,?,0000FFFF), ref: 006B19ED

Part of subcall function 006A4E50: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 006A4E6D

ExitProcess.KERNEL32 ref: 006B1BC7

Part of subcall function 006A8710: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006A878D

Strings

Full command line:, xrefs: 006B1A1E

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: c9abccdb3a6eeaf9d5218050636de78062ad1e525a495bf80a67a9fc520477ea
Instruction ID: d3bc22ad949d282b1fe4f007f7f1a7554fa1af19f4ce7f32d3b6fbc327c1a17b
Opcode Fuzzy Hash: c9abccdb3a6eeaf9d5218050636de78062ad1e525a495bf80a67a9fc520477ea
Instruction Fuzzy Hash: DB517B30D101689ECB95FB24CC69BDEB7B6AF52340F4441D8A009672A2EF745F89CF96

Uniqueness

Uniqueness Score: -1.00%

Function 006A7F50 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,006A7F28,210DFF48), ref: 006A7FC4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,006A7F28,210DFF48), ref: 006A7FCE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,006A7F28,210DFF48), ref: 006A802A

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 5856150cc9fbadca23de07d0fb3ca25b8f0a8444383342290d13fa47a3086fd1
Instruction ID: a0cc75475e5be1844fdf57a0160aef1e09dba2e8dfb148259311d08670e3f15f
Opcode Fuzzy Hash: 5856150cc9fbadca23de07d0fb3ca25b8f0a8444383342290d13fa47a3086fd1
Instruction Fuzzy Hash: 69314C71A002159FDB20DF99DC45BAFFBFAFB45714F10452EE415A7280DBB5AD048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 006DDB3B Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,006DC3EA,00000001,00000364,?,00000006,000000FF,?,006CD692,?,?,?), ref: 006DDB7C

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 097c9212b7cd853dfd26305a2df4e46e51528fb065886a38b6c1bb1b23bd9688
Instruction ID: e90194a55051f874d313d3caa5272c6db6aaba524ce5c61fe0fbc8f3ec9fae45
Opcode Fuzzy Hash: 097c9212b7cd853dfd26305a2df4e46e51528fb065886a38b6c1bb1b23bd9688
Instruction Fuzzy Hash: 3AF0E9B1E44665BBDB217B26EC05FAB774F9F50774B168127A8149B380CE20D80182E4

Uniqueness

Uniqueness Score: -1.00%

Function 006A7CB0 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,210DFF48,00000010,00000010,?,?), ref: 006A7CF2

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 946e85d6383a7bce62f6f7b76d4000848d14b962adf8257c48e74064fc0d93b5
Instruction ID: c77943fc85115d888103444faa68f2183fbcdc66fa90749ee350cddb4ea512f1
Opcode Fuzzy Hash: 946e85d6383a7bce62f6f7b76d4000848d14b962adf8257c48e74064fc0d93b5
Instruction Fuzzy Hash: FCF06D71A44688EFCB10DF69DD44B9ABBF8EB06724F10826AE825D7790D73599048A90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 006A6E50 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 519comCOMMON

Download Yara Rule

APIs

Part of subcall function 006A5F10: GetCurrentProcess.KERNEL32(00000008,?,210DFF48), ref: 006A5F20
Part of subcall function 006A5F10: OpenProcessToken.ADVAPI32(00000000), ref: 006A5F27

CoInitialize.OLE32(00000000), ref: 006A6EC5
CoCreateInstance.OLE32(006EF310,00000000,00000004,006FD320,00000000,?), ref: 006A6EF5
CoUninitialize.OLE32 ref: 006A7465
_com_issue_error.COMSUPP ref: 006A7493

Part of subcall function 006A1910: LocalFree.KERNEL32(?,210DFF48,?,00000000,006EA6C0,000000FF,?,?,00703340,?,006A1E34,80004005), ref: 006A195C

Strings

$, xrefs: 006A73C3

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
String ID: $
API String ID: 2507920217-3993045852
Opcode ID: 942690b0095e2b9be08e0acf17a4bcfb219b698842d54413982ac1019c183293
Instruction ID: 5a13041a260e290e32509fc4eeb5c6c8422b01aac8173f9901a8bc1a9339d773
Opcode Fuzzy Hash: 942690b0095e2b9be08e0acf17a4bcfb219b698842d54413982ac1019c183293
Instruction Fuzzy Hash: 44229D70A08388DFEF11DBA8CD48BAEBBB6AF46304F148199E405EB281D7759E45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 006AD000 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 472COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006AD1A0
LocalFree.KERNEL32(00000000), ref: 006AD1F7
_swprintf.LIBCMT ref: 006AD3E0
LocalFree.KERNEL32(00000000), ref: 006AD437
_swprintf.LIBCMT ref: 006AD532

Strings

+, xrefs: 006AD4A6
%, xrefs: 006AD4B9

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID: %$+
API String ID: 2429749586-2626897407
Opcode ID: 222c7a2401b7e6c004d9200b6cd92756b6edda5b4800d306b0f15fc3f8f0a0af
Instruction ID: bac7c4d52605a085610678f43695a581fe6ce291451a26cc4f598f342857c458
Opcode Fuzzy Hash: 222c7a2401b7e6c004d9200b6cd92756b6edda5b4800d306b0f15fc3f8f0a0af
Instruction Fuzzy Hash: 9D02AD71D002199FDB15EFA8D850BEEBBB6FF4A300F144229F812AB281D735AD41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 006B0E30 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 455registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 006B1264
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,007077C0,00000800), ref: 006B1281

Strings

/HideWindow, xrefs: 006B1015, 006B101F, 006B104C, 006B105C, 006B107B
/DontWait , xrefs: 006B0ED7, 006B0EE0, 006B0F0C, 006B0F2E
/RunAsAdmin , xrefs: 006B0F6E, 006B0F79, 006B0FA3, 006B0FB3, 006B0FD2
/EnforcedRunAsAdmin , xrefs: 006B0E50, 006B0E5A, 006B0E83, 006B0EA1

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
API String ID: 4153817207-1914306501
Opcode ID: 2160fcc4a381f7b8458b3902fa47fd58cac78d55fefb2a62dfad43948c50f9ce
Instruction ID: b5542ea1d9bcd5fe2696f28a6ae82ff1dc6b59163ccf3df1a647843e5b97961c
Opcode Fuzzy Hash: 2160fcc4a381f7b8458b3902fa47fd58cac78d55fefb2a62dfad43948c50f9ce
Instruction Fuzzy Hash: E5E102A4A042569ADB34AF18C8602F7B7E3FF96780F998469D8458F351E771DDC2C390

Uniqueness

Uniqueness Score: -1.00%

Function 006A6150 Relevance: 10.7, APIs: 7, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006A61C2
CloseHandle.KERNEL32(00000000), ref: 006A6205
Process32FirstW.KERNEL32(00000000,0000022C), ref: 006A6261
OpenProcess.KERNEL32(00000410,00000000,?), ref: 006A627D
CloseHandle.KERNEL32(00000000), ref: 006A63C5
Process32NextW.KERNEL32(?,0000022C), ref: 006A63E3
CloseHandle.KERNEL32(00000000), ref: 006A640E

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: ea0b3e9b91e931b8db547ecb77eec40a75ded2d7e171ebcdab941c2184e71908
Instruction ID: 2e3d09efba5d05679a40b491101285e0f9399baca9da6b5ee6c9d6c0b69cb0c1
Opcode Fuzzy Hash: ea0b3e9b91e931b8db547ecb77eec40a75ded2d7e171ebcdab941c2184e71908
Instruction Fuzzy Hash: B1A17B70901269DBDB20EF64CC48BEEBBB6EF45314F1482D9E419A7281D7B56E84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006E4FB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,006E52CE,00000002,00000000,?,?,?,006E52CE,?,00000000), ref: 006E5049
GetLocaleInfoW.KERNEL32(?,20001004,006E52CE,00000002,00000000,?,?,?,006E52CE,?,00000000), ref: 006E5072
GetACP.KERNEL32(?,?,006E52CE,?,00000000), ref: 006E5087

Strings

OCP, xrefs: 006E5004
ACP, xrefs: 006E4FCE

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ea719a92188552b30832444850d06e0b8440ba9d304c879253f2efdc2843efbe
Instruction ID: 5fcc9e0392f74cd6ea2eb89217d046807a4c4eefea23cf5d2926fc72c63ad5cc
Opcode Fuzzy Hash: ea719a92188552b30832444850d06e0b8440ba9d304c879253f2efdc2843efbe
Instruction Fuzzy Hash: 21216222602784ABDB348F26C905AD777A7AB54F68B564524F90BDB311FB32DD41C390

Uniqueness

Uniqueness Score: -1.00%

Function 006E5185 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006DC24C: GetLastError.KERNEL32(?,00000008,006E17CC), ref: 006DC250
Part of subcall function 006DC24C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 006DC2F2

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 006E5291
IsValidCodePage.KERNEL32(00000000), ref: 006E52DA
IsValidLocale.KERNEL32(?,00000001), ref: 006E52E9
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006E5331
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006E5350

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 9e69b2ff33fb9b57d35e0571d1ecf3dc2cb5e5a782134e01257811b5fc3a4502
Instruction ID: 10dff9b83a0600314c198715484cf5798604cee3dea3cf94d1d6466bf9b078a6
Opcode Fuzzy Hash: 9e69b2ff33fb9b57d35e0571d1ecf3dc2cb5e5a782134e01257811b5fc3a4502
Instruction Fuzzy Hash: 00518171A01749AFDF50DFA6DC41BFF73BAAF09704F144429A602EB290EB709A008B61

Uniqueness

Uniqueness Score: -1.00%

Function 006E4821 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006DC24C: GetLastError.KERNEL32(?,00000008,006E17CC), ref: 006DC250
Part of subcall function 006DC24C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 006DC2F2

GetACP.KERNEL32(?,?,?,?,?,?,006DAD5B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 006E48E2
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,006DAD5B,?,?,?,00000055,?,-00000050,?,?), ref: 006E490D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 006E4A70

Strings

utf8, xrefs: 006E49DF

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 6edf56ede1e9140460b7f6fd5a67241e30316b2e49c7b0b8c464449df8986b0b
Instruction ID: d37cdf811609e8434037bd0d856e6b8f9be408b9917400194fce1899145104ce
Opcode Fuzzy Hash: 6edf56ede1e9140460b7f6fd5a67241e30316b2e49c7b0b8c464449df8986b0b
Instruction Fuzzy Hash: B171E471A42386AADB24AB7ACC46BF773AAEF45710F10403EF505DB281FE70E9418758

Uniqueness

Uniqueness Score: -1.00%

Function 006DC746 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006DC7D3

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 90cca31b8b8871953aca1477b156b1578240a8b7fa0e55708987db146009c23a
Instruction ID: f60f1a6b7529beb9a88662cc39796c5876c8c0d144b9f9dcbd17a813ced78643
Opcode Fuzzy Hash: 90cca31b8b8871953aca1477b156b1578240a8b7fa0e55708987db146009c23a
Instruction Fuzzy Hash: 5EB13972D0564E9FDB15CF68C891BFEBBA6EF59320F15816BE405AB341D2349D02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 006C97CD Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C97D9
IsDebuggerPresent.KERNEL32 ref: 006C98A5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006C98C5
UnhandledExceptionFilter.KERNEL32(?), ref: 006C98CF

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4c380f5c1f5f3bc39978bc69931e53573048230c796520769499d5d14d467457
Instruction ID: f1dde28d31efef787b63c8c0ed3aedc1a87ae702adb63c07bafe746d3c207355
Opcode Fuzzy Hash: 4c380f5c1f5f3bc39978bc69931e53573048230c796520769499d5d14d467457
Instruction Fuzzy Hash: 78310675D0521CDBDB10DFA4D989BCCBBB9AF08304F1040AEE40CAB250EB719A848F55

Uniqueness

Uniqueness Score: -1.00%

Function 006B2101 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,006A3220,?), ref: 006B2116
FormatMessageA.KERNEL32(00001300,00000000,210DFF48,00000000,00000000,00000000,00000000,?,?,?,006A3220,?), ref: 006B2138

Strings

!x-sys-default-locale, xrefs: 006B2111

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 1e92664fb4151bb05206bbe0bab059ff8a5173eb4a19231a3ea81b76597030b4
Instruction ID: 634c7caa5c734906fe1a86e40fdb5b6d96cb1ffb36d5c2195cbd47806f4a2c5b
Opcode Fuzzy Hash: 1e92664fb4151bb05206bbe0bab059ff8a5173eb4a19231a3ea81b76597030b4
Instruction Fuzzy Hash: 4AE030B6150208FFFB149BA0CC4BDFA7A6DEB04751F004114B901D6140D5B16E408B60

Uniqueness

Uniqueness Score: -1.00%

Function 006DE59F Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,006DE9E4,00000000,00000000,00000000), ref: 006DE8A3

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: c1774ea2b9eaee820d16f295ee6f85c503294fe944c752ea7bb0b0aaf6be9879
Instruction ID: df5963d92cf9e2ed3e0224f5532a358cde029043d69a4a1d569777f4f9182344
Opcode Fuzzy Hash: c1774ea2b9eaee820d16f295ee6f85c503294fe944c752ea7bb0b0aaf6be9879
Instruction Fuzzy Hash: F0C1F472D00125EADB64BBA4DC02ABE77AAEF14750F54416BF901EF391E7329E01C794

Uniqueness

Uniqueness Score: -1.00%

Function 006E19F9 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64580efd57d3558214e281ba7851369d6f95ca40f50936d685cd509f6c52d09
Instruction ID: 58d28b6b9b4daa1457728ced7a6bcdbf1d78ef052bacb5e806338f35bc5d769a
Opcode Fuzzy Hash: d64580efd57d3558214e281ba7851369d6f95ca40f50936d685cd509f6c52d09
Instruction Fuzzy Hash: 1531F776901359AFCB20DFBDCC85DFB776EEB85310F144269F8159B240EA30AD409B54

Uniqueness

Uniqueness Score: -1.00%

Function 006E17F8 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: 46c03048fcad22f6f324859734e74dc6b2e0346297dbf8d20e202c19a356745c
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: 36E08C32912368EBCB25DBCDC90498AF3EDFB45B00B1104AAF501D7200C270DE00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 006D984F Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dda80f92e8400fcc772db5e13d420266169146e784e576c0d4a49e31e5b18b9
Instruction ID: 09c8d4e3d447f7f98f6591a04b7a21ba65d85b9844fa82873b20a7c346bd7ef2
Opcode Fuzzy Hash: 3dda80f92e8400fcc772db5e13d420266169146e784e576c0d4a49e31e5b18b9
Instruction Fuzzy Hash: 92C08C34811B4046CF398A1182713E9339AA393F82F90088DC4120F743C62E9C82F660

Uniqueness

Uniqueness Score: -1.00%

Function 006A8710 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 349filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006A878D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 006A87E0
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A87EF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 006A880B
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A88EB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A88F7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A8933
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A8952
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A896F
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A8A03
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 006A8A4E
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 006A8A9C
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A8ACB

Strings

URL Shortcut content:, xrefs: 006A8989
[InternetShortcut]URL=, xrefs: 006A881F
open, xrefs: 006A8A47, 006A8A63
-_.~!*'();:@&=+$,/?#[], xrefs: 006A8867, 006A887E

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: c5eae6ce68ecfb17627dae1b23d531380269f7c3db46905075fedf5859518bea
Instruction ID: 7e138a8ff471cdd8a7c5bfaff9cf34230ae610b67eb28f958815effd5447d544
Opcode Fuzzy Hash: c5eae6ce68ecfb17627dae1b23d531380269f7c3db46905075fedf5859518bea
Instruction Fuzzy Hash: DDC1E3719002499FEB20AF68CC85BFFBBA6EF56700F144129E6059B2C2DB758D05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006C8B75 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00706AF8,00000FA0,?,?,006C8B53), ref: 006C8B81
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,006C8B53), ref: 006C8B8C
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,006C8B53), ref: 006C8B9D
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006C8BAF
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006C8BBD
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,006C8B53), ref: 006C8BE0
DeleteCriticalSection.KERNEL32(00706AF8,00000007,?,?,006C8B53), ref: 006C8BFC
CloseHandle.KERNEL32(00000000,?,?,006C8B53), ref: 006C8C0C

Strings

SleepConditionVariableCS, xrefs: 006C8BA9
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006C8B87
WakeAllConditionVariable, xrefs: 006C8BB5
kernel32.dll, xrefs: 006C8B98

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: acafaf31128fb003d931442c68802ae76f7b6d3ddaafb34d9abf39eaeb50ad28
Instruction ID: 5ea93fffb760d0ea05297a55f41260a71b013ca14a8944b9dc65488a73e71667
Opcode Fuzzy Hash: acafaf31128fb003d931442c68802ae76f7b6d3ddaafb34d9abf39eaeb50ad28
Instruction Fuzzy Hash: 570192F5B41311EFD7202BA4AD5CEB636ABEB41B01701812AB900EB291DEB48C008661

Uniqueness

Uniqueness Score: -1.00%

Function 006C6254 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 277COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C625B
collate.LIBCPMT ref: 006C6267

Part of subcall function 006C4F3F: __EH_prolog3_GS.LIBCMT ref: 006C4F46
Part of subcall function 006C4F3F: __Getcoll.LIBCPMT ref: 006C4FAA

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

__Getcoll.LIBCPMT ref: 006C62AA

Part of subcall function 006C4DA3: __EH_prolog3.LIBCMT ref: 006C4DAA
Part of subcall function 006C4DA3: std::_Lockit::_Lockit.LIBCPMT ref: 006C4DB4
Part of subcall function 006C4DA3: std::_Lockit::~_Lockit.LIBCPMT ref: 006C4E25

Part of subcall function 006B454B: __EH_prolog3.LIBCMT ref: 006B4552
Part of subcall function 006B454B: std::_Lockit::_Lockit.LIBCPMT ref: 006B455C
Part of subcall function 006B454B: std::_Lockit::~_Lockit.LIBCPMT ref: 006B4603

numpunct.LIBCPMT ref: 006C64DA

Part of subcall function 006A8440: LocalAlloc.KERNEL32(00000040,00000000,006C97AD,00000000,210DFF48,?,00000000,?,00000000,?,006EE009,000000FF,?,006A17D5,00000000,006EF3BA), ref: 006A8446

Strings

hjp, xrefs: 006C62E3
djp, xrefs: 006C627F
tjp, xrefs: 006C63C1
xjp, xrefs: 006C642D
|jp, xrefs: 006C64AE
pjp, xrefs: 006C637E
ljp, xrefs: 006C6339

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
String ID: djp$hjp$ljp$pjp$tjp$xjp$|jp
API String ID: 2732324234-329404585
Opcode ID: d6b734d54fb38883db5887b2e1ece4ce17d1c98feff64c0c21ec9b035eb32fd1
Instruction ID: e298d5bdc04b05e6dd2ab9ad4c2ee1bc3e8c86e0999847fa160b3f6d96f1ee88
Opcode Fuzzy Hash: d6b734d54fb38883db5887b2e1ece4ce17d1c98feff64c0c21ec9b035eb32fd1
Instruction Fuzzy Hash: 1591C3B1D01615ABDBA5AF64C805FBF7AE7EF81360F10851DF849A7282DE348D1087A9

Uniqueness

Uniqueness Score: -1.00%

Function 006BE43E Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006BE445
ctype.LIBCPMT ref: 006BE48C

Part of subcall function 006BDF8B: __Getctype.LIBCPMT ref: 006BDF9A

Part of subcall function 006B7D7D: __EH_prolog3.LIBCMT ref: 006B7D84
Part of subcall function 006B7D7D: std::_Lockit::_Lockit.LIBCPMT ref: 006B7D8E
Part of subcall function 006B7D7D: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7DFF

Part of subcall function 006B7EA7: __EH_prolog3.LIBCMT ref: 006B7EAE
Part of subcall function 006B7EA7: std::_Lockit::_Lockit.LIBCPMT ref: 006B7EB8
Part of subcall function 006B7EA7: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7F29

Part of subcall function 006B8066: __EH_prolog3.LIBCMT ref: 006B806D
Part of subcall function 006B8066: std::_Lockit::_Lockit.LIBCPMT ref: 006B8077
Part of subcall function 006B8066: std::_Lockit::~_Lockit.LIBCPMT ref: 006B80E8

Part of subcall function 006B7FD1: __EH_prolog3.LIBCMT ref: 006B7FD8
Part of subcall function 006B7FD1: std::_Lockit::_Lockit.LIBCPMT ref: 006B7FE2
Part of subcall function 006B7FD1: std::_Lockit::~_Lockit.LIBCPMT ref: 006B8053

Part of subcall function 006B454B: __EH_prolog3.LIBCMT ref: 006B4552
Part of subcall function 006B454B: std::_Lockit::_Lockit.LIBCPMT ref: 006B455C
Part of subcall function 006B454B: std::_Lockit::~_Lockit.LIBCPMT ref: 006B4603

collate.LIBCPMT ref: 006BE5C0
numpunct.LIBCPMT ref: 006BE83A

Part of subcall function 006B8743: __EH_prolog3.LIBCMT ref: 006B874A

Part of subcall function 006B8479: __EH_prolog3.LIBCMT ref: 006B8480
Part of subcall function 006B8479: std::_Lockit::_Lockit.LIBCPMT ref: 006B848A
Part of subcall function 006B8479: std::_Lockit::~_Lockit.LIBCPMT ref: 006B84FB

Part of subcall function 006B85A3: __EH_prolog3.LIBCMT ref: 006B85AA
Part of subcall function 006B85A3: std::_Lockit::_Lockit.LIBCPMT ref: 006B85B4
Part of subcall function 006B85A3: std::_Lockit::~_Lockit.LIBCPMT ref: 006B8625

Part of subcall function 006B454B: Concurrency::cancel_current_task.LIBCPMT ref: 006B460E

Part of subcall function 006B796A: __EH_prolog3.LIBCMT ref: 006B7971
Part of subcall function 006B796A: std::_Lockit::_Lockit.LIBCPMT ref: 006B797B
Part of subcall function 006B796A: std::_Lockit::~_Lockit.LIBCPMT ref: 006B79EC

__Getcoll.LIBCPMT ref: 006BE600

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

Part of subcall function 006A8440: LocalAlloc.KERNEL32(00000040,00000000,006C97AD,00000000,210DFF48,?,00000000,?,00000000,?,006EE009,000000FF,?,006A17D5,00000000,006EF3BA), ref: 006A8446

codecvt.LIBCPMT ref: 006BE8EB

Strings

ip, xrefs: 006BE4C6
ip, xrefs: 006BE50C
ip, xrefs: 006BE5D5
ip, xrefs: 006BE54F

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
String ID: ip$ip$ip$ip
API String ID: 613171289-3750973409
Opcode ID: 25a4d9a4103a9e8725e9f6368c14bb132a4e2429aa8ce2c173e1d83e82f5db7a
Instruction ID: 9199ac1f4fc7abc50da70103db999ab28ebdc0c826a1c7b394e9a018942f740a
Opcode Fuzzy Hash: 25a4d9a4103a9e8725e9f6368c14bb132a4e2429aa8ce2c173e1d83e82f5db7a
Instruction Fuzzy Hash: 6CE1C1F180061AAFDBA16F648C029FF7AA7EF41350F14452DF9556B382EF328D908B95

Uniqueness

Uniqueness Score: -1.00%

Function 006AEFB0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 254memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,210DFF48,?,00000000), ref: 006AF016
std::_Lockit::_Lockit.LIBCPMT ref: 006AF053
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006AF0BD
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006AF259
std::_Lockit::~_Lockit.LIBCPMT ref: 006AF316
Concurrency::cancel_current_task.LIBCPMT ref: 006AF33E

Strings

true, xrefs: 006AF18C
false, xrefs: 006AF176
bad locale name, xrefs: 006AF343

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 975656625-1062449267
Opcode ID: 1eb8163708fde5f43516b68940b6d8b735d328578fcc324c68dcd80e33f0a70c
Instruction ID: f2f08daa02a22d61adabe9d074c69f4ad9d001cf991c16fc5da78ec7beda0e0c
Opcode Fuzzy Hash: 1eb8163708fde5f43516b68940b6d8b735d328578fcc324c68dcd80e33f0a70c
Instruction Fuzzy Hash: 04B162B1D00348DAEF20DFE4C945BDEBBB5AF15304F1481ADE458AB281E7759A48CF62

Uniqueness

Uniqueness Score: -1.00%

Function 006A69E0 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,210DFF48,?,00000000), ref: 006A6A42
OpenProcess.KERNEL32(00000400,00000000,00000000,?,210DFF48,?,00000000), ref: 006A6A63
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,210DFF48,?,00000000), ref: 006A6A96
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,210DFF48,?,00000000), ref: 006A6AA7
CloseHandle.KERNEL32(00000000,?,210DFF48,?,00000000), ref: 006A6AC5
CloseHandle.KERNEL32(00000000,?,210DFF48,?,00000000), ref: 006A6AE1
CloseHandle.KERNEL32(00000000,?,210DFF48,?,00000000), ref: 006A6B09
CloseHandle.KERNEL32(00000000,?,210DFF48,?,00000000), ref: 006A6B25
CloseHandle.KERNEL32(00000000,?,210DFF48,?,00000000), ref: 006A6B43
CloseHandle.KERNEL32(00000000,?,210DFF48,?,00000000), ref: 006A6B5F

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 70aed56b1b69461d5c6c34db2aa2e8280abcea9f5831ab72415d7aa2adc72db6
Instruction ID: b44e9ed1ed8c9b59f0b1d2e46b372e8d1f5a4c7e5af193d5f06a5b28f44174f3
Opcode Fuzzy Hash: 70aed56b1b69461d5c6c34db2aa2e8280abcea9f5831ab72415d7aa2adc72db6
Instruction Fuzzy Hash: 55514A70E0125CABDB10EF98C984BEEFBB6EF49724F248219E614B7380D7755D058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006C16BD Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C16C4

Part of subcall function 006B7BBE: __EH_prolog3.LIBCMT ref: 006B7BC5
Part of subcall function 006B7BBE: std::_Lockit::_Lockit.LIBCPMT ref: 006B7BCF
Part of subcall function 006B7BBE: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7C40

Strings

%d / %m / %y, xrefs: 006C1A27
%H : %M : %S, xrefs: 006C1880
%b %d %H : %M : %S %Y, xrefs: 006C197C
%I : %M : %S %p, xrefs: 006C1A4E
%H : %M, xrefs: 006C1809
:AM:am:PM:pm, xrefs: 006C1A59
%m / %d / %y, xrefs: 006C17C0

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 2fac8fa7a030fa9a7e7c1b76d4491474b0a2a526f21e5684427eeb7819476320
Instruction ID: 35e9e0fa549e6b80756fc49b86007f83d2b7117b2ea439d6f9f05bc9df32c7e8
Opcode Fuzzy Hash: 2fac8fa7a030fa9a7e7c1b76d4491474b0a2a526f21e5684427eeb7819476320
Instruction Fuzzy Hash: 12C14376500109AFDF18DF98C966FFE7BBAEB07304F15411EFA46AA252D630DA11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 006C1AAD Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C1AB4

Part of subcall function 006AB4A0: std::_Lockit::_Lockit.LIBCPMT ref: 006AB4CD
Part of subcall function 006AB4A0: std::_Lockit::_Lockit.LIBCPMT ref: 006AB4F0
Part of subcall function 006AB4A0: std::_Lockit::~_Lockit.LIBCPMT ref: 006AB518
Part of subcall function 006AB4A0: std::_Lockit::~_Lockit.LIBCPMT ref: 006AB5B7

Strings

%d / %m / %y, xrefs: 006C1E17
%H : %M : %S, xrefs: 006C1C70
%b %d %H : %M : %S %Y, xrefs: 006C1D6C
%I : %M : %S %p, xrefs: 006C1E3E
%H : %M, xrefs: 006C1BF9
:AM:am:PM:pm, xrefs: 006C1E49
%m / %d / %y, xrefs: 006C1BB0

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: b2d66db83b6cfa526ef550bd1d8ad8d52962a51d0cbd13639768d069c3448048
Instruction ID: cf9993be5f522bf4507a7f28094a3e86ee1a2e36fb2d9981fc4b777160ad40d1
Opcode Fuzzy Hash: b2d66db83b6cfa526ef550bd1d8ad8d52962a51d0cbd13639768d069c3448048
Instruction Fuzzy Hash: 6DC13276500109AFDB18DFA8C955EFA77BAEF0B300F15421EFA02EA256D630DE11CB60

Uniqueness

Uniqueness Score: -1.00%

Function 006C6DD9 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C6DE0

Part of subcall function 006AC530: std::_Lockit::_Lockit.LIBCPMT ref: 006AC55D
Part of subcall function 006AC530: std::_Lockit::_Lockit.LIBCPMT ref: 006AC580
Part of subcall function 006AC530: std::_Lockit::~_Lockit.LIBCPMT ref: 006AC5A8
Part of subcall function 006AC530: std::_Lockit::~_Lockit.LIBCPMT ref: 006AC647

Strings

%d / %m / %y, xrefs: 006C7143
%H : %M : %S, xrefs: 006C6F9C
%b %d %H : %M : %S %Y, xrefs: 006C7098
%I : %M : %S %p, xrefs: 006C716A
%H : %M, xrefs: 006C6F25
:AM:am:PM:pm, xrefs: 006C7175
%m / %d / %y, xrefs: 006C6EDC

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 4ad5c05f4d680370fb5ccfe902df768ac6aea4d9875196c4e0a614f08fd8ea10
Instruction ID: aadf4797a1ac7c9bf664c09db4b90f4a68dcb5572f498228b2ab1b8d9f5b0541
Opcode Fuzzy Hash: 4ad5c05f4d680370fb5ccfe902df768ac6aea4d9875196c4e0a614f08fd8ea10
Instruction Fuzzy Hash: F0C183B650410AAFDB18DF68CD56FFF3BAAEB49300F18011DFA06E2651E630DA15CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006A6530 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 258libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006A6010: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 006A6074
Part of subcall function 006A6010: GetLastError.KERNEL32 ref: 006A6110

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 006A65B2
ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 006A660B
ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 006A6692
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 006A6776
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 006A67EE
GetLastError.KERNEL32(?,00000000), ref: 006A6849
FreeLibrary.KERNEL32(?,?,00000000), ref: 006A689E

Strings

NtQueryInformationProcess, xrefs: 006A65AC

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
String ID: NtQueryInformationProcess
API String ID: 253270903-2781105232
Opcode ID: 6706f51a776b3b5316d2e1d1e956f8acc31dc92ea2a588c5d07a488c287f2ec9
Instruction ID: b599fabaf45e93d0d9486f658ea15ddc00244f37266d80e7c36595a3783135bd
Opcode Fuzzy Hash: 6706f51a776b3b5316d2e1d1e956f8acc31dc92ea2a588c5d07a488c287f2ec9
Instruction Fuzzy Hash: 2FB18D70910749CBEB20DF64C9487AEBBF5EF49308F14465DE449A7280D7B9AAC8CF91

Uniqueness

Uniqueness Score: -1.00%

Function 006BDFC4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006BDFCB
_Maklocstr.LIBCPMT ref: 006BE034
_Maklocstr.LIBCPMT ref: 006BE046
_Maklocchr.LIBCPMT ref: 006BE05E
_Maklocchr.LIBCPMT ref: 006BE06E
_Getvals.LIBCPMT ref: 006BE090

Part of subcall function 006B7404: _Maklocchr.LIBCPMT ref: 006B7433
Part of subcall function 006B7404: _Maklocchr.LIBCPMT ref: 006B7449

Strings

true, xrefs: 006BE041
false, xrefs: 006BE02F

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: cc6fabae785a0fd14aeff06e7fe0e479e4e0273fb5ba8bd25161a27bfcd8cab4
Instruction ID: 2537177ae6ebe2dac8db0bb1bb56d0b68475c9568ba668e3bf0335ce5313a902
Opcode Fuzzy Hash: cc6fabae785a0fd14aeff06e7fe0e479e4e0273fb5ba8bd25161a27bfcd8cab4
Instruction Fuzzy Hash: 102195B2D04318AADF14EFA5D885EDF7BAAEF05710F00805AB9049F282DAB1D550CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006AC960 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 480COMMON

Download Yara Rule

APIs

Part of subcall function 006B5FC6: __EH_prolog3.LIBCMT ref: 006B5FCD
Part of subcall function 006B5FC6: std::_Lockit::_Lockit.LIBCPMT ref: 006B5FD8
Part of subcall function 006B5FC6: std::locale::_Setgloballocale.LIBCPMT ref: 006B5FF3
Part of subcall function 006B5FC6: std::_Lockit::~_Lockit.LIBCPMT ref: 006B6046

std::_Lockit::_Lockit.LIBCPMT ref: 006AC9BA
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006ACA20
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006ACAEF

Part of subcall function 006B46EF: __EH_prolog3.LIBCMT ref: 006B46F6

std::_Lockit::~_Lockit.LIBCPMT ref: 006ACBA0
LocalFree.KERNEL32(?,?,?,006FD6C9,00000000,006FD6C9), ref: 006ACCA1
__cftoe.LIBCMT ref: 006ACDFE

Strings

bad locale name, xrefs: 006ACBE1

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
String ID: bad locale name
API String ID: 2085124900-1405518554
Opcode ID: 17a269b9debe0dc0dc5a3dfdb1a3012cec3ac68c9d9928d5e9d9b480e6918a74
Instruction ID: a5d75fd6878204ffca5ec85d9c8dcadc82906c958681e2907ab2d690983270c1
Opcode Fuzzy Hash: 17a269b9debe0dc0dc5a3dfdb1a3012cec3ac68c9d9928d5e9d9b480e6918a74
Instruction Fuzzy Hash: 13127DB1D00249DFDB10DFA8C985BEEBBB6EF15314F144169E415AB381E735AE04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006CC63C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 006CC75B
___TypeMatch.LIBVCRUNTIME ref: 006CC869
_UnwindNestedFrames.LIBCMT ref: 006CC9BB
CallUnexpected.LIBVCRUNTIME ref: 006CC9D6

Strings

csm, xrefs: 006CC6E6
csm, xrefs: 006CC679
csm, xrefs: 006CC792

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: ab10bafbb497c3350ae217c008978b3fd7882256aea636c6c2838954251ca7df
Instruction ID: ee718c472bd499c95fb4a66c56f1de4800d799985c1ba94ba3ca91c3899e94da
Opcode Fuzzy Hash: ab10bafbb497c3350ae217c008978b3fd7882256aea636c6c2838954251ca7df
Instruction Fuzzy Hash: 1EB13671800219EFCF19DFA4C881EBEBBB6EF18320B14415EE8196B252D735DA51CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006B0200 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 006B02BF
LocalAlloc.KERNEL32(00000040,?), ref: 006B0304
___std_exception_copy.LIBVCRUNTIME ref: 006B037B
LocalFree.KERNEL32(?), ref: 006B03B8
LocalFree.KERNEL32(?,?,?,?,?,210DFF48,210DFF48,?,?), ref: 006B04E6

Strings

iostream, xrefs: 006B0540
ios_base::failbit set, xrefs: 006B0452

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Local$AllocFree$___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2276494016-302468714
Opcode ID: 5f0c60a0e92cf487e2428a6229f5d070b76cc5ab248a73cacee1be8c847d6b19
Instruction ID: 2f1a3f9d52d01648b725f855c1f87721f1161358d08af5a38119bd123e1ed3c4
Opcode Fuzzy Hash: 5f0c60a0e92cf487e2428a6229f5d070b76cc5ab248a73cacee1be8c847d6b19
Instruction Fuzzy Hash: BFA192B1D00249DFDB08DF68D985BAEFBB6FB49310F10826DE8159B391D7709A84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006A2BD0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 225encryptionCOMMON

Download Yara Rule

APIs

#224.MSI(?,00000001,00000000,00000000,00000000), ref: 006A2C43
LocalFree.KERNEL32(?), ref: 006A2CA2
LocalFree.KERNEL32(?), ref: 006A2D0C
CertFreeCertificateContext.CRYPT32(00000000), ref: 006A2E94

Part of subcall function 006A3CE0: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 006A3D23

LocalFree.KERNEL32(?), ref: 006A2E13
LocalFree.KERNEL32(?), ref: 006A2E6B

Strings

HZp, xrefs: 006A2C60

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Free$Local$Cert$#224CertificateContextNameString
String ID: HZp
API String ID: 2665452496-2442772872
Opcode ID: 6a61f7826e5899da25fde5fc7ecaa3b3a2f8c84228819a79889c6f15381487a4
Instruction ID: 7a99c1c04318dc3e2617f339be38a941d185280bd7de2747d5e0d49c85ac86aa
Opcode Fuzzy Hash: 6a61f7826e5899da25fde5fc7ecaa3b3a2f8c84228819a79889c6f15381487a4
Instruction Fuzzy Hash: 8C916C7090024ACFDB18DFA8C55879EFBB2FF85304F14865DD415AB391DBB5AA84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006AB9D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000044,210DFF48,?,00000000), ref: 006ABA2B
std::_Lockit::_Lockit.LIBCPMT ref: 006ABA68
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006ABAD5
__Getctype.LIBCPMT ref: 006ABB1E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006ABB92
std::_Lockit::~_Lockit.LIBCPMT ref: 006ABC4F

Strings

bad locale name, xrefs: 006ABC6D

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3635123611-1405518554
Opcode ID: f10f7208c12b8c7abaccc8061bf685a7ab88811097a343373847e2d939e90224
Instruction ID: a250d01e3fa1dbd2f135098868b03479e66a3d3749d2ee9f926ede6dba4d565e
Opcode Fuzzy Hash: f10f7208c12b8c7abaccc8061bf685a7ab88811097a343373847e2d939e90224
Instruction Fuzzy Hash: 0D8190B0D04388DFEB10DFA8C945B9EBBF5AF15304F14819DD448AB382EB759A48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006AC1C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,210DFF48,?,00000000,?,?,?,?,?,?,?,00000000,006EBFC5,000000FF), ref: 006AC204
std::_Lockit::_Lockit.LIBCPMT ref: 006AC23E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006AC2A2
__Getctype.LIBCPMT ref: 006AC2EB
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006AC331
std::_Lockit::~_Lockit.LIBCPMT ref: 006AC3E5

Strings

bad locale name, xrefs: 006AC400

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3635123611-1405518554
Opcode ID: 7306dc605b91afc6a6d9993fe0077aefa27415c983abb2f30970f12eee0beb80
Instruction ID: 43168a187c5c89ed459cc3970dcb49d5a3e0ac7e6ceffdd54f502f5989a476bc
Opcode Fuzzy Hash: 7306dc605b91afc6a6d9993fe0077aefa27415c983abb2f30970f12eee0beb80
Instruction Fuzzy Hash: D0616BB0D01288EAEF10DFA8C908BDEBFF5AF15314F14815DE454AB381D7B99A08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006C884A Relevance: 12.2, APIs: 8, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 006C88D5
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006C8963
__alloca_probe_16.LIBCMT ref: 006C898D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006C89D5
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 006C89EF
__alloca_probe_16.LIBCMT ref: 006C8A15
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006C8A52
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 006C8A6F

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: a3d753e96919886720ccfb5b4a0b29c3adfc52f789f6580f66559305376bd85d
Instruction ID: 0762284577d81c0ab4566045dd2b0f2ae9ce91860728e9ca7f7342fbaa288c4e
Opcode Fuzzy Hash: a3d753e96919886720ccfb5b4a0b29c3adfc52f789f6580f66559305376bd85d
Instruction Fuzzy Hash: 7A716A3290424AAEDF318BA8CC45FFE7BBBEF89750F19405EE904A7251DE358901DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006C832F Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,006AC67F,?,00000001,00000000,?,00000000,?,006AC67F,?), ref: 006C8378
__alloca_probe_16.LIBCMT ref: 006C83A4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,006AC67F,?,?,00000000,006ACC73,0000003F,?), ref: 006C83E3
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,006AC67F,?,?,00000000,006ACC73,0000003F), ref: 006C8400
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,006AC67F,?,?,00000000,006ACC73,0000003F), ref: 006C843F
__alloca_probe_16.LIBCMT ref: 006C845C
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,006AC67F,?,?,00000000,006ACC73,0000003F), ref: 006C849E
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,006AC67F,?,?,00000000,006ACC73,0000003F,?), ref: 006C84C1

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 326020df1e70f089a1c21461f7ddd193b7570795101c5ec9810850db053e4b29
Instruction ID: aee3213f8cf8b6891393fa2ab2ebd2445715aad870f209264221eca0c04109d9
Opcode Fuzzy Hash: 326020df1e70f089a1c21461f7ddd193b7570795101c5ec9810850db053e4b29
Instruction Fuzzy Hash: 30519F7260025AAFEB349FA4CC45FFB7BEAEB44750F14852DF9159B250DB348D118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 006A58C0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 389fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,210DFF48,?,00000004), ref: 006A592A
LocalFree.KERNEL32(?), ref: 006A5A3B
MoveFileW.KERNEL32(?,00000000), ref: 006A5CDB
DeleteFileW.KERNEL32(?), ref: 006A5D23

Strings

url, xrefs: 006A5A5C, 006A5D06
URL, xrefs: 006A5924, 006A5D0B

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: File$DeleteFreeLocalMoveNameTemp
String ID: URL$url
API String ID: 1622375482-346267919
Opcode ID: b3d0d51b6601fec4c518d868a95d78f3a8fdf64238a1fefb1a5f51aa31d0a697
Instruction ID: bccf58722f46e7b6c156d504d98ec9130a2fb6dcd694e4d1bec10f21f1da8d43
Opcode Fuzzy Hash: b3d0d51b6601fec4c518d868a95d78f3a8fdf64238a1fefb1a5f51aa31d0a697
Instruction Fuzzy Hash: 1F025A70A116698BCB64DF28CD9879DB7B2BF55304F1042D9E40AA7251EB74AFC4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 006AF580 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000000C,210DFF48,?,00000000,00000000,?,?,?,?,00000000,006EC6D1,000000FF,?,006AEB6A,00000000), ref: 006AF5C4
std::_Lockit::_Lockit.LIBCPMT ref: 006AF5FA
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006AF65E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006AF71E
std::_Lockit::~_Lockit.LIBCPMT ref: 006AF7D2

Strings

bad locale name, xrefs: 006AF7EE

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2968629171-1405518554
Opcode ID: 2894fab8f86308f60c1f38c9d7d3db54ca232ec027697c2cb0b91cdd0821c6d7
Instruction ID: f06f9a5d6d34f7cecaf5798c87a0e7541c0c0c5ca24e253965f7f28377362059
Opcode Fuzzy Hash: 2894fab8f86308f60c1f38c9d7d3db54ca232ec027697c2cb0b91cdd0821c6d7
Instruction Fuzzy Hash: 07716DB0D01248EAEF10DFA8C948BDEBFB5AF15314F14416DE414BB381D7B59A04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006AF350 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000008,210DFF48,?,00000000,00000000,?,?,?,00000000,006EC5DD,000000FF,?,006AECAA,00000000,?), ref: 006AF394
std::_Lockit::_Lockit.LIBCPMT ref: 006AF3CA
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006AF42E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006AF49E
std::_Lockit::~_Lockit.LIBCPMT ref: 006AF552

Strings

bad locale name, xrefs: 006AF56E

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2968629171-1405518554
Opcode ID: 380042e098e15bc6d0862e18099b5becb964287764e7a79ab816f07f7b15e3ee
Instruction ID: d3ee3381509ce5ef0e322db496c4f4e8e6c4eff9eaff779a1bab7c0d565e81f0
Opcode Fuzzy Hash: 380042e098e15bc6d0862e18099b5becb964287764e7a79ab816f07f7b15e3ee
Instruction Fuzzy Hash: E1613BB0D01288EAEF10DFE9C5487DEBBB5AF15314F14416DE454AB381D7799A08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CA140 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006CA177
___except_validate_context_record.LIBVCRUNTIME ref: 006CA17F
_ValidateLocalCookies.LIBCMT ref: 006CA208
__IsNonwritableInCurrentImage.LIBCMT ref: 006CA233
_ValidateLocalCookies.LIBCMT ref: 006CA288

Strings

csm, xrefs: 006CA21D

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8d34dd191bb5a2ea01f1c9274831f30e6ad812a9b5df7f6746e5b98049437deb
Instruction ID: b3ab817cf24c7bf3dca9ddd70562621d33dd0bbe8ed6edc20a0fd2795a2a51f8
Opcode Fuzzy Hash: 8d34dd191bb5a2ea01f1c9274831f30e6ad812a9b5df7f6746e5b98049437deb
Instruction Fuzzy Hash: B4418334A0025C9BCF10DFA8C844FAEBBA6EF45318F18815DE9155B392D736EA15CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006DDD7B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,006DDE88,?,?,?,00000000,?,?,006DE0B2,00000021,FlsSetValue,006F3E00,006F3E08,?), ref: 006DDE3C

Strings

ext-ms-, xrefs: 006DDDE6
api-ms-, xrefs: 006DDDD2

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 76189d7aa1b2d20f090f9b52a5c006aa589694bc9ca88c8548e1473b6fdde386
Instruction ID: 532cb53967890874dbb60a53dff1295ab0187d82e9f8398e7ca8db6166ea812c
Opcode Fuzzy Hash: 76189d7aa1b2d20f090f9b52a5c006aa589694bc9ca88c8548e1473b6fdde386
Instruction Fuzzy Hash: 1821A871E01211E7C731AB65EC40AEA776B9F557A0F151226E915EF390EB70EE01C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 006B27D3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B27DA
std::_Lockit::_Lockit.LIBCPMT ref: 006B27E4

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

numpunct.LIBCPMT ref: 006B281E
std::_Facet_Register.LIBCPMT ref: 006B2835
std::_Lockit::~_Lockit.LIBCPMT ref: 006B2855

Strings

thp, xrefs: 006B27EF

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID: thp
API String ID: 743221004-1368951053
Opcode ID: aa370367d0a08a518a069c51c5ddcaf6d1eda53560e143128faf5ea4424513a2
Instruction ID: ab8dc390c3ebe980a77c4915ad49bab1c107ed43b387e521712b12daa98af233
Opcode Fuzzy Hash: aa370367d0a08a518a069c51c5ddcaf6d1eda53560e143128faf5ea4424513a2
Instruction Fuzzy Hash: 6211AC769002169BCB04EBA0C865AFE77A2AF84720F24411CF911AB3C1DF349E41CB88

Uniqueness

Uniqueness Score: -1.00%

Function 006B83E4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B83EB
std::_Lockit::_Lockit.LIBCPMT ref: 006B83F5

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

numpunct.LIBCPMT ref: 006B842F
std::_Facet_Register.LIBCPMT ref: 006B8446
std::_Lockit::~_Lockit.LIBCPMT ref: 006B8466

Strings

ip, xrefs: 006B8400

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID: ip
API String ID: 743221004-734542
Opcode ID: cc8f383b52079180c29dc876e5680aadd737e56b92cb1eb791a1c12a3afb750b
Instruction ID: 0fe008ad7c003a97697a22fb6d94f405617684a17fcba91779a9776c16e03a29
Opcode Fuzzy Hash: cc8f383b52079180c29dc876e5680aadd737e56b92cb1eb791a1c12a3afb750b
Instruction Fuzzy Hash: 8A01E1B69001158FCB00BFA4C855AFD77A6AF84720F24840CF8116B281CF349E40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B2614 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B261B
std::_Lockit::_Lockit.LIBCPMT ref: 006B2625

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

codecvt.LIBCPMT ref: 006B265F
std::_Facet_Register.LIBCPMT ref: 006B2676
std::_Lockit::~_Lockit.LIBCPMT ref: 006B2696

Strings

xhp, xrefs: 006B2630

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: xhp
API String ID: 712880209-1484943465
Opcode ID: 30352facf9b3d3ccacde5702d777b601bdb7bd20ed869f85532e2168f7d8d936
Instruction ID: 7385c7a0ef7959c007feb27e99ffcd6d5c831a35431251fcc04fa4e99f8522fe
Opcode Fuzzy Hash: 30352facf9b3d3ccacde5702d777b601bdb7bd20ed869f85532e2168f7d8d936
Instruction Fuzzy Hash: 0601A1B59002199FCB04EBA4C865AFD77A2AF85720F14451CF4116B2D2DF749E818B99

Uniqueness

Uniqueness Score: -1.00%

Function 006C4990 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4997
std::_Lockit::_Lockit.LIBCPMT ref: 006C49A1

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

collate.LIBCPMT ref: 006C49DB
std::_Facet_Register.LIBCPMT ref: 006C49F2
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4A12

Strings

djp, xrefs: 006C49AC

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: djp
API String ID: 1007100420-2139638015
Opcode ID: 0ee18209a4c72fb1f457824199cd165115fec5ade8bc6161d4a5fb20d1ae6062
Instruction ID: 8d3878e6d71507b790f4b200fdcbfdae62007e2f6df4c1e6f02073a1e2e8b72d
Opcode Fuzzy Hash: 0ee18209a4c72fb1f457824199cd165115fec5ade8bc6161d4a5fb20d1ae6062
Instruction Fuzzy Hash: C8018B759002599BCB04FBA4C865BBE7BA2EF88720F14850DF8116B281DF749E01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4A25 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4A2C
std::_Lockit::_Lockit.LIBCPMT ref: 006C4A36

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

messages.LIBCPMT ref: 006C4A70
std::_Facet_Register.LIBCPMT ref: 006C4A87
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4AA7

Strings

hjp, xrefs: 006C4A41

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: hjp
API String ID: 2750803064-1989325211
Opcode ID: 0d149d4fe3d980b8b57b20a482c6a80b90d56015da157a4359903b2d9159166e
Instruction ID: cca5cee62f0210fc3949370e2842186ef18971e9af7afaf92547e7491f7d5745
Opcode Fuzzy Hash: 0d149d4fe3d980b8b57b20a482c6a80b90d56015da157a4359903b2d9159166e
Instruction Fuzzy Hash: D0015E759002199FCB05FBA4C865ABD7766EF84720F25450DF4116B291DF389E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7A94 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7A9B
std::_Lockit::_Lockit.LIBCPMT ref: 006B7AA5

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

collate.LIBCPMT ref: 006B7ADF
std::_Facet_Register.LIBCPMT ref: 006B7AF6
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7B16

Strings

ip, xrefs: 006B7AB0

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: ip
API String ID: 1007100420-734542
Opcode ID: a970d522cd02fbde609f1ec30b48a18ce74ac535d9e91562972d786ff6438666
Instruction ID: 4925f46dd7051212cc5012fdb1e9742df01c7eff96f774d988e11bced1de8e18
Opcode Fuzzy Hash: a970d522cd02fbde609f1ec30b48a18ce74ac535d9e91562972d786ff6438666
Instruction Fuzzy Hash: 7601ADB69042199BCB04BFA4C855AFDBB67AF84720F14450CF9116B2C2DF749E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4BE4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4BEB
std::_Lockit::_Lockit.LIBCPMT ref: 006C4BF5

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

moneypunct.LIBCPMT ref: 006C4C2F
std::_Facet_Register.LIBCPMT ref: 006C4C46
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4C66

Strings

xjp, xrefs: 006C4C00

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: xjp
API String ID: 419941038-1790186219
Opcode ID: c81f5ded9a52021b45f1a4c299936972f61d8ecf4222ca068539130fd779e534
Instruction ID: e9dbdcd874d7f5fc2c18848ea47ef545e3053813c07acdeefd64e4dcb20759fe
Opcode Fuzzy Hash: c81f5ded9a52021b45f1a4c299936972f61d8ecf4222ca068539130fd779e534
Instruction Fuzzy Hash: EC01E1719006159BCB00FBA0C8A5BFD7762EF85720F24850CF411AB2A1CF389E40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4C79 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4C80
std::_Lockit::_Lockit.LIBCPMT ref: 006C4C8A

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

moneypunct.LIBCPMT ref: 006C4CC4
std::_Facet_Register.LIBCPMT ref: 006C4CDB
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4CFB

Strings

tjp, xrefs: 006C4C95

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: tjp
API String ID: 419941038-1672407951
Opcode ID: cd65f06ccb0914f5e01f63823321a5e109fd149806b2932e8f07b8040cd2f48f
Instruction ID: 849ce481b1a83158fbcf21717c50ea0f22f33821df60d8dfb96e6524091b88d7
Opcode Fuzzy Hash: cd65f06ccb0914f5e01f63823321a5e109fd149806b2932e8f07b8040cd2f48f
Instruction Fuzzy Hash: D801A1759016159BDB04FBA4C865BBD77A2EF84720F25450CF8116B391DF349E018B98

Uniqueness

Uniqueness Score: -1.00%

Function 006AB4A0 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006AB4CD
std::_Lockit::_Lockit.LIBCPMT ref: 006AB4F0
std::_Lockit::~_Lockit.LIBCPMT ref: 006AB518
std::_Facet_Register.LIBCPMT ref: 006AB58D
std::_Lockit::~_Lockit.LIBCPMT ref: 006AB5B7
LocalFree.KERNEL32 ref: 006AB660

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
String ID:
API String ID: 1378673503-0
Opcode ID: 09d2e32475bae6b21a13792c93830ca7e6bd48d5437f97c45198ee3302612f52
Instruction ID: 9f5f025ad316f47c4e9c80a5720b391aeee0b27016a9f1c4ce7512b08b7a36ba
Opcode Fuzzy Hash: 09d2e32475bae6b21a13792c93830ca7e6bd48d5437f97c45198ee3302612f52
Instruction Fuzzy Hash: 1A519BB1C00248DFDB20EF58D844BAABBB6EB05720F14865DE82567392DB74AE40CF94

Uniqueness

Uniqueness Score: -1.00%

Function 006D6D91 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 006D6E7B
__freea.LIBCMT ref: 006D6F11
__freea.LIBCMT ref: 006D6F2D

Strings

am/pm, xrefs: 006D6F91
a/p, xrefs: 006D6FF5

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: bada76edc76c4816d883084fd180f53ca81955d3ca535c8393a685d56804ea01
Instruction ID: 4c104fb6c9b862521dfe9ec74a3fae7896d39fd36f699efc9f7c61cedcd0e1ca
Opcode Fuzzy Hash: bada76edc76c4816d883084fd180f53ca81955d3ca535c8393a685d56804ea01
Instruction Fuzzy Hash: D3C1D175D08216EADB249F68C845AFAB7B3FF55704F18424BE901AB741E3319D42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006CC305 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006CC2FC,006CAB20,006C99B3), ref: 006CC313
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006CC321
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006CC33A
SetLastError.KERNEL32(00000000,006CC2FC,006CAB20,006C99B3), ref: 006CC38C

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6aee296748004f51db37e967e49f2a639b5195b5b7c321d7c52827ce5efea5ae
Instruction ID: 541fe721011c95e4e8c34cce9b801311b6c11cb6eca751c07ea9ab47a5deebbe
Opcode Fuzzy Hash: 6aee296748004f51db37e967e49f2a639b5195b5b7c321d7c52827ce5efea5ae
Instruction Fuzzy Hash: E401D8722097519FD7642B757C99FBB2687EB01774720833EF21C9A2E0EF958C019988

Uniqueness

Uniqueness Score: -1.00%

Function 006B46EF Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 186COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B46F6

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

Part of subcall function 006A8440: LocalAlloc.KERNEL32(00000040,00000000,006C97AD,00000000,210DFF48,?,00000000,?,00000000,?,006EE009,000000FF,?,006A17D5,00000000,006EF3BA), ref: 006A8446

Part of subcall function 006AC050: __Getctype.LIBCPMT ref: 006AC0B2

Strings

xhp, xrefs: 006B485B
php, xrefs: 006B47A7
thp, xrefs: 006B47EA
lhp, xrefs: 006B4762

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$AllocGetctypeH_prolog3LocalLockit::_Lockit::~_
String ID: lhp$php$thp$xhp
API String ID: 3791111190-4061352736
Opcode ID: ccba5860767383972560a49db26279f6de0e320e5f8cf63901ff5eb16f3c5063
Instruction ID: eff0f3bafd9e1630139a6b7f784a33a317a2d94171a43a34bc59b1b6c4914872
Opcode Fuzzy Hash: ccba5860767383972560a49db26279f6de0e320e5f8cf63901ff5eb16f3c5063
Instruction Fuzzy Hash: DC51A7F1900216ABEB917F658C829FF7AAAEF52350F14402DF94557283EF34CD9087A5

Uniqueness

Uniqueness Score: -1.00%

Function 006BDEC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006BDEC7
_Getvals.LIBCPMT ref: 006BDF19
_Mpunct.LIBCPMT ref: 006BDF54
_Mpunct.LIBCPMT ref: 006BDF6E

Strings

$+xv, xrefs: 006BDF79

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 041e13b2c7ab05f3296744857569c8e1d38ea3c95a6f40ce32a43028f9b8fcbf
Instruction ID: 40c4e9da689373e911507368ccc02207d51b97c748157bb2a8a67f5cd97e8225
Opcode Fuzzy Hash: 041e13b2c7ab05f3296744857569c8e1d38ea3c95a6f40ce32a43028f9b8fcbf
Instruction Fuzzy Hash: 4021B2B1904B91AED761DF75C490BBBBEF9AB08300F04051EF099CBA41E730EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006A8360 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(210DFF48,210DFF48,?,?,00000000,006EB621,000000FF), ref: 006A83FB

Part of subcall function 006C8C81: EnterCriticalSection.KERNEL32(00706AF8,00000000,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26), ref: 006C8C8C
Part of subcall function 006C8C81: LeaveCriticalSection.KERNEL32(00706AF8,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26,?,?,?,210DFF48), ref: 006C8CC9

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 006A83C0
GetProcAddress.KERNEL32(00000000), ref: 006A83C7

Part of subcall function 006C8C37: EnterCriticalSection.KERNEL32(00706AF8,?,?,006A2627,0070771C,006EE130), ref: 006C8C41
Part of subcall function 006C8C37: LeaveCriticalSection.KERNEL32(00706AF8,?,?,006A2627,0070771C,006EE130), ref: 006C8C74
Part of subcall function 006C8C37: RtlWakeAllConditionVariable.NTDLL ref: 006C8CEB

Strings

kernel32, xrefs: 006A83BB
IsWow64Process, xrefs: 006A83B6

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 0756e1cef0f7a55833b506829521e3fa0f3a02bef4787a86ca8ecfc369a97d98
Instruction ID: 1fa6c00fc4bd0343a8dd1fa9012b1bf437926c98e1453927784ae00c5ffb14b7
Opcode Fuzzy Hash: 0756e1cef0f7a55833b506829521e3fa0f3a02bef4787a86ca8ecfc369a97d98
Instruction Fuzzy Hash: 4911AFB2D48748DFCB14DFA4EC45BA977E9F709B20F10436AE91197380EB396900CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006B8225 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B822C
std::_Lockit::_Lockit.LIBCPMT ref: 006B8236

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B8287
std::_Lockit::~_Lockit.LIBCPMT ref: 006B82A7

Strings

ip, xrefs: 006B8241

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: ip
API String ID: 2854358121-734542
Opcode ID: d987e38fccf0a3a4a7c7dcb4a74428d71b932e38413aebdbf3e670bb67550fa1
Instruction ID: d7561d02a5796a35eb1475d9bcba0240306e20d3e657b5f1268010c587256883
Opcode Fuzzy Hash: d987e38fccf0a3a4a7c7dcb4a74428d71b932e38413aebdbf3e670bb67550fa1
Instruction Fuzzy Hash: BF01CBB59016188FCB40ABA4C856AFD77A6AF84720F14440CF810AB282CF349E40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B834F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B8356
std::_Lockit::_Lockit.LIBCPMT ref: 006B8360

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B83B1
std::_Lockit::~_Lockit.LIBCPMT ref: 006B83D1

Strings

ip, xrefs: 006B836B

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: ip
API String ID: 2854358121-734542
Opcode ID: 4093906bdee523d79ada879d78627f6776955a5b15cb4cced9bbd3cb0569de2a
Instruction ID: b2dacb49922b0bb1580fec8808bf79ffa0eef74a2b464d7ca1f36a739fdf59d4
Opcode Fuzzy Hash: 4093906bdee523d79ada879d78627f6776955a5b15cb4cced9bbd3cb0569de2a
Instruction Fuzzy Hash: 8B01A1B59002199FCB04BFA4C855AFD77A7AF84B20F14451DF5116B282CF749E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B26A9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B26B0
std::_Lockit::_Lockit.LIBCPMT ref: 006B26BA

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B270B
std::_Lockit::~_Lockit.LIBCPMT ref: 006B272B

Strings

lhp, xrefs: 006B26C5

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: lhp
API String ID: 2854358121-1135442885
Opcode ID: 7f7fb2896b8dbafc540ddac63692051b02df7331dc73d85c79ae2ab681cae5f4
Instruction ID: a888836f7814fd5da5cb3f2fdfc0026ffcd7d6363f9abcd0256f1c8b7174d1bd
Opcode Fuzzy Hash: 7f7fb2896b8dbafc540ddac63692051b02df7331dc73d85c79ae2ab681cae5f4
Instruction Fuzzy Hash: 3401ADB590021A9BCB05FBA4C865AFDB7E6AF89720F14451DF8116B2C1CF34DE42CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B273E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B2745
std::_Lockit::_Lockit.LIBCPMT ref: 006B274F

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B27A0
std::_Lockit::~_Lockit.LIBCPMT ref: 006B27C0

Strings

php, xrefs: 006B275A

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: php
API String ID: 2854358121-1452351953
Opcode ID: e590c860ab98f2c4ad9a3e8475cdfc10f128920f66a66b95ce6aa462edb70412
Instruction ID: 6b42f8624ec04ebfd4cfab1563a14a38df19bc6ce9daaad4c50c9ed6999c6aa9
Opcode Fuzzy Hash: e590c860ab98f2c4ad9a3e8475cdfc10f128920f66a66b95ce6aa462edb70412
Instruction Fuzzy Hash: 87016DB590021A9FCB05FBA4C865AFE77A2AF84B20F14451DF8116B2D2DF349E418B98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4ABA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4AC1
std::_Lockit::_Lockit.LIBCPMT ref: 006C4ACB

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006C4B1C
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4B3C

Strings

ljp, xrefs: 006C4AD6

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: ljp
API String ID: 2854358121-1905989959
Opcode ID: 5c7ca35691d9b11bdc1e4bb1c92aeb18f6723c6d66e1ae94dc104fc50cb61b88
Instruction ID: 5b4503b4f045ab4992716e72873af6c67d51123b71a03491d81efa894c6fe161
Opcode Fuzzy Hash: 5c7ca35691d9b11bdc1e4bb1c92aeb18f6723c6d66e1ae94dc104fc50cb61b88
Instruction Fuzzy Hash: ED01AD769006199FCB04FFA5C865BBEB762EF84720F14850DF811AB291DF349E018B98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4B4F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4B56
std::_Lockit::_Lockit.LIBCPMT ref: 006C4B60

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006C4BB1
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4BD1

Strings

pjp, xrefs: 006C4B6B

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: pjp
API String ID: 2854358121-1688683347
Opcode ID: b0c310182338d454ff9080ec6ef680226b94bd4810bd047db3f28b359f25473e
Instruction ID: d781d1070c08eaebdf96b35c4c9f68a3d653570de381427d202e56589bdface5
Opcode Fuzzy Hash: b0c310182338d454ff9080ec6ef680226b94bd4810bd047db3f28b359f25473e
Instruction Fuzzy Hash: 77018B759006199BCB04FBA4C865BBD7763EF84720F24450CF812AB282DF349E018B98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4D0E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4D15
std::_Lockit::_Lockit.LIBCPMT ref: 006C4D1F

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006C4D70
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4D90

Strings

|jp, xrefs: 006C4D2A

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: |jp
API String ID: 2854358121-1841150519
Opcode ID: c2d83e27c85a6ab3a751dddedac003bc1f41289fc23a534632f0be5512464f69
Instruction ID: 3831516bafe62c36dade3da5907ce027f3798a9ff7369d9f0023c251752293c6
Opcode Fuzzy Hash: c2d83e27c85a6ab3a751dddedac003bc1f41289fc23a534632f0be5512464f69
Instruction Fuzzy Hash: 7801A1769005159BCB04FFA4C865BBD7766EF84720F24850DF8126B2D1DF34AE01CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006D9871 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,210DFF48,?,?,00000000,006EE060,000000FF,?,006D9801,?,?,006D97D5,?), ref: 006D98A6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006D98B8
FreeLibrary.KERNEL32(00000000,?,00000000,006EE060,000000FF,?,006D9801,?,?,006D97D5,?), ref: 006D98DA

Strings

mscoree.dll, xrefs: 006D989F
CorExitProcess, xrefs: 006D98B0

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e1c602b5cc317da0319c5886aab9d2cc5f9502c9120570c2583c9912a9ea8d7d
Instruction ID: c0cdbef10054cf97cd63c81516e3918a9ad000d540ecd55aafec6f091ccd682d
Opcode Fuzzy Hash: e1c602b5cc317da0319c5886aab9d2cc5f9502c9120570c2583c9912a9ea8d7d
Instruction Fuzzy Hash: B601F231900669EFCB018F50CC45BEEBBBAFB05B11F000936F811E2390CB759900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006BE91A Relevance: 7.9, APIs: 5, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006BE921
collate.LIBCPMT ref: 006BEA9C
numpunct.LIBCPMT ref: 006BED16

Part of subcall function 006B8776: __EH_prolog3.LIBCMT ref: 006B877D

Part of subcall function 006B850E: __EH_prolog3.LIBCMT ref: 006B8515
Part of subcall function 006B850E: std::_Lockit::_Lockit.LIBCPMT ref: 006B851F
Part of subcall function 006B850E: std::_Lockit::~_Lockit.LIBCPMT ref: 006B8590

Part of subcall function 006AEA90: std::_Lockit::_Lockit.LIBCPMT ref: 006AEABD
Part of subcall function 006AEA90: std::_Lockit::_Lockit.LIBCPMT ref: 006AEAE0
Part of subcall function 006AEA90: std::_Lockit::~_Lockit.LIBCPMT ref: 006AEB08
Part of subcall function 006AEA90: std::_Lockit::~_Lockit.LIBCPMT ref: 006AEBA7

Part of subcall function 006B454B: Concurrency::cancel_current_task.LIBCPMT ref: 006B460E

Part of subcall function 006B79FF: __EH_prolog3.LIBCMT ref: 006B7A06
Part of subcall function 006B79FF: std::_Lockit::_Lockit.LIBCPMT ref: 006B7A10
Part of subcall function 006B79FF: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7A81

__Getcoll.LIBCPMT ref: 006BEADC

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

Part of subcall function 006A8440: LocalAlloc.KERNEL32(00000040,00000000,006C97AD,00000000,210DFF48,?,00000000,?,00000000,?,006EE009,000000FF,?,006A17D5,00000000,006EF3BA), ref: 006A8446

Part of subcall function 006AB980: __Getctype.LIBCPMT ref: 006AB98B

Part of subcall function 006B7E12: __EH_prolog3.LIBCMT ref: 006B7E19
Part of subcall function 006B7E12: std::_Lockit::_Lockit.LIBCPMT ref: 006B7E23
Part of subcall function 006B7E12: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7E94

Part of subcall function 006B7F3C: __EH_prolog3.LIBCMT ref: 006B7F43
Part of subcall function 006B7F3C: std::_Lockit::_Lockit.LIBCPMT ref: 006B7F4D
Part of subcall function 006B7F3C: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7FBE

Part of subcall function 006B8190: __EH_prolog3.LIBCMT ref: 006B8197
Part of subcall function 006B8190: std::_Lockit::_Lockit.LIBCPMT ref: 006B81A1
Part of subcall function 006B8190: std::_Lockit::~_Lockit.LIBCPMT ref: 006B8212

Part of subcall function 006B80FB: __EH_prolog3.LIBCMT ref: 006B8102
Part of subcall function 006B80FB: std::_Lockit::_Lockit.LIBCPMT ref: 006B810C
Part of subcall function 006B80FB: std::_Lockit::~_Lockit.LIBCPMT ref: 006B817D

Part of subcall function 006B454B: __EH_prolog3.LIBCMT ref: 006B4552
Part of subcall function 006B454B: std::_Lockit::_Lockit.LIBCPMT ref: 006B455C
Part of subcall function 006B454B: std::_Lockit::~_Lockit.LIBCPMT ref: 006B4603

codecvt.LIBCPMT ref: 006BEDC7

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
String ID:
API String ID: 2252558201-0
Opcode ID: 4f45487344a3fd8b0b3194c9213bb1b95a14191857a15b8324ed114042c9d047
Instruction ID: cb80fb68d7fd9f058f0fd58d197bca9eceb5daffb6fc5576cad41c23a5b6cb97
Opcode Fuzzy Hash: 4f45487344a3fd8b0b3194c9213bb1b95a14191857a15b8324ed114042c9d047
Instruction Fuzzy Hash: EFE1A2B180061AAFDBA17F648C029FF7AA7EF41360F14452DF9556B382DF328D908B95

Uniqueness

Uniqueness Score: -1.00%

Function 006DD792 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 006DD819
__alloca_probe_16.LIBCMT ref: 006DD8DA
__freea.LIBCMT ref: 006DD941

Part of subcall function 006DC537: HeapAlloc.KERNEL32(00000000,?,?,?,006DBEBA,?,00000000,?,006CD692,?,?,?,?,?,?,006A1668), ref: 006DC569

__freea.LIBCMT ref: 006DD956
__freea.LIBCMT ref: 006DD966

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 5c80b37d2cd75c8ee31fd31d9a507644680b7abc8238acecea94ba2a8745617f
Instruction ID: 69dcd8ee55cba395e4efd03de51d978273a6b221a16de6588d71104439a93d0f
Opcode Fuzzy Hash: 5c80b37d2cd75c8ee31fd31d9a507644680b7abc8238acecea94ba2a8745617f
Instruction Fuzzy Hash: 88519172E00206AFEB25AE64CC91EFF36ABEB45750B15412EFD04EB341EA31DC1197A4

Uniqueness

Uniqueness Score: -1.00%

Function 006A4A10 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 006A4A95
LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 006A4AB5
LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 006A4B3B
LocalFree.KERNEL32(00000000,210DFF48,00000000,00000000,Function_0004A6C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 006A4BBD

Strings

/Bj, xrefs: 006A4A11

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Local$AllocFree
String ID: /Bj
API String ID: 2012307162-2742582542
Opcode ID: f5f7058cbe49cb976d2f6badd7bf54a1a84ff0c843e112294008fa615b948f51
Instruction ID: 31c938dc5a68e2a3e4e49c795650af65b30123bc63d958693f78fade7eb4f3c1
Opcode Fuzzy Hash: f5f7058cbe49cb976d2f6badd7bf54a1a84ff0c843e112294008fa615b948f51
Instruction Fuzzy Hash: 0751D5726042159FC714EF28DC80BABB7EAEB89364F14066EF516D7390DB70DD018B95

Uniqueness

Uniqueness Score: -1.00%

Function 006AC530 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006AC55D
std::_Lockit::_Lockit.LIBCPMT ref: 006AC580
std::_Lockit::~_Lockit.LIBCPMT ref: 006AC5A8
std::_Facet_Register.LIBCPMT ref: 006AC61D
std::_Lockit::~_Lockit.LIBCPMT ref: 006AC647

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 036146cbd6b490bfe6b2c4d5ddbc56d7d40306210877f11087ac46a78b155943
Instruction ID: 9b11f0989e8cd45ff007832558a4308c5745d4932f4c78e3024be109b25737b9
Opcode Fuzzy Hash: 036146cbd6b490bfe6b2c4d5ddbc56d7d40306210877f11087ac46a78b155943
Instruction Fuzzy Hash: 7541A971C00259DFDB11EF58D940BAEBBA5EF05320F148259E815AB391DB34AE40CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006AEA90 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006AEABD
std::_Lockit::_Lockit.LIBCPMT ref: 006AEAE0
std::_Lockit::~_Lockit.LIBCPMT ref: 006AEB08
std::_Facet_Register.LIBCPMT ref: 006AEB7D
std::_Lockit::~_Lockit.LIBCPMT ref: 006AEBA7

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 81d62b0ca9b4a2b41c79595d19cad9cdfdf0471fae5ebca275ee23e61ee0e4ec
Instruction ID: 96de39b0fe63b58dcdfef72d7b6ca1492d5efbc197ccd6c3e864ad7b7e3c4dec
Opcode Fuzzy Hash: 81d62b0ca9b4a2b41c79595d19cad9cdfdf0471fae5ebca275ee23e61ee0e4ec
Instruction Fuzzy Hash: EC41E071900219DFCB10DF94CA44BEEBBB5FB05720F148259E81667391DB35AE40CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 006AEBD0 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006AEBFD
std::_Lockit::_Lockit.LIBCPMT ref: 006AEC20
std::_Lockit::~_Lockit.LIBCPMT ref: 006AEC48
std::_Facet_Register.LIBCPMT ref: 006AECBD
std::_Lockit::~_Lockit.LIBCPMT ref: 006AECE7

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 075fdcb7738ba7c1f6ca366746ad29e58affecb76f3d765936a1862c0f6fbfe7
Instruction ID: 727cad9f3ff51c5fc54a80d9c8ade13146806e8b42e1e3b8bcc852c15b0bd9bf
Opcode Fuzzy Hash: 075fdcb7738ba7c1f6ca366746ad29e58affecb76f3d765936a1862c0f6fbfe7
Instruction Fuzzy Hash: A241CE71800215DFCB10EF98D840BAEBBB5FB05720F158659E82267391DB35AE44CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 006AED10 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006AED3D
std::_Lockit::_Lockit.LIBCPMT ref: 006AED60
std::_Lockit::~_Lockit.LIBCPMT ref: 006AED88
std::_Facet_Register.LIBCPMT ref: 006AEDFD
std::_Lockit::~_Lockit.LIBCPMT ref: 006AEE27

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: c61d04669f4791da25df9f5652ba2773898038e27db78b1cfc1cdb630f305f85
Instruction ID: c23938a1673abe40af0a15bda23b68798f60ee0538716b34aebbdfb58580bf5d
Opcode Fuzzy Hash: c61d04669f4791da25df9f5652ba2773898038e27db78b1cfc1cdb630f305f85
Instruction Fuzzy Hash: 4B419D71800219DFCB11EF98C8407AEBBB6FB05720F248669E814A7391DB35AE40CF95

Uniqueness

Uniqueness Score: -1.00%

Function 006A7BB0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,00000010,?,006A7882,?,?), ref: 006A7BB7

Strings

Last error=, xrefs: 006A7C41
true, xrefs: 006A7BC1
Call to ShellExecuteEx() returned:, xrefs: 006A7BDD
false, xrefs: 006A7BC6

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: d68ebf16ca3ed6cfcea04e3efa7da11d872028099907a3846984d73a3925616d
Instruction ID: 2f9bf1cf08d10e9aac0b0820cad7bf3b9bcb977307780b83b43e1213ae65a3a3
Opcode Fuzzy Hash: d68ebf16ca3ed6cfcea04e3efa7da11d872028099907a3846984d73a3925616d
Instruction Fuzzy Hash: 29216D49A202628ACB702F3C88003B5A6F2EF55758F65187FDDC9D7390E6798CC2C794

Uniqueness

Uniqueness Score: -1.00%

Function 006B7372 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 006B7392
_Maklocstr.LIBCPMT ref: 006B73AF
_Maklocstr.LIBCPMT ref: 006B73CC
_Maklocchr.LIBCPMT ref: 006B73DE
_Maklocchr.LIBCPMT ref: 006B73F1

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: fb97b997aed1d2e33844298a9b62f440629be402d92849dc49c50d5db2492ead
Instruction ID: ac54aab1d6397c275eeaa0ecdc783dbf6edb5d47cd174bbab3de9e650f312a33
Opcode Fuzzy Hash: fb97b997aed1d2e33844298a9b62f440629be402d92849dc49c50d5db2492ead
Instruction Fuzzy Hash: 1D119EF25487847FEB20DBA58881F96B7EDAF88314F04051AF645CBA41D674F99087A8

Uniqueness

Uniqueness Score: -1.00%

Function 006B8066 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B806D
std::_Lockit::_Lockit.LIBCPMT ref: 006B8077

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

moneypunct.LIBCPMT ref: 006B80B1
std::_Facet_Register.LIBCPMT ref: 006B80C8
std::_Lockit::~_Lockit.LIBCPMT ref: 006B80E8

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 704c628bcd7af7656fe8f1f61e915615ccf6e0979f2fd5bb007efc294b6f51d2
Instruction ID: 89a2fe5f501d9eceece73c775311ec7e73e0fa1a456ef67a5decadbb7e052a13
Opcode Fuzzy Hash: 704c628bcd7af7656fe8f1f61e915615ccf6e0979f2fd5bb007efc294b6f51d2
Instruction Fuzzy Hash: 68018BB6900219DFCB05FBA4C859AEE7766AF84720F14850CE9116B2D2CF349E45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B80FB Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B8102
std::_Lockit::_Lockit.LIBCPMT ref: 006B810C

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

moneypunct.LIBCPMT ref: 006B8146
std::_Facet_Register.LIBCPMT ref: 006B815D
std::_Lockit::~_Lockit.LIBCPMT ref: 006B817D

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 9db7482167f83b8450c79a64e9df12dc5d68103977ba2c667cb71c2c8581a25d
Instruction ID: afffd2318408d09ec77f0328106132b7ef3c611d349f7536be873eea15d8c9f1
Opcode Fuzzy Hash: 9db7482167f83b8450c79a64e9df12dc5d68103977ba2c667cb71c2c8581a25d
Instruction Fuzzy Hash: 4F01A1B5901516DFCB05BBA8C855AFD7BA7AF84720F14450DF4116B282CF349E42CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B8190 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B8197
std::_Lockit::_Lockit.LIBCPMT ref: 006B81A1

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

moneypunct.LIBCPMT ref: 006B81DB
std::_Facet_Register.LIBCPMT ref: 006B81F2
std::_Lockit::~_Lockit.LIBCPMT ref: 006B8212

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 20540a7a58ee77cd584b16d6690856304ed57d82a8c0f044eb0b6702fb731f31
Instruction ID: a0f14ae680d481c91af13e91e82e4bcdc488ce5b8ae9dc0b6d7f7374e20b8be9
Opcode Fuzzy Hash: 20540a7a58ee77cd584b16d6690856304ed57d82a8c0f044eb0b6702fb731f31
Instruction Fuzzy Hash: 6B01CBB19006199FCB04BBA4C825AFE7BA7AF84720F24410CE9116B2C2CF349E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B796A Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7971
std::_Lockit::_Lockit.LIBCPMT ref: 006B797B

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

codecvt.LIBCPMT ref: 006B79B5
std::_Facet_Register.LIBCPMT ref: 006B79CC
std::_Lockit::~_Lockit.LIBCPMT ref: 006B79EC

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 7413549d09819834ef62fa594dd0fcf4ee17ad357753ec9e0b5cc7be5da7a771
Instruction ID: ab638b91c7e36c82e1686b79b9d443c16e43b475da4bfb747bcd3979b210cbaf
Opcode Fuzzy Hash: 7413549d09819834ef62fa594dd0fcf4ee17ad357753ec9e0b5cc7be5da7a771
Instruction Fuzzy Hash: DC01ADB59002199BCB04BBA4C856AFD7B67AF84720F24450DF811AB2C2CF349E81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 006B79FF Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7A06
std::_Lockit::_Lockit.LIBCPMT ref: 006B7A10

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

codecvt.LIBCPMT ref: 006B7A4A
std::_Facet_Register.LIBCPMT ref: 006B7A61
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7A81

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 54a18981ceb78dbaad10c28b846433befd61a9708021e5c857cd59f45de2bca5
Instruction ID: 257bc5b0320b4ac3547d9688a7bd878206830b54116dbf916a544d7c50a9e2e6
Opcode Fuzzy Hash: 54a18981ceb78dbaad10c28b846433befd61a9708021e5c857cd59f45de2bca5
Instruction Fuzzy Hash: CF01E1B69041198FCB40FBA4C815AFD7B63AF84720F24440CF8116B2C1DF749E40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7B29 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7B30
std::_Lockit::_Lockit.LIBCPMT ref: 006B7B3A

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

collate.LIBCPMT ref: 006B7B74
std::_Facet_Register.LIBCPMT ref: 006B7B8B
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7BAB

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: f727170cb318fe2a20e7f976ce24b032f2719b80d6672616c2ad9441f4aa522c
Instruction ID: 108f1ac9d785f83ecfc9eeb0f3167ba593ff3bb9c3d6d30fbb30432d6f29ee64
Opcode Fuzzy Hash: f727170cb318fe2a20e7f976ce24b032f2719b80d6672616c2ad9441f4aa522c
Instruction Fuzzy Hash: 9B018BB59002199BCB05FFA4C855AFDB7A2AF84720F14450CE9117B3C2CF349E418B98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7BBE Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7BC5
std::_Lockit::_Lockit.LIBCPMT ref: 006B7BCF

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

ctype.LIBCPMT ref: 006B7C09
std::_Facet_Register.LIBCPMT ref: 006B7C20
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7C40

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: e4365524ec79a2bd9c7fe3b3e4c423a6bf3708befb94e33f4e61f11dcba86988
Instruction ID: b57e49b8f41c6fb802d51cf355a9055bad55b31cbd5bde139a4a0232fcf38b8b
Opcode Fuzzy Hash: e4365524ec79a2bd9c7fe3b3e4c423a6bf3708befb94e33f4e61f11dcba86988
Instruction Fuzzy Hash: 2C01ADB59002199FCB05BBA4C855AFD7BA2AF84720F15450CF9116B3D1CF349E419B98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7C53 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7C5A
std::_Lockit::_Lockit.LIBCPMT ref: 006B7C64

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

messages.LIBCPMT ref: 006B7C9E
std::_Facet_Register.LIBCPMT ref: 006B7CB5
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7CD5

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 67d049e5475519214afc0a8cc1631a509c2b24c7da8f73195492e2d4e4a1d23f
Instruction ID: c7a7b742298e0178aa179034ecf94205bb47981b85255fb90ccc453d5af37a9a
Opcode Fuzzy Hash: 67d049e5475519214afc0a8cc1631a509c2b24c7da8f73195492e2d4e4a1d23f
Instruction Fuzzy Hash: 9701ADB59002199FCB05BFA4C855AFD7BA6EF84720F25450CF9116B382CF749E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7CE8 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7CEF
std::_Lockit::_Lockit.LIBCPMT ref: 006B7CF9

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

messages.LIBCPMT ref: 006B7D33
std::_Facet_Register.LIBCPMT ref: 006B7D4A
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7D6A

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 5f1fd95bdc000552c724f5ed8a3cc98ad143d6fe9c7a801f64c6aa0ce1d62059
Instruction ID: 0a12270b4ffa3c649086bdfa530521dac8cf9eead786f2188aa8f2b5b3b9fb92
Opcode Fuzzy Hash: 5f1fd95bdc000552c724f5ed8a3cc98ad143d6fe9c7a801f64c6aa0ce1d62059
Instruction Fuzzy Hash: C601ADB59002199BCB05FBA4C855AFD7BA2AF84720F14450CF8116B3D2CF349E41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 006B7FD1 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7FD8
std::_Lockit::_Lockit.LIBCPMT ref: 006B7FE2

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

moneypunct.LIBCPMT ref: 006B801C
std::_Facet_Register.LIBCPMT ref: 006B8033
std::_Lockit::~_Lockit.LIBCPMT ref: 006B8053

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 0805380fccd47bd7dd0e5da4f399e21d8e7d4d4021d975feb08f224d4e9091e2
Instruction ID: 4867bbb748cf5d55c692b7706ed2f5f7fa9ee80c59f05c7aea7abebf5471b7f7
Opcode Fuzzy Hash: 0805380fccd47bd7dd0e5da4f399e21d8e7d4d4021d975feb08f224d4e9091e2
Instruction Fuzzy Hash: E9018EB59006199FCB04FBA4C855AFE77A6AF84720F14450CF9116B381CF389E45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006C8C37 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00706AF8,?,?,006A2627,0070771C,006EE130), ref: 006C8C41
LeaveCriticalSection.KERNEL32(00706AF8,?,?,006A2627,0070771C,006EE130), ref: 006C8C74
RtlWakeAllConditionVariable.NTDLL ref: 006C8CEB
SetEvent.KERNEL32(?,006A2627,0070771C,006EE130), ref: 006C8CF5
ResetEvent.KERNEL32(?,006A2627,0070771C,006EE130), ref: 006C8D01

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: ef8db41a76dbb17fd2fe49e50a6524ac7fdb769ab15199e7d90c3d16edcf3777
Instruction ID: 5583374882af85fccaef6ae31a1e7b368196e0270a33d9dd9c5ba274d6fe1ab6
Opcode Fuzzy Hash: ef8db41a76dbb17fd2fe49e50a6524ac7fdb769ab15199e7d90c3d16edcf3777
Instruction Fuzzy Hash: C8016DB1A01650DFC714AF68FD68A9A37A6FB09301705C17AF8019B321CF781810CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 006A6010 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 006A6074
GetLastError.KERNEL32 ref: 006A6110

Part of subcall function 006A1FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,006EA78D,000000FF,?,80070057,?,?,00000000,00000010,006A1B09,?), ref: 006A2040

LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,006FD2DC,00000001,00000000), ref: 006A60CE

Strings

ntdll.dll, xrefs: 006A60A6

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
String ID: ntdll.dll
API String ID: 4113295189-2227199552
Opcode ID: a9bd3b58e926dfa8b006853e1c8a486feaf66efe3224f599891af2e81f4fe5ea
Instruction ID: 5d8fffa7af6e6fecfa6e188c86b32a474e30cc73d92f2e9eb6703d541d0bd7c2
Opcode Fuzzy Hash: a9bd3b58e926dfa8b006853e1c8a486feaf66efe3224f599891af2e81f4fe5ea
Instruction Fuzzy Hash: 1D319F716006499BDB20EF68CD44BAEBBF6BF45B10F14862DF525D72C1EB70AA048F50

Uniqueness

Uniqueness Score: -1.00%

Function 006C6128 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C612F
_Mpunct.LIBCPMT ref: 006C61BC
_Mpunct.LIBCPMT ref: 006C61D6

Strings

$+xv, xrefs: 006C61E1

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 26f4c79b4b7a87eddde655ac6200d9820285c226dcb48129922aab3971dccd1d
Instruction ID: 6ae9372ff89bcdde0033bbe6948a34eb1f36e1518828cb6744e7d0ba8044659b
Opcode Fuzzy Hash: 26f4c79b4b7a87eddde655ac6200d9820285c226dcb48129922aab3971dccd1d
Instruction Fuzzy Hash: C421A3B1904A926EDB61DF75C890B7B7EE9AB08301F04051EF099C7E42D730EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006BDDF5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006BDDFC

Part of subcall function 006B7372: _Maklocstr.LIBCPMT ref: 006B7392
Part of subcall function 006B7372: _Maklocstr.LIBCPMT ref: 006B73AF
Part of subcall function 006B7372: _Maklocstr.LIBCPMT ref: 006B73CC
Part of subcall function 006B7372: _Maklocchr.LIBCPMT ref: 006B73DE
Part of subcall function 006B7372: _Maklocchr.LIBCPMT ref: 006B73F1

_Mpunct.LIBCPMT ref: 006BDE89
_Mpunct.LIBCPMT ref: 006BDEA3

Strings

$+xv, xrefs: 006BDEAE

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: fc199fee2d7fb82e26b760a1e6efc458ab1c587c67bc290e10cb6222d8c264f0
Instruction ID: cbb602c4fa249b06e670c72bfe9c2378fc541b38395bddc3b8d5d57efacaa6fb
Opcode Fuzzy Hash: fc199fee2d7fb82e26b760a1e6efc458ab1c587c67bc290e10cb6222d8c264f0
Instruction Fuzzy Hash: C021C7F1904B516ED765DF748480BBB7EF9AB0C700F04051EE499CBA41E730EA42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006CD422 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,006CD3D3,00000000,?,00706EA4,?,?,?,006CD576,00000004,InitializeCriticalSectionEx,006F192C,InitializeCriticalSectionEx), ref: 006CD42F
GetLastError.KERNEL32(?,006CD3D3,00000000,?,00706EA4,?,?,?,006CD576,00000004,InitializeCriticalSectionEx,006F192C,InitializeCriticalSectionEx,00000000,?,006CD32D), ref: 006CD439
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006CD461

Strings

api-ms-, xrefs: 006CD446

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: ef25fd43f1fccbd264e1d1be444f2c5c1ea1a95f4ff7fa5a71b308057aa8e801
Instruction ID: 6ca0a52d3eb1c71ad98cd18d43833bbc7b693d449f8d0305b897a764d716a592
Opcode Fuzzy Hash: ef25fd43f1fccbd264e1d1be444f2c5c1ea1a95f4ff7fa5a71b308057aa8e801
Instruction Fuzzy Hash: 88E01A30680348B7EB201B61EC46FAC3B97AB01B91F208035FA0DEC1A1D7B2A9519684

Uniqueness

Uniqueness Score: -1.00%

Function 006AE2F0 Relevance: 6.4, APIs: 4, Instructions: 426COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 006AE390
_strcspn.LIBCMT ref: 006AE3B2
LocalFree.KERNEL32(?), ref: 006AE71B
LocalFree.KERNEL32(?), ref: 006AE763

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: FreeLocal_strcspn
String ID:
API String ID: 2585785616-0
Opcode ID: 6a5dbd8f83a51d6b1b7ebfa72ea3e4214a9da82819d9d192f41752eb61c930e9
Instruction ID: 40f27bad40203b09f368572040e2167363e204b481beb03de216f126755109b6
Opcode Fuzzy Hash: 6a5dbd8f83a51d6b1b7ebfa72ea3e4214a9da82819d9d192f41752eb61c930e9
Instruction Fuzzy Hash: 6CF14675A002499FDF14EFA8C884AEEBBF6EF49304F144169E415AB351D732AE45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 006E878B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(210DFF48,?,00000000,?), ref: 006E87EE

Part of subcall function 006E143B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,006DD937,?,00000000,-00000008), ref: 006E14E7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006E8A49
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 006E8A91
GetLastError.KERNEL32 ref: 006E8B34

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 53137729805adb563567fa45afce43fe816790b2a0594b41729648faac010409
Instruction ID: 463228d9764dbca28824a486f8684ae388adcc24959c1ab2d08072e2fd40eb56
Opcode Fuzzy Hash: 53137729805adb563567fa45afce43fe816790b2a0594b41729648faac010409
Instruction Fuzzy Hash: 1DD15AB5D052889FCB15CFE9C8909EDBBB6FF08300F18416AE859EB351DB30A942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 006B8C6E Relevance: 6.3, APIs: 4, Instructions: 319COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006B8C75
_strcspn.LIBCMT ref: 006B8CE0
_strcspn.LIBCMT ref: 006B8D00
ctype.LIBCPMT ref: 006B8D70

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 8aa27dc2e498fd8465c0a0f58dece0b9be822e9379cd672a9db62c0ea900bd4d
Instruction ID: f061ad3a1d33960498617d61fe9c57b24bd290dfcce207df0e61b50c43883e05
Opcode Fuzzy Hash: 8aa27dc2e498fd8465c0a0f58dece0b9be822e9379cd672a9db62c0ea900bd4d
Instruction Fuzzy Hash: 19C16DB1D00209DFDF15DF94C981AEEBBBAFF48310F14405AE905AB251DB34AE86CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006B2A2F Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006B2A36
_strcspn.LIBCMT ref: 006B2AA1
_strcspn.LIBCMT ref: 006B2AC1
ctype.LIBCPMT ref: 006B2B31

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: d137f2fb6f1263653d6735500e07b8b862efbd09c5ce688e12d62cd40c9edcdf
Instruction ID: 60ed8beb46d00e4de8f912ca046b63dfb9f12e940484f3347d2dbd4b6a766254
Opcode Fuzzy Hash: d137f2fb6f1263653d6735500e07b8b862efbd09c5ce688e12d62cd40c9edcdf
Instruction Fuzzy Hash: 5AC16DB1D0020A9FDF55DF98C9919EEBBFAFF08310F144059E805A7251D734AE85CB65

Uniqueness

Uniqueness Score: -1.00%

Function 006CC3E5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 006CC4AC
___AdjustPointer.LIBCMT ref: 006CC4CF
___AdjustPointer.LIBCMT ref: 006CC56B

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: b94f5710b794b22872f3e912c16d0cd9a72507d297b6a55ee77f9632c739a7e5
Instruction ID: 8ce92b7b523b93d74c70b7fbb06ec9a529b14075ad8be4f68f939bd367c7233e
Opcode Fuzzy Hash: b94f5710b794b22872f3e912c16d0cd9a72507d297b6a55ee77f9632c739a7e5
Instruction Fuzzy Hash: CD511572600206DFDB298F94C895FBA73E7EF44324F54812DE80A87291D731EC91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006D8F28 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40504b2621e4f4c3a6294113eb2c9f8f29dd24856aac60a155ce11ec9f0f1e0
Instruction ID: 9dacef62f9ba6c1cf5e431b65b4f7bf2401dd1a5e6323ee2b38cc75a01eb7c4c
Opcode Fuzzy Hash: c40504b2621e4f4c3a6294113eb2c9f8f29dd24856aac60a155ce11ec9f0f1e0
Instruction Fuzzy Hash: 57216A31A08209AFDB61AF65DC89DAA77ABEF443A4710852EF915D7350EF30ED41C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 006A8FA0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,75475490,006A8ABA,00000000,?,?,?,?,?,?,?,00000000,006EB685,000000FF), ref: 006A8FA7

Strings

Last error=, xrefs: 006A9001
Call to ShellExecute() for verb<, xrefs: 006A8FB1
> returned:, xrefs: 006A8FB6

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: 68096fb1de10c777883ee33e3a5b55c83ef38745614cc6be3b0208856daea2b2
Instruction ID: 774c230a07c626715c74b3c86829c82a630d1c5117cb57d55a6f13115fa5126a
Opcode Fuzzy Hash: 68096fb1de10c777883ee33e3a5b55c83ef38745614cc6be3b0208856daea2b2
Instruction Fuzzy Hash: 1A219209A1026286CB702F3C8400375A6F3EF55758F25042FD9C8D7390FA658C81C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 006B454B Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B4552
std::_Lockit::_Lockit.LIBCPMT ref: 006B455C
std::_Lockit::~_Lockit.LIBCPMT ref: 006B4603
Concurrency::cancel_current_task.LIBCPMT ref: 006B460E

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID:
API String ID: 4244582100-0
Opcode ID: 6bee0407c7c7ecb91dafb4dc0d54701132d0f73787a168e2b00ad0796ac9b957
Instruction ID: a503d97665511919ec0c24070106739ba2fd909f45e6db65c9735c6af12ac80b
Opcode Fuzzy Hash: 6bee0407c7c7ecb91dafb4dc0d54701132d0f73787a168e2b00ad0796ac9b957
Instruction Fuzzy Hash: 2F216975A00A16AFDB14EF14C8A1AADB762FF49710F018459E9169F7A1CF30EE90CF84

Uniqueness

Uniqueness Score: -1.00%

Function 006B13A0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,210DFF48), ref: 006B13DC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 006B13FC
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 006B142D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 006B1446

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 6e1ac46d60b06d9b1fe9d3e57efbbb708fd1b0850a71142801e088d536bd9dd9
Instruction ID: 195cf72f90cbae13e606895beb42c19d4f3c0c6d20b19bff1ff0631f4a9234f3
Opcode Fuzzy Hash: 6e1ac46d60b06d9b1fe9d3e57efbbb708fd1b0850a71142801e088d536bd9dd9
Instruction Fuzzy Hash: 9D218170941358ABD720DF54DC46FEABBF9EB05B24F10422AF610AB2C0D7B46A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 006A2510 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C8C81: EnterCriticalSection.KERNEL32(00706AF8,00000000,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26), ref: 006C8C8C
Part of subcall function 006C8C81: LeaveCriticalSection.KERNEL32(00706AF8,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26,?,?,?,210DFF48), ref: 006C8CC9

GetProcessHeap.KERNEL32 ref: 006A2565

Part of subcall function 006C8C37: EnterCriticalSection.KERNEL32(00706AF8,?,?,006A2627,0070771C,006EE130), ref: 006C8C41
Part of subcall function 006C8C37: LeaveCriticalSection.KERNEL32(00706AF8,?,?,006A2627,0070771C,006EE130), ref: 006C8C74
Part of subcall function 006C8C37: RtlWakeAllConditionVariable.NTDLL ref: 006C8CEB

Strings

wp, xrefs: 006A2607
<wp, xrefs: 006A25DA
wp, xrefs: 006A262A

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID: wp$ wp$<wp
API String ID: 325507722-1711493401
Opcode ID: c053c9e5890ed776adeb3069ef95de70bf69581f461d32702bed41a66bcd21a2
Instruction ID: 2928865b4cd2af0cf967ce4d91c2bbd8cdc69d95106bfaa35f5795d39607c4e3
Opcode Fuzzy Hash: c053c9e5890ed776adeb3069ef95de70bf69581f461d32702bed41a66bcd21a2
Instruction Fuzzy Hash: E02159B0C49340DFC718DFA8EC45B9977E2E7053A0F10A769E421973D0DBB96900CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 006B82BA Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B82C1
std::_Lockit::_Lockit.LIBCPMT ref: 006B82CB

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B831C
std::_Lockit::~_Lockit.LIBCPMT ref: 006B833C

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 15c26b392c0a54b40162bce6a13ef034a5b0db3c3fbeac1b230121996c041bf9
Instruction ID: 6fdf73ae3e95eb69a8f2e4340d55c19b4012103c979c90ff3462d10632b7f822
Opcode Fuzzy Hash: 15c26b392c0a54b40162bce6a13ef034a5b0db3c3fbeac1b230121996c041bf9
Instruction Fuzzy Hash: 41018EB6900155DFCB05BFA4C855AFD77A6AF85720F14850DE811AB292CF349E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B8479 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B8480
std::_Lockit::_Lockit.LIBCPMT ref: 006B848A

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B84DB
std::_Lockit::~_Lockit.LIBCPMT ref: 006B84FB

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 178b9804940c4152d8df02d9351add8b3ae07857c5c50b70c6ffea7de26f0da7
Instruction ID: 36b3a007ad40981325dfc39e1ef4ef6ed06361c381cdec086226e5e0f840cc1d
Opcode Fuzzy Hash: 178b9804940c4152d8df02d9351add8b3ae07857c5c50b70c6ffea7de26f0da7
Instruction Fuzzy Hash: 9B01A1B59002559FCB04FBA4C855AFD77A7AF85720F14451CF9116B391CF389E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B850E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B8515
std::_Lockit::_Lockit.LIBCPMT ref: 006B851F

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B8570
std::_Lockit::~_Lockit.LIBCPMT ref: 006B8590

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 56775c02c822d4727857342c71b947092342c76f1730ba29ed22a32f35a039e0
Instruction ID: 77a2530450da08c8b6be7cc7f19d332b6ee3a2429653116282334d17a2947182
Opcode Fuzzy Hash: 56775c02c822d4727857342c71b947092342c76f1730ba29ed22a32f35a039e0
Instruction Fuzzy Hash: 1501E1B29106199FCB40BFA4C855AFD7BA7AF84720F14451DF5116B382CF349E40CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B85A3 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B85AA
std::_Lockit::_Lockit.LIBCPMT ref: 006B85B4

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B8605
std::_Lockit::~_Lockit.LIBCPMT ref: 006B8625

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: c161493f0b094174ed1001f02d0ee214b1c6993c08c97a0c0bcf632a333cd34e
Instruction ID: e085025e3721af6170ad43519725d395f5f11c49f9d5fbfc6dd9db7bd6568587
Opcode Fuzzy Hash: c161493f0b094174ed1001f02d0ee214b1c6993c08c97a0c0bcf632a333cd34e
Instruction Fuzzy Hash: 26018EB69002159FCB44FBA4C865AEDB766AF84720F14850DE811AB381DF389E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7D7D Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7D84
std::_Lockit::_Lockit.LIBCPMT ref: 006B7D8E

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B7DDF
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7DFF

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9a067ea8c17b17164c13027b1e512362ff80e298dda4b582dff744397fe22551
Instruction ID: 4ac2ce997acad46bdea22cd0f8ce980d8eeb7fee05e19ef466be437d2e7cb83d
Opcode Fuzzy Hash: 9a067ea8c17b17164c13027b1e512362ff80e298dda4b582dff744397fe22551
Instruction Fuzzy Hash: CA01ADB59002199BCB05BBA4C855AFE7BB2AF84720F24450DF9116B2D2CF789E418B98

Uniqueness

Uniqueness Score: -1.00%

Function 006C4DA3 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006C4DAA
std::_Lockit::_Lockit.LIBCPMT ref: 006C4DB4

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006C4E05
std::_Lockit::~_Lockit.LIBCPMT ref: 006C4E25

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 2bf6e8f80e24216d4157c7533b555c693db4ac647e09c464411f7204e0dd018b
Instruction ID: 2c14a1fb1376d2dd9d125359f3ae617272357ee7815b07b2bd6b782b8979dd11
Opcode Fuzzy Hash: 2bf6e8f80e24216d4157c7533b555c693db4ac647e09c464411f7204e0dd018b
Instruction Fuzzy Hash: BD01A1759002159FCB45FBA4C865BBE7762FF84720F15450DF9126B291CF349E01CB99

Uniqueness

Uniqueness Score: -1.00%

Function 006B7E12 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7E19
std::_Lockit::_Lockit.LIBCPMT ref: 006B7E23

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B7E74
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7E94

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b7d0c2d935d82c1b9d277af5785e58f1c04b719c10d890b7314028aba3d22830
Instruction ID: 09362e40936e1b705982827aabf4ee8515520fc43985e26a409a832075a24f4f
Opcode Fuzzy Hash: b7d0c2d935d82c1b9d277af5785e58f1c04b719c10d890b7314028aba3d22830
Instruction Fuzzy Hash: 8A018EB69002199BCB04EBA4C855AED7762AF84720F14454CF8116B382CF349E418B98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7EA7 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7EAE
std::_Lockit::_Lockit.LIBCPMT ref: 006B7EB8

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B7F09
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7F29

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: d3a927ceb206576e0d254dd08171c05cd8cadb1498fa26c37631ed503e4fb1ee
Instruction ID: b56218672479dccd49f16f575db30c5fd4a39a2ade0aa38573deb0e3d85e5259
Opcode Fuzzy Hash: d3a927ceb206576e0d254dd08171c05cd8cadb1498fa26c37631ed503e4fb1ee
Instruction Fuzzy Hash: AF01E1B29006199BCB00FBA0C855AFD7767AF84720F14450CF8126B2C1CF349E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B7F3C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B7F43
std::_Lockit::_Lockit.LIBCPMT ref: 006B7F4D

Part of subcall function 006ABC80: std::_Lockit::_Lockit.LIBCPMT ref: 006ABCB0
Part of subcall function 006ABC80: std::_Lockit::~_Lockit.LIBCPMT ref: 006ABCD8

std::_Facet_Register.LIBCPMT ref: 006B7F9E
std::_Lockit::~_Lockit.LIBCPMT ref: 006B7FBE

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 50e5f8bddac55035b34d6f364e2059030fd4523e72df92554227d29695e9a943
Instruction ID: 95f225b0b05b851e8a2b9abfee1fd86be04607bb64c4fe52bcdf7132b84b6ce6
Opcode Fuzzy Hash: 50e5f8bddac55035b34d6f364e2059030fd4523e72df92554227d29695e9a943
Instruction Fuzzy Hash: FC01A1B69001159BCB04FBA4C855AFDB776AF84720F14450DF9116B3C2CF349E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 006B5FC6 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 006B5FCD
std::_Lockit::_Lockit.LIBCPMT ref: 006B5FD8
std::_Lockit::~_Lockit.LIBCPMT ref: 006B6046

Part of subcall function 006B6128: std::locale::_Locimp::_Locimp.LIBCPMT ref: 006B6140

std::locale::_Setgloballocale.LIBCPMT ref: 006B5FF3

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 418c1dbf3181695349ad18665ff1063d94a124cd5bea6e249027265d1ee5957c
Instruction ID: ee95cafac21c04e39095361b1ea9fc0d66e0f2cf02b77a8cfbd1f68cddcf882c
Opcode Fuzzy Hash: 418c1dbf3181695349ad18665ff1063d94a124cd5bea6e249027265d1ee5957c
Instruction Fuzzy Hash: 6F01BCB5A002109BDB45FF64C855ABD7BA3FF85700B05800CF91157382CF78AE42CB89

Uniqueness

Uniqueness Score: -1.00%

Function 006EA076 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,006E9A43,?,00000001,?,?,?,006E8B88,?,?,00000000), ref: 006EA08D
GetLastError.KERNEL32(?,006E9A43,?,00000001,?,?,?,006E8B88,?,?,00000000,?,?,?,006E910F,?), ref: 006EA099

Part of subcall function 006EA05F: CloseHandle.KERNEL32(FFFFFFFE,006EA0A9,?,006E9A43,?,00000001,?,?,?,006E8B88,?,?,00000000,?,?), ref: 006EA06F

___initconout.LIBCMT ref: 006EA0A9

Part of subcall function 006EA021: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006EA050,006E9A30,?,?,006E8B88,?,?,00000000,?), ref: 006EA034

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,006E9A43,?,00000001,?,?,?,006E8B88,?,?,00000000,?), ref: 006EA0BE

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7200c633461d6366c2ef8e3e01330de8e445192415760f7d0b2e2b29374e8bb9
Instruction ID: 88697d8112a143123abf5bca0c399b4e112d0d2be99ff3aa5d5e870b123398ca
Opcode Fuzzy Hash: 7200c633461d6366c2ef8e3e01330de8e445192415760f7d0b2e2b29374e8bb9
Instruction Fuzzy Hash: C6F01C36101699BBCF722FD2DC4898A3F67FF087B4F108120FA198A121DA329820DB95

Uniqueness

Uniqueness Score: -1.00%

Function 006C8D09 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,006C8CA6,00000064), ref: 006C8D2C
LeaveCriticalSection.KERNEL32(00706AF8,?,?,006C8CA6,00000064,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26), ref: 006C8D36
WaitForSingleObjectEx.KERNEL32(?,00000000,?,006C8CA6,00000064,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26), ref: 006C8D47
EnterCriticalSection.KERNEL32(00706AF8,?,006C8CA6,00000064,?,?,006A25B6,0070771C,210DFF48,?,00000000,006EA7ED,000000FF,?,006A1A26), ref: 006C8D4E

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: fc405ad7e22b6af5767cc4f8594d59bb22eef8c591d620cf8a5155c86288ce61
Instruction ID: 505bfe61c1e7a7c87180484af152a2e4c7951c0a193b66b56171e86aa2442a3e
Opcode Fuzzy Hash: fc405ad7e22b6af5767cc4f8594d59bb22eef8c591d620cf8a5155c86288ce61
Instruction Fuzzy Hash: E8E09BB1641264FBC7113BD0EC24E9D3F66EF04751B11C132F5056B1A1CFB519108BD5

Uniqueness

Uniqueness Score: -1.00%

Function 006E31BC Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

pPp, xrefs: 006E34CF
pPp, xrefs: 006E31EA

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID:
String ID: pPp$pPp
API String ID: 0-357014332
Opcode ID: ec582ec5182f3f27c4aa1938974ff4dae2f5bc365c91f8d2e2e4f638142d6147
Instruction ID: b85a0291a32ab690071df9719efafadd8f139e0d575a18bcbd34f8c29165d81c
Opcode Fuzzy Hash: ec582ec5182f3f27c4aa1938974ff4dae2f5bc365c91f8d2e2e4f638142d6147
Instruction Fuzzy Hash: EAC195B2E01344BFDB60DBA9CC46FEE77F99B09741F140169FA04EB382E6709A419B54

Uniqueness

Uniqueness Score: -1.00%

Function 006B3D2F Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 352COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006B3D36

Part of subcall function 006B27D3: __EH_prolog3.LIBCMT ref: 006B27DA
Part of subcall function 006B27D3: std::_Lockit::_Lockit.LIBCPMT ref: 006B27E4
Part of subcall function 006B27D3: std::_Lockit::~_Lockit.LIBCPMT ref: 006B2855

Part of subcall function 006AA250: LocalAlloc.KERNEL32(00000040,80000023,00000000,?,?,?,?,006B403E,00000001,?,00000000,?,?,00000001,?,?), ref: 006AA293
Part of subcall function 006AA250: LocalFree.KERNEL32(7FFFFFFF,?,?), ref: 006AA339

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 006B3D9E
tLk, xrefs: 006B3D58, 006B3D5C

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: LocalLockitstd::_$AllocFreeH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx$tLk
API String ID: 1009823702-4131611741
Opcode ID: 2e258b4b1e1e6b61b7ae742f84787326823a73bbd9dde2ee269351ccfc0bb5b5
Instruction ID: 83cced20fc675295e1a0cb78dddbd84f405656f8b79ac6839b3ef9e91bbc8ada
Opcode Fuzzy Hash: 2e258b4b1e1e6b61b7ae742f84787326823a73bbd9dde2ee269351ccfc0bb5b5
Instruction Fuzzy Hash: B9D18FB0E042989EDF15EFA8C5807ECBBB3AF55300F24405AE5856B383DB319E86CB55

Uniqueness

Uniqueness Score: -1.00%

Function 006D84AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006D853D

Strings

pow, xrefs: 006D8515, 006D8532

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a584257d9960cd79a164d54abe8128e57d224157b96dddc71ced6e7739e27640
Instruction ID: 4cd3789ca624effc5fe4232f193a08c83782c81ac67608e3646a2f7a2ec42552
Opcode Fuzzy Hash: a584257d9960cd79a164d54abe8128e57d224157b96dddc71ced6e7739e27640
Instruction Fuzzy Hash: 79518B61D0A3429EEB51B719DD053FA2BA79B50710F308D6AE0D1433A9EF748CD1CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 006C8040 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 006C81A4

Strings

-, xrefs: 006C81D5
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 006C810A, 006C8141, 006C8146

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: df2b03ca7a9eb741470842d9d7326fdc67d02e6a14b154b95578805e59baac0b
Instruction ID: 6dd41a3e38a6ed6b125a4a5e6249d77f17c0e4d12d41d071c7048e377a2f1ece
Opcode Fuzzy Hash: df2b03ca7a9eb741470842d9d7326fdc67d02e6a14b154b95578805e59baac0b
Instruction Fuzzy Hash: FF51F330B0428A9EDB358E6D8851BFEBBFBEF55310F18806EE49197341CA7089478B64

Uniqueness

Uniqueness Score: -1.00%

Function 006AF800 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 006AF9DE

Strings

true, xrefs: 006AF91B
false, xrefs: 006AF905

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: aa74f28fdd5ad967691bd957fa49b98d7f323238cd01c33bef2598e21549253f
Instruction ID: 468308ba50e2f481b223e6c66565e3b7308d3f05a7f11ec606c556336ac83db3
Opcode Fuzzy Hash: aa74f28fdd5ad967691bd957fa49b98d7f323238cd01c33bef2598e21549253f
Instruction Fuzzy Hash: 165184B1D003489FDB10DFA4C941BEEB7B9FF05314F14826EE845AB281E775AA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006C3133 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C313A
_swprintf.LIBCMT ref: 006C31B2

Part of subcall function 006B7BBE: __EH_prolog3.LIBCMT ref: 006B7BC5
Part of subcall function 006B7BBE: std::_Lockit::_Lockit.LIBCPMT ref: 006B7BCF
Part of subcall function 006B7BBE: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7C40

Strings

%.0Lf, xrefs: 006C31AA

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 2348759532-1402515088
Opcode ID: 71128a7f7db921afc733997d6a034a9aba757f94f85b40f01c0c312f0b1385db
Instruction ID: 436e0b41bbe8679c22fcc05d554796700362ba7b494997176359bd4fc8b6a543
Opcode Fuzzy Hash: 71128a7f7db921afc733997d6a034a9aba757f94f85b40f01c0c312f0b1385db
Instruction Fuzzy Hash: B4513971D00218AFDF05EFE4D845AEDBBBAFB08300F108459E506AB2A5DB359A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 006C342C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C3433
_swprintf.LIBCMT ref: 006C34AB

Part of subcall function 006AB4A0: std::_Lockit::_Lockit.LIBCPMT ref: 006AB4CD
Part of subcall function 006AB4A0: std::_Lockit::_Lockit.LIBCPMT ref: 006AB4F0
Part of subcall function 006AB4A0: std::_Lockit::~_Lockit.LIBCPMT ref: 006AB518
Part of subcall function 006AB4A0: std::_Lockit::~_Lockit.LIBCPMT ref: 006AB5B7

Strings

%.0Lf, xrefs: 006C34A3

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: cc6cbfaf79fe72a06db8d2d03f3eabe79b3254ef42dd1297773b1033d9047054
Instruction ID: f47ec9751718e980713d1a398f71b7b028ae8dd095819f5e67eef392a04e3c93
Opcode Fuzzy Hash: cc6cbfaf79fe72a06db8d2d03f3eabe79b3254ef42dd1297773b1033d9047054
Instruction Fuzzy Hash: 6E513A71D00218AFCF09EFE4D845AEDBBBAFF09300F108459E506AB2A5DB359A55CF54

Uniqueness

Uniqueness Score: -1.00%

Function 006C79FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C7A05
_swprintf.LIBCMT ref: 006C7A7D

Part of subcall function 006AC530: std::_Lockit::_Lockit.LIBCPMT ref: 006AC55D
Part of subcall function 006AC530: std::_Lockit::_Lockit.LIBCPMT ref: 006AC580
Part of subcall function 006AC530: std::_Lockit::~_Lockit.LIBCPMT ref: 006AC5A8
Part of subcall function 006AC530: std::_Lockit::~_Lockit.LIBCPMT ref: 006AC647

Strings

%.0Lf, xrefs: 006C7A75

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 4d74f2c4704eed6adc8ce7305b3669536910095727143d17c0dfe5769812fc37
Instruction ID: 079aee4ce78ae9cc3cca884abc20d8dfd16101069d3ab989748a2b1917c0830e
Opcode Fuzzy Hash: 4d74f2c4704eed6adc8ce7305b3669536910095727143d17c0dfe5769812fc37
Instruction Fuzzy Hash: D9514771D14208AFCF09EFE4D845AEEBBBAFB48300F10845DE506AB2A5DB359A15CF54

Uniqueness

Uniqueness Score: -1.00%

Function 006A95A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

\\?\, xrefs: 006A96EE, 006A971B
\\?\UNC\, xrefs: 006A9677, 006A96D2

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 374bf96e1542e06189d4ef86fc2e54b1961aa4477107ce031a559f1ff7518341
Instruction ID: 4e533058a8a2a51f4aeac42963a8ae7950c88e4cca737ca55eee41f634a98560
Opcode Fuzzy Hash: 374bf96e1542e06189d4ef86fc2e54b1961aa4477107ce031a559f1ff7518341
Instruction Fuzzy Hash: 8E519070E002049BDB14DF64C995BAEB7F6FF9A314F20951DE502A7280DB75AD84CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 006A3CE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131encryptionCOMMON

Download Yara Rule

APIs

CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 006A3D23
CertGetNameStringW.CRYPT32(000000FF,00000004,00000000,00000000,00000010,000000FF), ref: 006A3DBF

Strings

x-j, xrefs: 006A3CFE, 006A3E20, 006A3D55

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CertNameString
String ID: x-j
API String ID: 149855834-686699091
Opcode ID: a692ddca48a008cca76571eee12a446d7b4c763ef38b592049b7fb8573726664
Instruction ID: 51c30afef5674cc1a35e9efcfc17cb25876e3bddbab5a76d2905655a9d3563b7
Opcode Fuzzy Hash: a692ddca48a008cca76571eee12a446d7b4c763ef38b592049b7fb8573726664
Instruction Fuzzy Hash: 6A41A070A006469FD714EF68CC05BAAFBB5FF85314F20422EE915E7790E7B5AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006CC9E1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 006CCA06

Strings

RCC, xrefs: 006CCA20
MOC, xrefs: 006CCA18

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 48b6c8766eea3d80a7c4c0bdecb3d101d289897d9de7a63fbbf3e71ee90562a0
Instruction ID: a77a2cf35036b0fa7cd8b1f0880dbe0b081c0eac331a246cd385e02ef1cb2953
Opcode Fuzzy Hash: 48b6c8766eea3d80a7c4c0bdecb3d101d289897d9de7a63fbbf3e71ee90562a0
Instruction Fuzzy Hash: 2941347290024DAFCF15DFD8C986EEEBBB6EF48320F18809DF908A6211D735A950DB55

Uniqueness

Uniqueness Score: -1.00%

Function 006C3005 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C300C

Part of subcall function 006B7BBE: __EH_prolog3.LIBCMT ref: 006B7BC5
Part of subcall function 006B7BBE: std::_Lockit::_Lockit.LIBCPMT ref: 006B7BCF
Part of subcall function 006B7BBE: std::_Lockit::~_Lockit.LIBCPMT ref: 006B7C40

Strings

%.0Lf, xrefs: 006C3057
0123456789-, xrefs: 006C305C

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2728201062-3094241602
Opcode ID: 31b83f30e4a9226e8d4693a50b3573eb85b3d3af512784988bd50c418bbe99e7
Instruction ID: 2c7aefd5ab59931bd6ef614e60e7a70735cdfeaee04d0655e49eef0b1b3564e6
Opcode Fuzzy Hash: 31b83f30e4a9226e8d4693a50b3573eb85b3d3af512784988bd50c418bbe99e7
Instruction Fuzzy Hash: AF413B72A00228DFCF05EFA4D981EEEBBB6FF08310F10405DE901AB251DB319A55CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006C32FE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C3305

Part of subcall function 006AB4A0: std::_Lockit::_Lockit.LIBCPMT ref: 006AB4CD
Part of subcall function 006AB4A0: std::_Lockit::_Lockit.LIBCPMT ref: 006AB4F0
Part of subcall function 006AB4A0: std::_Lockit::~_Lockit.LIBCPMT ref: 006AB518
Part of subcall function 006AB4A0: std::_Lockit::~_Lockit.LIBCPMT ref: 006AB5B7

Strings

0123456789-, xrefs: 006C3350
0123456789-, xrefs: 006C3355

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: ce3adf5af0cac09e9b0944a21e56e5dd07abada95197e6a9b1e032f2d9b9f025
Instruction ID: 79af2b16c999b9f937eb22419f7f94ff8a81b25aa7ca1652e98e4915576eb0b2
Opcode Fuzzy Hash: ce3adf5af0cac09e9b0944a21e56e5dd07abada95197e6a9b1e032f2d9b9f025
Instruction Fuzzy Hash: 19414931900268DFCF45EFA8C881AEDBBB6FF09310F10405EE905AB252DB309E55CB69

Uniqueness

Uniqueness Score: -1.00%

Function 006C78D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C78D9

Part of subcall function 006AC530: std::_Lockit::_Lockit.LIBCPMT ref: 006AC55D
Part of subcall function 006AC530: std::_Lockit::_Lockit.LIBCPMT ref: 006AC580
Part of subcall function 006AC530: std::_Lockit::~_Lockit.LIBCPMT ref: 006AC5A8
Part of subcall function 006AC530: std::_Lockit::~_Lockit.LIBCPMT ref: 006AC647

Strings

0123456789-, xrefs: 006C7929
0123456789-, xrefs: 006C7924

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: 464a1eace2226748ac710dc65bda39d38dabbca5dcf239ea1f0d59987fbb49bc
Instruction ID: d5ebf49663c437cca43fcf002dab04feb9243ddb01d383c1d9d1acf1b1addc11
Opcode Fuzzy Hash: 464a1eace2226748ac710dc65bda39d38dabbca5dcf239ea1f0d59987fbb49bc
Instruction Fuzzy Hash: 94414A31904219AFCF45EFA4D991EEEBBB6EF09310F10405EF911A7252DB319A15CF58

Uniqueness

Uniqueness Score: -1.00%

Function 006C7BC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C7BC8
__cftoe.LIBCMT ref: 006C7C59

Strings

!%x, xrefs: 006C7BE2

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 66bddb62aef2c3f4f4a75a39c7dba20d72af861ed88acbd7c1aff18051030f5b
Instruction ID: b1f4da6b1f12548a668077691cd6d2539b33e53d6bc413f01b2403234fa41dba
Opcode Fuzzy Hash: 66bddb62aef2c3f4f4a75a39c7dba20d72af861ed88acbd7c1aff18051030f5b
Instruction Fuzzy Hash: 8C410274A1425AAFEF45DFA8D881EEEBBB2FF18300F404429F855A7342D6319A05CF64

Uniqueness

Uniqueness Score: -1.00%

Function 006C3E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006C3E0F
__cftoe.LIBCMT ref: 006C3EA2

Strings

!%x, xrefs: 006C3E1D

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: ba9f2fef852afdb1ce4f42bd2b278a40e23558944642d6aba5ccb801b7aecfe3
Instruction ID: 54fbb195c2941debd15478bfbb571a9be694540f1da82d30de193840905956bb
Opcode Fuzzy Hash: ba9f2fef852afdb1ce4f42bd2b278a40e23558944642d6aba5ccb801b7aecfe3
Instruction Fuzzy Hash: 3B310771A01219ABDF14DFA8D841AEEB7B2EF48304F10846DF905AB351E775AE05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 006AD570 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006AD622

Strings

%, xrefs: 006AD5A9
+, xrefs: 006AD596

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 24d40ad652de8dff02271c549131e0334aa42f3b6827b70e8b0148ebd52238b7
Instruction ID: 31f7e13a439ef63cc4f3ab59b707de45a83b5af35c603dac680bfb9acb39d9d9
Opcode Fuzzy Hash: 24d40ad652de8dff02271c549131e0334aa42f3b6827b70e8b0148ebd52238b7
Instruction Fuzzy Hash: 5E21F6711083849FD711DF18C845B9B7BEAAF8A304F04851DF9958B292D634DD18CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 006AD660 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006AD709

Strings

+, xrefs: 006AD686
%, xrefs: 006AD699

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: c42968ec6a27f1bcca1ee2e96a5e3982ff16c97eb25ebdd5422514e2baf8545e
Instruction ID: 77410506d0c000143b850f04f77db907f07823a11bc1e89068cfa93b5f366094
Opcode Fuzzy Hash: c42968ec6a27f1bcca1ee2e96a5e3982ff16c97eb25ebdd5422514e2baf8545e
Instruction Fuzzy Hash: 5421D6712087459FD711DF14C845B9BBBEAEF8A310F04881DF99587292C734D919CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 006AD750 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006AD7F9

Strings

+, xrefs: 006AD776
%, xrefs: 006AD789

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: d7731278f90bf3fbef5fa2c390805f6f7e0650b1ce1c192e040e244dcd6d8423
Instruction ID: 01c1643966638a70ebed837c910190f0cbe3925bf3341e1306a41d795caed7ea
Opcode Fuzzy Hash: d7731278f90bf3fbef5fa2c390805f6f7e0650b1ce1c192e040e244dcd6d8423
Instruction Fuzzy Hash: B121C4712083459FE715DF14C845B9BBBEAEB86310F04881DF99587292CB34D919CBA7

Uniqueness

Uniqueness Score: -1.00%

Function 006A1CB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 006B1E64: EnterCriticalSection.KERNEL32(00706844,?,?,?,006A1CE7,00000000,210DFF48,?,?,?,?,-00000010,006EA740,000000FF,?,006A202C), ref: 006B1E6F
Part of subcall function 006B1E64: LeaveCriticalSection.KERNEL32(00706844,?,?,006A1CE7,00000000,210DFF48,?,?,?,?,-00000010,006EA740,000000FF,?,006A202C), ref: 006B1E9B

FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,210DFF48,?,?,?,?,-00000010,006EA740,000000FF,?,006A202C), ref: 006A1D06

Part of subcall function 006A1D70: LoadResource.KERNEL32(00000000,00000000,210DFF48,00000001,00000000,?,00000000,006EA760,000000FF,?,006A1D1C,00000010,?,?,?,-00000010), ref: 006A1D9B
Part of subcall function 006A1D70: LockResource.KERNEL32(00000000,?,006A1D1C,00000010,?,?,?,-00000010,006EA740,000000FF,?,006A202C,?,00000000,006EA78D,000000FF), ref: 006A1DA6
Part of subcall function 006A1D70: SizeofResource.KERNEL32(00000000,00000000,?,006A1D1C,00000010,?,?,?,-00000010,006EA740,000000FF,?,006A202C,?,00000000,006EA78D), ref: 006A1DB4

Strings

0hp, xrefs: 006A1CDD
0hp, xrefs: 006A1D24

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Resource$CriticalSection$EnterFindLeaveLoadLockSizeof
String ID: 0hp$0hp
API String ID: 529824247-3730856638
Opcode ID: 328ff59bb14d993be1a5cd0047f80d77eb0e911689744009600a7f5ed453256a
Instruction ID: aab7fca8da8c9ad643b96d0cc9f235a4e29a4e5132822a89bd37039fe43dba0d
Opcode Fuzzy Hash: 328ff59bb14d993be1a5cd0047f80d77eb0e911689744009600a7f5ed453256a
Instruction Fuzzy Hash: 1B113A36B04614ABD7249B599C51BBAF3EAEB4AB60F00423EED06DB3C0DB359C018794

Uniqueness

Uniqueness Score: -1.00%

Function 006A8050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 006A8096
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,210DFF48), ref: 006A8105

Strings

Invalid SID, xrefs: 006A80E3

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 05035a9a50f7c4a56fa3c0c978625303f263fdfe1e23a69da9a7f4e0f09cce04
Instruction ID: 4e4ff12b37f98537bc023d7bc0184fa3ab59e862c651085958d43d7ccf7d17d2
Opcode Fuzzy Hash: 05035a9a50f7c4a56fa3c0c978625303f263fdfe1e23a69da9a7f4e0f09cce04
Instruction Fuzzy Hash: 7121A1B0A003159BDB10DF58C815BAFBBBAEF45704F14861DE902A7380DBB56A448BD0

Uniqueness

Uniqueness Score: -1.00%

Function 006AC0E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006AC10B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006AC16E

Strings

bad locale name, xrefs: 006AC191

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: cd578b2793e5d4ecc8a925d2f1a4c04c507407719dc6aaa2ea92c19c392fc126
Instruction ID: 870a1dd1d4371633250d99974432ae0e1501fabfcf943c5d4b2725e80b56190e
Opcode Fuzzy Hash: cd578b2793e5d4ecc8a925d2f1a4c04c507407719dc6aaa2ea92c19c392fc126
Instruction Fuzzy Hash: 7821E4B0909784DED721CF68C90478BBFF4EF15710F10869EE49597781D3B9AA04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 006C8B14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C8FDE
___raise_securityfailure.LIBCMT ref: 006C90C6

Strings

@kp, xrefs: 006C90C1

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @kp
API String ID: 3761405300-1507301250
Opcode ID: b32f000a872dbf16ea1227099602e6e57b0715d54dbadbb4208159580f4e4522
Instruction ID: 8d37ad76241bc27d767dae73d80ae7e2aa560814856fe039b78db9194e10aa52
Opcode Fuzzy Hash: b32f000a872dbf16ea1227099602e6e57b0715d54dbadbb4208159580f4e4522
Instruction Fuzzy Hash: 8121E5B4501204DBE714CF18ED65B567BE6FB08310F10C62AEA44CB3A0DFB864A18F6C

Uniqueness

Uniqueness Score: -1.00%

Function 006B41AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006B41B1

Strings

true, xrefs: 006B421B
false, xrefs: 006B4208

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: af3129ea8bbcc11bc7b07148b6934df82b65c5e79817c591bd60acc17c70e681
Instruction ID: 327f669605308f6f3a1353a76c19a139375974ef8399f472f486af79e97761d6
Opcode Fuzzy Hash: af3129ea8bbcc11bc7b07148b6934df82b65c5e79817c591bd60acc17c70e681
Instruction Fuzzy Hash: 1511D3B1D007449EC761EFB4C441BDABBF5AF05300F00851EF1968B342EA70E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 006C90D9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C90E4
___raise_securityfailure.LIBCMT ref: 006C91A1

Strings

@kp, xrefs: 006C919C

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @kp
API String ID: 3761405300-1507301250
Opcode ID: 6bbf2c592707451201a2e860ce262adc2b9dedcd97be797a66fc4eb17df6d909
Instruction ID: 003fc8826913e3f34420c72797933c038cefb615f63b9422629cdf445dc52da1
Opcode Fuzzy Hash: 6bbf2c592707451201a2e860ce262adc2b9dedcd97be797a66fc4eb17df6d909
Instruction Fuzzy Hash: 5811D7B4511208DBE314DF19EDA16527BE5FB08310B10D21AE98887360DFB8A5A58F6D

Uniqueness

Uniqueness Score: -1.00%

Function 006B1DB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006B0AA0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,210DFF48,?,006EA7B0,000000FF), ref: 006B0AC7
Part of subcall function 006B0AA0: GetLastError.KERNEL32(?,00000000,00000000,210DFF48,?,006EA7B0,000000FF), ref: 006B0AD1

IsDebuggerPresent.KERNEL32(?,?,00701AD8), ref: 006B1DE8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00701AD8), ref: 006B1DF7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006B1DF2

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: b072719afcd04cba4708ff1cc4fe721cbcee42a7d36a9178bd7661de524aca9a
Instruction ID: a0b58f139302bbead7cbace036d813a3b01b4f5c3393aa97d5244c16016c1de5
Opcode Fuzzy Hash: b072719afcd04cba4708ff1cc4fe721cbcee42a7d36a9178bd7661de524aca9a
Instruction Fuzzy Hash: 56E06DB0600781CFD3609F29D9187867BE2AF05300F80C82DE892CA741DBB5E884CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 006A6BA0 Relevance: 5.2, APIs: 4, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,210DFF48,?,00000000,?,?,?,?,006EB1A0,000000FF,?,006A63B2,00000000,?), ref: 006A6C44
LocalAlloc.KERNEL32(00000040,3FFFFFFF,210DFF48,?,00000000,?,?,?,?,006EB1A0,000000FF,?,006A63B2,00000000,?), ref: 006A6C67
LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,006EB1A0,000000FF,?,006A63B2,00000000), ref: 006A6D07
LocalFree.KERNEL32(?,210DFF48,00000000,006EA7B0,000000FF,?,00000000,00000000,006EB1A0,000000FF,210DFF48), ref: 006A6D8D

Memory Dump Source

Source File: 00000005.00000002.2028554727.00000000006A1000.00000020.00000001.01000000.00000008.sdmp, Offset: 006A0000, based on PE: true

Associated: 00000005.00000002.2028531216.00000000006A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028646328.00000000006EF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028673060.0000000000705000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2028696413.0000000000709000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a0000_MSIA311.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 265e18ceaf5484fe34502e745630437f067520e8dfb9cf1b45ebaf3f0ea0811c
Instruction ID: ee5d09a52dde1ea652782c4ed8041762e9c6c1e19bdde3e8b1507a2a9b902255
Opcode Fuzzy Hash: 265e18ceaf5484fe34502e745630437f067520e8dfb9cf1b45ebaf3f0ea0811c
Instruction Fuzzy Hash: 40518FB5A006099FDB18EF68C985AAEB7B6FB49354F14462DF816E7380D730AD00CF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gxonecli.exePID: 4816, Parent PID: 1716COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	31.4%
Signature Coverage:	6.7%
Total number of Nodes:	1164
Total number of Limit Nodes:	28

Executed Functions

Function 02E10032 Relevance: 74.3, APIs: 4, Strings: 38, Instructions: 795memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 02E104AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 02E104DE
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02E104F5
LdrGetProcedureAddress.NTDLL(00000000,?,00000000,?), ref: 02E10810

Strings

Ta, xrefs: 02E1027D
p, xrefs: 02E100F7
a, xrefs: 02E1013E
F, xrefs: 02E1018C
tu, xrefs: 02E10137
o, xrefs: 02E101C9
ee, xrefs: 02E100F0
ctio, xrefs: 02E1026B
A, xrefs: 02E10147
S, xrefs: 02E100E7
mI, xrefs: 02E10221
oc, xrefs: 02E10154
yA, xrefs: 02E10125
tu, xrefs: 02E10166
Rt, xrefs: 02E10233
iv, xrefs: 02E10212
tNat, xrefs: 02E1020A
A, xrefs: 02E10244
P, xrefs: 02E10176
otec, xrefs: 02E1017F
G, xrefs: 02E10205
a, xrefs: 02E1011C
Via, xrefs: 02E10312
Fu, xrefs: 02E1025A
fo, xrefs: 02E1022C
Li, xrefs: 02E1010C
Syst, xrefs: 02E10219
b, xrefs: 02E10287
Lo, xrefs: 02E100FC
t, xrefs: 02E10187
Vi, xrefs: 02E1012C
ushI, xrefs: 02E1019B
b, xrefs: 02E10113
ucti, xrefs: 02E101BE
a, xrefs: 02E10103
st, xrefs: 02E101AD
Cach, xrefs: 02E101FA
a, xrefs: 02E1016D

Memory Dump Source

Source File: 00000006.00000002.3224774705.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_gxonecli.jbxd

Similarity

API ID: AllocVirtual$AddressInfoNativeProcedureSystem
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 1766404756-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: c3d9b45b8132815cd0df0274517326095c08188561525e2c616f1b913d80498e
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: E8629C715483858FD730CF24C840BABBBE5FF94718F04982DE9C99B291E7749988CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02A90032 Relevance: 70.8, APIs: 2, Strings: 38, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 02A904AE
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 02A904DE

Strings

otec, xrefs: 02A9017F
A, xrefs: 02A90244
b, xrefs: 02A90113
a, xrefs: 02A9013E
fo, xrefs: 02A9022C
a, xrefs: 02A9011C
Vi, xrefs: 02A9012C
A, xrefs: 02A90147
Li, xrefs: 02A9010C
F, xrefs: 02A9018C
Rt, xrefs: 02A90233
tu, xrefs: 02A90166
ee, xrefs: 02A900F0
Lo, xrefs: 02A900FC
Ta, xrefs: 02A9027D
Via, xrefs: 02A90312
mI, xrefs: 02A90221
oc, xrefs: 02A90154
a, xrefs: 02A9016D
Fu, xrefs: 02A9025A
ctio, xrefs: 02A9026B
tNat, xrefs: 02A9020A
ucti, xrefs: 02A901BE
yA, xrefs: 02A90125
P, xrefs: 02A90176
b, xrefs: 02A90287
S, xrefs: 02A900E7
Cach, xrefs: 02A901FA
t, xrefs: 02A90187
p, xrefs: 02A900F7
iv, xrefs: 02A90212
o, xrefs: 02A901C9
Syst, xrefs: 02A90219
ushI, xrefs: 02A9019B
G, xrefs: 02A90205
a, xrefs: 02A90103
tu, xrefs: 02A90137
st, xrefs: 02A901AD

Memory Dump Source

Source File: 00000006.00000002.3224637381.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2a90000_gxonecli.jbxd

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
API String ID: 2032221330-2899676511
Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction ID: 5a67a5e0bd2ba73a48b4b33cefe44e60a05a1300d7e7d8b8f430ca96cfab4e59
Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
Instruction Fuzzy Hash: 82628C71508385CFDB20CF25C880BABBBE5FF94744F04482DE9C99B251EB709988CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02F193D6 Relevance: 68.5, APIs: 24, Strings: 15, Instructions: 229
sleepthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 02F193E6
GetCurrentThreadId.KERNEL32 ref: 02F193F1
PostThreadMessageA.USER32(00000000), ref: 02F193F8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02F19405
memset.MSVCRT ref: 02F19423
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02F19434
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 02F19443
GetLastError.KERNEL32 ref: 02F1944D
exit.MSVCRT ref: 02F1945B

Part of subcall function 02F19A16: memset.MSVCRT ref: 02F19A42
Part of subcall function 02F19A16: memset.MSVCRT ref: 02F19A54
Part of subcall function 02F19A16: wsprintfA.USER32 ref: 02F19AFA

SetUnhandledExceptionFilter.KERNEL32(02F19065), ref: 02F194A9
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02F194E1
WSAStartup.WS2_32(00000202,?), ref: 02F194F3
Sleep.KERNEL32(000F4240), ref: 02F19503
ExitProcess.KERNEL32 ref: 02F1952F
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 02F1955A
GetFileAttributesA.KERNEL32(?), ref: 02F19595
DefineDosDeviceA.KERNEL32(00000001,02FEC848,?), ref: 02F195D0
CopyFileA.KERNEL32(?,02FEC83C,00000000), ref: 02F195E7
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 02F195F7
SetFileAttributesA.KERNEL32(?,00000002), ref: 02F19606
CreateDirectoryA.KERNEL32(?,00000000), ref: 02F19614
sprintf.MSVCRT ref: 02F19656
lstrlen.KERNEL32(?), ref: 02F196AF
Sleep.KERNEL32(000F4240), ref: 02F196D0

Strings

G, xrefs: 02F19689
u, xrefs: 02F19695
SRDSL, xrefs: 02F194CC, 02F19510, 02F1951A, 02F19525, 02F1953D, 02F19547, 02F19560, 02F19640, 02F19648, 02F1964A, 02F1966C, 02F196BE
t, xrefs: 02F19685
r, xrefs: 02F1968D
o, xrefs: 02F19691
%, xrefs: 02F1964B
n, xrefs: 02F19679
p, xrefs: 02F19699
s, xrefs: 02F1964F
C, xrefs: 02F1966D
e, xrefs: 02F1967D
o, xrefs: 02F19671
c, xrefs: 02F19681
n, xrefs: 02F19675

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: File$memset$AttributesCreateMessageSleepThread$CopyCtrlCurrentDefineDeviceDirectoryDispatcherErrorExceptionExitFilterFolderInputLastModuleMoveMutexNamePathPostProcessServiceSpecialStartStartupStateUnhandledexitlstrlensprintfwsprintf
String ID: %$C$G$SRDSL$c$e$n$n$o$o$p$r$s$t$u
API String ID: 1744223243-2739207428
Opcode ID: 785978e0b3b5bcf08a301ab9666d49f3d0ee75951d7e55875da97557862dbe54
Instruction ID: 28933d24d0f0017fe4ed0be8a5bc7833a554492d7aa13dc8aa893f9ce45312d3
Opcode Fuzzy Hash: 785978e0b3b5bcf08a301ab9666d49f3d0ee75951d7e55875da97557862dbe54
Instruction Fuzzy Hash: 4681C4B1D4025CAEEB11DBA4DD98EEEBBBCAF147C4F400496F705A2141DBB49B448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001B50 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10001B99
GetProcAddress.KERNEL32(00000000), ref: 10001BA0

Part of subcall function 10001AB0: _memset.LIBCMT ref: 10001ACC
Part of subcall function 10001AB0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001AE2
Part of subcall function 10001AB0: Process32First.KERNEL32(00000000,00000128), ref: 10001AF2
Part of subcall function 10001AB0: FindCloseChangeNotification.KERNEL32(00000000), ref: 10001B25

OpenProcess.KERNEL32(00001000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 10001BC1
OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?,?,?,?,?,?,?), ref: 10001BD6
LookupPrivilegeValueA.ADVAPI32(00000000,10016908,FFFFFFFF), ref: 10001BE8
AdjustTokenPrivileges.KERNELBASE(?,?,?,?,00000001,?,00000010,00000000,00000000), ref: 10001C1F
LoadLibraryA.KERNEL32(1001692C,1001691C,?,?,?,?,00000001,?,00000010,00000000,00000000), ref: 10001C6C
GetProcAddress.KERNEL32(00000000), ref: 10001C73

Strings

, xrefs: 10001C60
ray., xrefs: 10001B6C
ADVA, xrefs: 10001B7C
.dll, xrefs: 10001B8C
360t, xrefs: 10001BFA
PI32, xrefs: 10001B84
exe, xrefs: 10001C3B

Memory Dump Source

Source File: 00000006.00000002.3225205779.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10001000_gxonecli.jbxd

Similarity

API ID: AddressLibraryLoadOpenProcProcessToken$AdjustChangeCloseCreateFindFirstLookupNotificationPrivilegePrivilegesProcess32SnapshotToolhelp32Value_memset
String ID: $.dll$360t$ADVA$PI32$exe$ray.
API String ID: 1948653106-2325242662
Opcode ID: db1aac61bfbfbedb3c40a891b87708fe5dd75bbf99c62c778880aa74b7f4357a
Instruction ID: 5d9db8125b9bd70de7a63b933078c3cd19c530e595b49123e5552fe6a39f8101
Opcode Fuzzy Hash: db1aac61bfbfbedb3c40a891b87708fe5dd75bbf99c62c778880aa74b7f4357a
Instruction Fuzzy Hash: AB314BB0518385AFE300CF60CD89B9BBBE8FF88755F004A0CF6A496290D7B5D5488B56

Uniqueness

Uniqueness Score: -1.00%

Function 007445B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 143
windownetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?), ref: 007445D7
LoadIconW.USER32(?,00000065), ref: 007445E2
FindWindowW.USER32(OneClientWnd,00000000), ref: 00744601
IsWindow.USER32(00000000), ref: 0074460A
ShowWindow.USER32(00000000,00000005), ref: 0074461B
SetForegroundWindow.USER32(00000000), ref: 00744622
CreateEventW.KERNEL32(00000000,00000000,00000000,{51908485-3D48-408a-AC9A-8DA4361CCC61}), ref: 00744638
_memset.LIBCMT ref: 0074464A
WSAStartup.WS2_32(00000202,?), ref: 0074465C
curl_global_init.LIBCURL32(00000003), ref: 00744663

Part of subcall function 00798AB7: GetCommandLineW.KERNEL32(00000000,?,?,?,?,0074467D), ref: 00798AC9
Part of subcall function 00798AB7: CommandLineToArgvW.SHELL32(00000000,?,?,?,0074467D), ref: 00798AD0
Part of subcall function 00798AB7: LocalFree.KERNEL32(00000000,?,?,?,0074467D), ref: 00798AE8

Strings

OneClientWnd, xrefs: 007445FC
{51908485-3D48-408a-AC9A-8DA4361CCC61}, xrefs: 0074462D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$CommandLine$ArgvCreateEventFindForegroundFreeHandleIconLoadLocalModuleShowStartup_memsetcurl_global_init
String ID: OneClientWnd${51908485-3D48-408a-AC9A-8DA4361CCC61}
API String ID: 2477215625-659767991
Opcode ID: f705c17f1b9f679891385e97db6e1e1679c1abbab665b6262a4802c80da63b14
Instruction ID: c4e544ca9ac8ff6b7a0c8e3d7c7be75e6d9b534a7f9b5585408d96860780c247
Opcode Fuzzy Hash: f705c17f1b9f679891385e97db6e1e1679c1abbab665b6262a4802c80da63b14
Instruction Fuzzy Hash: 1C51F5B1504300DBD720EF64AC4EB5FB7E8AF85304F008A2DF65997292E778A905C797

Uniqueness

Uniqueness Score: -1.00%

Function 02F1822B Relevance: 60.1, APIs: 3, Strings: 37, Instructions: 75
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02F1825C
wsprintfA.USER32 ref: 02F18303
lstrlen.KERNEL32(\Services\%s,00000000), ref: 02F18311

Part of subcall function 02F20EA0: LoadLibraryA.KERNEL32(02FECA90,?,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s,02F18331,80000002,?,00000076,00000001,0000005C,00000000), ref: 02F20ECD
Part of subcall function 02F20EA0: FreeLibrary.KERNEL32(00000000,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s,02F18331,80000002,?,00000076,00000001,0000005C), ref: 02F2100F

Strings

s, xrefs: 02F182FF
C, xrefs: 02F1828F
Y, xrefs: 02F18277
u, xrefs: 02F18293
c, xrefs: 02F182EB
r, xrefs: 02F18297
o, xrefs: 02F182AF
r, xrefs: 02F182DF
o, xrefs: 02F182BF
T, xrefs: 02F1827F
S, xrefs: 02F1827B
\, xrefs: 02F182D3
e, xrefs: 02F182EF
e, xrefs: 02F182DB
t, xrefs: 02F182B7
n, xrefs: 02F182A3
n, xrefs: 02F182B3
t, xrefs: 02F182A7
t, xrefs: 02F182CF
M, xrefs: 02F18287
\, xrefs: 02F182F7
S, xrefs: 02F182D7
e, xrefs: 02F182CB
\, xrefs: 02F1828B
e, xrefs: 02F1829F
r, xrefs: 02F182BB
C, xrefs: 02F182AB
s, xrefs: 02F182F3
l, xrefs: 02F182C3
r, xrefs: 02F1829B
\Services\%s, xrefs: 02F1830E
i, xrefs: 02F182E7
E, xrefs: 02F18283
v, xrefs: 02F182E3
S, xrefs: 02F182C7
%, xrefs: 02F182FB
S, xrefs: 02F1826B

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: Library$FreeLoadlstrlenmemsetwsprintf
String ID: %$C$C$E$M$S$S$S$S$T$Y$\$\$\$\Services\%s$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$s$t$t$t$u$v
API String ID: 273645122-2457757079
Opcode ID: 42c5c46862f751cbc67d4c707e6aa396825b689d1ee725c19c4e17d1a7f0d84c
Instruction ID: 0efa39412d7f6d8cfc6b6286d937243bd5e151dfb8af44b26a604fa8071c401b
Opcode Fuzzy Hash: 42c5c46862f751cbc67d4c707e6aa396825b689d1ee725c19c4e17d1a7f0d84c
Instruction Fuzzy Hash: EF31FC50D0C6C9D9EF02C6A8C8087DEBFB51B26749F0840D8D6843A282C6FE5758C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 02F18D76 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 217
stringsynchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02F18D7B
wsprintfA.USER32 ref: 02F18DAF
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 02F18DC1
GetLastError.KERNEL32 ref: 02F18DCD
ReleaseMutex.KERNEL32(00000000), ref: 02F18DDB
CloseHandle.KERNEL32(00000000), ref: 02F18DE2
rand.MSVCRT ref: 02F18E0A
Sleep.KERNEL32 ref: 02F18E19
strstr.MSVCRT ref: 02F18E83
strncpy.MSVCRT ref: 02F18EA7
_mbscpy.MSVCRT ref: 02F18EBD
lstrcat.KERNEL32(?,?), ref: 02F18ED3
atoi.MSVCRT ref: 02F18EE0
lstrcat.KERNEL32(00000000,02FEC288), ref: 02F18F00
strcmp.MSVCRT ref: 02F18F12
GetTickCount.KERNEL32 ref: 02F18F27
GetTickCount.KERNEL32 ref: 02F18F45
WaitForSingleObject.KERNEL32(00000064,00000064), ref: 02F18FD4
Sleep.KERNEL32(000001F4), ref: 02F18FE1

Strings

SRDSL, xrefs: 02F18D93

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: CountMutexSleepTicklstrcat$CloseCreateErrorH_prologHandleLastObjectReleaseSingleWait_mbscpyatoirandstrcmpstrncpystrstrwsprintf
String ID: SRDSL
API String ID: 2889383824-1106944799
Opcode ID: cc90962cadc22ee2f40b6247911318f30debcc5cf6ba8b52acb53d5c1297d304
Instruction ID: debeba7d51e7b9c6a1ea9d72d146ff7147551017aa4416d131e639a07b1eec4f
Opcode Fuzzy Hash: cc90962cadc22ee2f40b6247911318f30debcc5cf6ba8b52acb53d5c1297d304
Instruction Fuzzy Hash: E571B272D0425DABEF11DBA4DD48BDEBB7DAF447C4F504496E20AE6080DB709A44CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1000329D Relevance: 22.6, APIs: 15, Instructions: 106
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 100032D1
GetCommandLineA.KERNEL32(10017030,00000008,1000348C,?,00000001,?,10017050,0000000C,1000342B,?,00000001,?), ref: 100032D6
___crtGetEnvironmentStringsA.LIBCMT ref: 100032E1

Part of subcall function 100083B5: GetEnvironmentStringsW.KERNEL32(?,?,?,100032E6), ref: 100083BA
Part of subcall function 100083B5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000001,?,?,?,100032E6), ref: 100083EE
Part of subcall function 100083B5: __malloc_crt.LIBCMT ref: 100083FC
Part of subcall function 100083B5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000001,?,?,?,100032E6), ref: 10008414
Part of subcall function 100083B5: FreeEnvironmentStringsW.KERNEL32(00000000,?,00000001,?,?,?,100032E6), ref: 10008428

__ioinit.LIBCMT ref: 100032EB

Part of subcall function 10007D02: __lock.LIBCMT ref: 10007D10
Part of subcall function 10007D02: __calloc_crt.LIBCMT ref: 10007D21
Part of subcall function 10007D02: @_EH4_CallFilterFunc@8.LIBCMT ref: 10007D3C

__ioterm.LIBCMT ref: 10003324

Part of subcall function 10007FB7: RtlDeleteCriticalSection.NTDLL ref: 10007FD8

__mtterm.LIBCMT ref: 100032F4

Part of subcall function 10007AAB: RtlDeleteCriticalSection.NTDLL ref: 1000A406
Part of subcall function 10007AAB: RtlDeleteCriticalSection.NTDLL(10018D48), ref: 1000A42F

__setargv.LIBCMT ref: 100032FB
__setenvp.LIBCMT ref: 10003304
__cinit.LIBCMT ref: 1000330F
__ioterm.LIBCMT ref: 1000335C
__mtterm.LIBCMT ref: 10003361

Part of subcall function 10004566: GetProcessHeap.KERNEL32(100032B6,10017030,00000008,1000348C,?,00000001,?,10017050,0000000C,1000342B,?,00000001,?), ref: 10004566

Memory Dump Source

Source File: 00000006.00000002.3225205779.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10001000_gxonecli.jbxd

Similarity

API ID: CriticalDeleteEnvironmentSectionStrings$ByteCharMultiWide__ioterm__mtterm$CallCommandFilterFreeFunc@8HeapInitializeLineProcess___crt__calloc_crt__cinit__ioinit__lock__malloc_crt__setargv__setenvp
String ID:
API String ID: 2078768449-0
Opcode ID: 1ff07e01df41c51f43bc9036101a27d537823a682085b93ab876569799a418f3
Instruction ID: c9926372871ac720ecac5337bd8bd83f916cd25f6754a275e0084185fc4e90cb
Opcode Fuzzy Hash: 1ff07e01df41c51f43bc9036101a27d537823a682085b93ab876569799a418f3
Instruction Fuzzy Hash: 7531A479A046129AF316EB719C8270F77D8FF052E5F22C025F904CA19EDF30F6418666

Uniqueness

Uniqueness Score: -1.00%

Function 007441D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00798671: CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007441F3,007BC15C,00000001,00000001), ref: 0079868E

GetHGlobalFromStream.OLE32(00000001,00000001,007BC15C,00000001,00000001), ref: 0074420B
GlobalLock.KERNEL32(?), ref: 00744216
CreateDialogIndirectParamW.USER32(?,007BC15C,00000000,00744140,?), ref: 00744245
UpdateWindow.USER32(00000000), ref: 0074424E
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00744262
IsDialogMessageW.USER32(00000000,?), ref: 00744276
TranslateMessage.USER32(?), ref: 00744281
DispatchMessageW.USER32(?), ref: 0074428C
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0074429D

Strings

@At, xrefs: 007441FD

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Message$Global$CreateDialogStream$DispatchFromIndirectLockParamTranslateUpdateWindow
String ID: @At
API String ID: 2943712338-835821491
Opcode ID: ed1d80b02f7e91fad9e5f903726c41b9c5cdf6a86e0b4a5a7f0ca99124ac53b8
Instruction ID: 16297ef42e52c2175798d41b815db983bd4a4b2cc2c11befd03bc75294a64ab8
Opcode Fuzzy Hash: ed1d80b02f7e91fad9e5f903726c41b9c5cdf6a86e0b4a5a7f0ca99124ac53b8
Instruction Fuzzy Hash: 8A217AB2104306ABC310DF64DC84F6BBBA8FBC8750F008A1DFA5587260E774D906CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02F20C2F Relevance: 13.7, APIs: 9, Instructions: 183
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02F20C64
memset.MSVCRT ref: 02F20C77
memset.MSVCRT ref: 02F20C85
LoadLibraryA.KERNEL32(02FECA90,?,?,?,?,?,?,?,00000104,00000000), ref: 02F20C92
RegOpenKeyExA.KERNEL32(?,00000001,00000000,00020019,?,?,?,?,?,?,?,?,00000104,00000000), ref: 02F20D02
strchr.MSVCRT ref: 02F20D9E
lstrcpy.KERNEL32(80000000,?), ref: 02F20E4C
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,00000104,00000000), ref: 02F20E70

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: memset$Library$FreeLoadOpenlstrcpystrchr
String ID:
API String ID: 3614705559-0
Opcode ID: f36cf6ea1ae1107ded49093c18672c60087b679093fb9733f5a0a46c0d209669
Instruction ID: 51e6208cd1ac96063cb386af7b7158377d3cf5b0433cb6c0700b4f068da7215e
Opcode Fuzzy Hash: f36cf6ea1ae1107ded49093c18672c60087b679093fb9733f5a0a46c0d209669
Instruction Fuzzy Hash: 9B61BAB2D0022DAFDF219F90DC85AEEBBB9FB19784F00056AF616A1150DB359A54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02F20EA0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144
registrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(02FECA90,?,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s,02F18331,80000002,?,00000076,00000001,0000005C,00000000), ref: 02F20ECD
RegCreateKeyExA.KERNEL32(0000005C,00000001,00000000,00000000,00000000,000F003F,00000000,000000FF,000000FF,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s), ref: 02F20F9D
RegOpenKeyExA.KERNEL32(0000005C,00000001,00000000,0002001F,?,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s,02F18331,80000002,?,00000076), ref: 02F20FB4
RegSetValueExA.KERNEL32(00000001,00000076,00000000,?,80000002,00000001,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s,02F18331,80000002,?), ref: 02F20FF3
FreeLibrary.KERNEL32(00000000,?,?,?,02F262F2,02FAC6F8,000000FF,\Services\%s,02F18331,80000002,?,00000076,00000001,0000005C), ref: 02F2100F

Strings

\Services\%s, xrefs: 02F20EA0

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: Library$CreateFreeLoadOpenValue
String ID: \Services\%s
API String ID: 141387270-3692262031
Opcode ID: 3d0a3f9c5bd2eecb977f8793132c209b9fa2e3906c424e974ef135c459ea15af
Instruction ID: 1e96b76b0fcf0430385764001c79cf4375b1077d7ea8e412f44f06d6c42b4b7c
Opcode Fuzzy Hash: 3d0a3f9c5bd2eecb977f8793132c209b9fa2e3906c424e974ef135c459ea15af
Instruction Fuzzy Hash: 79417F72E4012CBFEF119F94CC84EBEBB7DEB05A84F00402AFA25B2150DB318C449B50

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D1A10 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C4D1AFF
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C4D1C08

Strings

Failed to create file., xrefs: 6C4D1A4D
RNl, xrefs: 6C4D1BF5
File created successfully., xrefs: 6C4D1B56
RNl, xrefs: 6C4D1C01

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: Failed to create file.$File created successfully.$RNl$RNl
API String ID: 323602529-3141791845
Opcode ID: ac39d55717d1636bcc6027f0a9e53bedbf52f47630d669c3ef8c7ebd479a5743
Instruction ID: b8ec04347027964ac4fe0a660f7943280b16c264b1847f88c261a494aac37039
Opcode Fuzzy Hash: ac39d55717d1636bcc6027f0a9e53bedbf52f47630d669c3ef8c7ebd479a5743
Instruction Fuzzy Hash: 7551A171A003448FDB50DF98C861F99B7B6EF48338F12869CD81A5BB91DB31E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02F13160 Relevance: 10.6, APIs: 7, Instructions: 85
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02F13534: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02F13559
Part of subcall function 02F13534: CancelIo.KERNEL32(?,?,?,?,02F13170), ref: 02F13562
Part of subcall function 02F13534: InterlockedExchange.KERNEL32(?,00000000), ref: 02F1356E
Part of subcall function 02F13534: closesocket.WS2_32(?), ref: 02F13577
Part of subcall function 02F13534: SetEvent.KERNEL32(?,?,?,?,02F13170), ref: 02F13580

ResetEvent.KERNEL32(?), ref: 02F13173
socket.WS2_32(00000002,00000001,00000006), ref: 02F13184
gethostbyname.WS2_32(?), ref: 02F13195
htons.WS2_32(?), ref: 02F131AA
connect.WS2_32(?,00000002,00000010), ref: 02F131C7
setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 02F131EC
WSAIoctl.WS2_32(0000000C,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 02F1321D

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: Eventsetsockopt$CancelExchangeInterlockedIoctlResetclosesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 4281462294-0
Opcode ID: 3366ed01becd35d389905439753cf1ef9023ac1953f82ae00d40c8cde3291bc1
Instruction ID: f02e8f3b7bd8f82e5607110292af3d447ce2bfdc03e30efd98c336a4a92a75e0
Opcode Fuzzy Hash: 3366ed01becd35d389905439753cf1ef9023ac1953f82ae00d40c8cde3291bc1
Instruction Fuzzy Hash: C9218FB2940348BFE7109FA5DC89EABBBBDEF043A4F004559F701A6290C7B19D14DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00744140 Relevance: 9.1, APIs: 6, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,000000EB,?), ref: 0074415B
GetWindowLongW.USER32(?,000000EB), ref: 00744164
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 0074418C
KiUserCallbackDispatcher.NTDLL ref: 00744195
DestroyWindow.USER32(?), ref: 007441A4

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$CallbackDispatcherLongUser$Destroy
String ID:
API String ID: 1893564397-0
Opcode ID: 408fab732008b4a313e4e72451d89f8b231bd28cb99966fb8c7b14a98c17dfad
Instruction ID: 047038dbdd3f4d7764177e00cbd7c14bb9d7a1fde37789efb2e31e9e132c6371
Opcode Fuzzy Hash: 408fab732008b4a313e4e72451d89f8b231bd28cb99966fb8c7b14a98c17dfad
Instruction Fuzzy Hash: AB014836204115ABD3219F68DC8CFAB77A9EBD5731F10CB1AF761D21D0C7689851D760

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D1960 Relevance: 9.1, APIs: 6, Instructions: 53
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(6C4D1DC8,80000000,00000000,00000000,00000003,00000080,00000000,?,?,6C4D1DC8,C:\Program Files (x86)\IOPL\kl.had,00000015), ref: 6C4D1984
GetFileSize.KERNEL32(00000000,00000000,?,?,6C4D1DC8,C:\Program Files (x86)\IOPL\kl.had,00000015), ref: 6C4D198F
ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,?,6C4D1DC8), ref: 6C4D19AB
VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040,?,?,6C4D1DC8), ref: 6C4D19DA
_memmove.LIBCMT ref: 6C4D19EF
ImmEnumInputContext.IMM32(00000000,00000000,00000000,?,6C4D1DC8), ref: 6C4D19FC

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: File$AllocContextCreateEnumInputReadSizeVirtual_memmove
String ID:
API String ID: 2308737697-0
Opcode ID: d9c72d026f9355017a0f882ad1761901804ead265484850c902977968c981482
Instruction ID: 3cf5b37be065397e72fb164aceae8dd60927b4cc86225317452e8fe023ba31f7
Opcode Fuzzy Hash: d9c72d026f9355017a0f882ad1761901804ead265484850c902977968c981482
Instruction Fuzzy Hash: D201B5716443187AE760F7948C0AFEA367CEB09B1AF110584FB05AA5C1D6A17604C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 02F19A16 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 02F19A42
memset.MSVCRT ref: 02F19A54
wsprintfA.USER32 ref: 02F19AFA

Part of subcall function 02F20C2F: memset.MSVCRT ref: 02F20C64
Part of subcall function 02F20C2F: memset.MSVCRT ref: 02F20C77
Part of subcall function 02F20C2F: memset.MSVCRT ref: 02F20C85
Part of subcall function 02F20C2F: LoadLibraryA.KERNEL32(02FECA90,?,?,?,?,?,?,?,00000104,00000000), ref: 02F20C92
Part of subcall function 02F20C2F: RegOpenKeyExA.KERNEL32(?,00000001,00000000,00020019,?,?,?,?,?,?,?,?,00000104,00000000), ref: 02F20D02
Part of subcall function 02F20C2F: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,00000104,00000000), ref: 02F20E70

Strings

ConnectGroup, xrefs: 02F19A59
urrentControlSet\Services\%s%s, xrefs: 02F19A21

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: memset$Library$FreeLoadOpenwsprintf
String ID: ConnectGroup$urrentControlSet\Services\%s%s
API String ID: 3064224090-2179679831
Opcode ID: 5ae7e620b1398e46d738539d0cfac5a9f4be704cda78d06891b50fffd9d3dfa0
Instruction ID: 67625231bebc396e2687ecad275bbe2ec14ff237967a294dbe512aed575a8d48
Opcode Fuzzy Hash: 5ae7e620b1398e46d738539d0cfac5a9f4be704cda78d06891b50fffd9d3dfa0
Instruction Fuzzy Hash: 0D41D250D0C6CDDDEF02C6A8C8487DEBFB55B26349F0840D8D6847A292C6FE575887B6

Uniqueness

Uniqueness Score: -1.00%

Function 10001AB0 Relevance: 7.6, APIs: 5, Instructions: 55processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10001ACC
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001AE2
Process32First.KERNEL32(00000000,00000128), ref: 10001AF2
FindCloseChangeNotification.KERNEL32(00000000), ref: 10001B25
CloseHandle.KERNEL32(00000000), ref: 10001B33

Memory Dump Source

Source File: 00000006.00000002.3225205779.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10001000_gxonecli.jbxd

Similarity

API ID: Close$ChangeCreateFindFirstHandleNotificationProcess32SnapshotToolhelp32_memset
String ID:
API String ID: 1719118602-0
Opcode ID: b25bede1868f6f85b4e914f9e5e9c357d8a014039af851461dd1b57e13ef586e
Instruction ID: 58c9c295e5a55647de9048997836f21c034e6ded7aeedff1474f029740eee39c
Opcode Fuzzy Hash: b25bede1868f6f85b4e914f9e5e9c357d8a014039af851461dd1b57e13ef586e
Instruction Fuzzy Hash: 8E018D75E0112867F7119B559C89FDB77ECDB4D392F0041A1F908D2140F774DE958AA1

Uniqueness

Uniqueness Score: -1.00%

Function 007440D0 Relevance: 7.5, APIs: 5, Instructions: 39threadsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?), ref: 007440DF
CreateThread.KERNEL32(00000000,00000000,Function_000141D0,00000000,00000000,00000000), ref: 007440FF
WaitForSingleObject.KERNEL32(00000000,000001F4), ref: 00744116
TerminateThread.KERNEL32(00000000,00000000), ref: 0074411F
CloseHandle.KERNEL32(00000000), ref: 0074412F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: HandleThread$CloseCreateModuleObjectSingleTerminateWait
String ID:
API String ID: 3884762193-0
Opcode ID: 9f50fd67adf4ba99300d2a1a7ac63f99f929c15b3ab4559955729d6ba58735f9
Instruction ID: 2be6c282476aafda594efdc555e3b10944934c218434eef10851361457dd62bc
Opcode Fuzzy Hash: 9f50fd67adf4ba99300d2a1a7ac63f99f929c15b3ab4559955729d6ba58735f9
Instruction Fuzzy Hash: 74F0F03284263AA7E6212B1C5C0DF9BB654AB21F21F108315FF71B61D0E77C894166D9

Uniqueness

Uniqueness Score: -1.00%

Function 02F13534 Relevance: 7.5, APIs: 5, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02F13559
CancelIo.KERNEL32(?,?,?,?,02F13170), ref: 02F13562
InterlockedExchange.KERNEL32(?,00000000), ref: 02F1356E
closesocket.WS2_32(?), ref: 02F13577
SetEvent.KERNEL32(?,?,?,?,02F13170), ref: 02F13580

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: 2c66b6398db05cf698308b6b7120520df77ead3a88984f2ebffa46fc22a6f82b
Instruction ID: 0937e73b0d8aa573eb94834a5323d027c4657b4e5597142493b699430c8ef81e
Opcode Fuzzy Hash: 2c66b6398db05cf698308b6b7120520df77ead3a88984f2ebffa46fc22a6f82b
Instruction Fuzzy Hash: 92F03072540719AFDB209B95DC0AA4ABBBCFF04354F104928E382955A0DBB1A954DB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D1D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C4D1CA0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C4D1D2D

DeleteFileA.KERNEL32(C:\Program Files (x86)\IOPL\kl.had,00000015), ref: 6C4D1DB1

Strings

C:\ProgramData\vb.txt, xrefs: 6C4D1D70
C:\Program Files (x86)\IOPL\kl.had, xrefs: 6C4D1DAC, 6C4D1DBE
C:\Program Files (x86)\IOPL\xz.had, xrefs: 6C4D1DCB

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: DeleteFileIos_base_dtorstd::ios_base::_
String ID: C:\Program Files (x86)\IOPL\kl.had$C:\Program Files (x86)\IOPL\xz.had$C:\ProgramData\vb.txt
API String ID: 1428711500-2858683103
Opcode ID: 5c79ecbdd024b22a6d03a1aaa5df56f7d39884888c32eb5d7f3785eef404c885
Instruction ID: ed1f0a969c32d4876165fb1f6b7c5e60c70336899144548a79f98d813fa99ae6
Opcode Fuzzy Hash: 5c79ecbdd024b22a6d03a1aaa5df56f7d39884888c32eb5d7f3785eef404c885
Instruction Fuzzy Hash: 3E01F9B54087809BD604FF949850F46B3E4AB4972AF060A6CFC9A12BC2D735F508CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 10001560 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 10001595

Part of subcall function 10002FC9: _malloc.LIBCMT ref: 10002FE1

_com_util::ConvertStringToBSTR.COMSUPP ref: 10001697
InterlockedDecrement.KERNEL32(00000008), ref: 100016D7
SysFreeString.OLEAUT32(00000000), ref: 100016E8

Memory Dump Source

Source File: 00000006.00000002.3225205779.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10001000_gxonecli.jbxd

Similarity

API ID: String$ConvertDecrementFreeInitializeInterlocked_com_util::_malloc
String ID:
API String ID: 2535435469-0
Opcode ID: b73bb679f5d072da733965cc4b63a5fa5d1046bc435166cc34f03a89613c6429
Instruction ID: d996a079971bd67c922b86a1bfa6acac18ee27ea0d097be1e74d043a57693aa1
Opcode Fuzzy Hash: b73bb679f5d072da733965cc4b63a5fa5d1046bc435166cc34f03a89613c6429
Instruction Fuzzy Hash: E951D5B1C00769EBEB11DFACCC45B9EBBB8FF49710F104619E990A7240EB749A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F204C9 Relevance: 6.0, APIs: 4, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 02F204E2
_beginthreadex.MSVCRT ref: 02F20500
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F20510
CloseHandle.KERNEL32(?), ref: 02F20519

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
String ID:
API String ID: 92035984-0
Opcode ID: 8037fdf9c5cad71e96d6fe2d1b085d5c804cbc711e2c1a5e17d155abde2a1b0a
Instruction ID: af16ba9dd5b511895d1b6f0cc56fcfed4f37c7e3f937c4f1d04e7d22fd4d3561
Opcode Fuzzy Hash: 8037fdf9c5cad71e96d6fe2d1b085d5c804cbc711e2c1a5e17d155abde2a1b0a
Instruction Fuzzy Hash: 2EF0BDB6D0011DFFDF019FA8DD058EEBBB9FB04251B008556FD21E2250E7318E209BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D51D9 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

std::_Xfsopen.LIBCPMT ref: 6C4D5191
std::_Xfsopen.LIBCPMT ref: 6C4D51AD
_fseek.LIBCMT ref: 6C4D51C4

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: Xfsopenstd::_$_fseek
String ID:
API String ID: 1675860589-0
Opcode ID: 8bdc07a0eb3a3a7600f37e084f181f83da16c342b04b669b0d046122297f4c93
Instruction ID: 6895f7047bab4c1671fcefaafd8adfd4a164e9ef0e0e122955eb1e67a408d835
Opcode Fuzzy Hash: 8bdc07a0eb3a3a7600f37e084f181f83da16c342b04b669b0d046122297f4c93
Instruction Fuzzy Hash: B71108A2E4220567EB11F5549C31FAF3796DB0639AF270024AE64C1F81DE24F402C280

Uniqueness

Uniqueness Score: -1.00%

Function 02F1742D Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 02F17439
??3@YAXPAX@Z.MSVCRT ref: 02F1748B
??2@YAPAXI@Z.MSVCRT ref: 02F17499

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: ??2@$??3@
String ID:
API String ID: 1245774677-0
Opcode ID: 5dabfb546e616d69a54bc86f4f6721239987bcea9cc5490cfcbdcac44bb036b6
Instruction ID: a9b5ac9375326c081752af126fed147257cb48411cf798e99dbb73101842917b
Opcode Fuzzy Hash: 5dabfb546e616d69a54bc86f4f6721239987bcea9cc5490cfcbdcac44bb036b6
Instruction Fuzzy Hash: 231115B1C41218EFD700DF89E589899FBF8FF08790B50C46EE20997251D770AA14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F20465 Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02F2046A
memcpy.MSVCRT ref: 02F20489
SetEvent.KERNEL32(?), ref: 02F20494

Part of subcall function 02F2076B: LoadLibraryA.KERNEL32(02FED6D4), ref: 02F20793

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: EventH_prologLibraryLoadmemcpy
String ID:
API String ID: 3518138586-0
Opcode ID: bb35768bf5be9c65cc0f38792cbd823de3575de59d6a482112be9b232998f124
Instruction ID: d653ea99023cf9aba913e6ec9b8b49a282540f0abe25ef718c60056f8f607bf8
Opcode Fuzzy Hash: bb35768bf5be9c65cc0f38792cbd823de3575de59d6a482112be9b232998f124
Instruction Fuzzy Hash: A8F0F9B2D00218AFDB01EFA8DE859EEBFB9EF19790F10442AE501B2251D7755A148EA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D19B5 Relevance: 4.5, APIs: 3, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000001,00003000,00000040,?,?,6C4D1DC8), ref: 6C4D19DA
_memmove.LIBCMT ref: 6C4D19EF
ImmEnumInputContext.IMM32(00000000,00000000,00000000,?,6C4D1DC8), ref: 6C4D19FC

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: AllocContextEnumInputVirtual_memmove
String ID:
API String ID: 3976186603-0
Opcode ID: e4dfab72050ad13f7073ab8df1c6fcfe09acd9e963937dcd5d71f396b90c7aa4
Instruction ID: c0cfaab3ad19560b55dbe829282ded3fdfaa230a051d31409b47db7a5b7c1322
Opcode Fuzzy Hash: e4dfab72050ad13f7073ab8df1c6fcfe09acd9e963937dcd5d71f396b90c7aa4
Instruction Fuzzy Hash: EAE02230A483082AD720F7104C0AFBA37A8EB09B2EF010584FF1C965C1D262211486D2

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D2660 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_fputc.LIBCMT ref: 6C4D26F9

Strings

, xrefs: 6C4D27DD

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: _fputc
String ID:
API String ID: 4236582747-3916222277
Opcode ID: d8eeac8ec00e4db613c7292946e3b46e0fce47859498cb9fcbad418bd7cd0149
Instruction ID: 80cb4152e13ee82945c9ba207baf53f9f012c949a395232e34580936f00ccb94
Opcode Fuzzy Hash: d8eeac8ec00e4db613c7292946e3b46e0fce47859498cb9fcbad418bd7cd0149
Instruction Fuzzy Hash: 23718032A016099FCB24DF98D990E9EF7B5FB48715F114A6EE81593B40DB31BD44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00798671 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,007441F3,007BC15C,00000001,00000001), ref: 0079868E

Part of subcall function 007988AF: __aullrem.LIBCMT ref: 007988F9

Part of subcall function 00798926: lstrlenW.KERNEL32(00000008,?,00798701,?,00000002,?,?,?,?,007441F3,007BC15C,00000001,00000001), ref: 00798933

Strings

MS SHELL DLG, xrefs: 0079871C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CreateGlobalStream__aullremlstrlen
String ID: MS SHELL DLG
API String ID: 287796976-1522538486
Opcode ID: a752b8dace7724bc3ae0f6e3a3d1cdf02d4006a2f95a78d22583da3b20155504
Instruction ID: 462556b90ec61dab67d9ee29349a445debaad3a5ca59c2ff20f536ca088efafb
Opcode Fuzzy Hash: a752b8dace7724bc3ae0f6e3a3d1cdf02d4006a2f95a78d22583da3b20155504
Instruction Fuzzy Hash: 60212AB5910208AFDB10EFA8DC89EBEB7BCFF8A744B10845DF115DB240DB7499018B61

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D1CA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6C4D2550: std::_Lockit::_Lockit.LIBCPMT ref: 6C4D25D2

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C4D1D2D

Part of subcall function 6C4D4F5F: std::ios_base::_Tidy.LIBCPMT ref: 6C4D4F80

Strings

RNl, xrefs: 6C4D1D26

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtorLockitLockit::_Tidystd::_
String ID: RNl
API String ID: 3925221016-1855566928
Opcode ID: 33dbe3a5b4c562d38a88a1c382c9be5582419b7d54d75ec36e114e4b2b5c2387
Instruction ID: 8569a1775632d59d231eb6d528220a136cafe7aa3ac9ba52f8195e42bc3a1b32
Opcode Fuzzy Hash: 33dbe3a5b4c562d38a88a1c382c9be5582419b7d54d75ec36e114e4b2b5c2387
Instruction Fuzzy Hash: 90115BB19016499BDB14DF88D965FD9B7B4FB08310F10439DE92957BC0DB30AA09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02F26410 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 02F2643E
??3@YAXPAX@Z.MSVCRT ref: 02F264A6

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: ??3@malloc
String ID:
API String ID: 3530088491-0
Opcode ID: c7b40a89799137a04bdc428f207c7e7bf526b987e2f5367944476573b76949fe
Instruction ID: e474d2b88a2d805049e55b967f3791a0571898183e71d35f907f26960b3307be
Opcode Fuzzy Hash: c7b40a89799137a04bdc428f207c7e7bf526b987e2f5367944476573b76949fe
Instruction Fuzzy Hash: E311E332E152158FE724EF24EA557217BE8F715785F21442EEA82C614CEB38A804CF04

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D64BE Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C4D97C0: __getptd_noexit.LIBCMT ref: 6C4D97C0

__lock_file.LIBCMT ref: 6C4D6505

Part of subcall function 6C4D5D15: __lock.LIBCMT ref: 6C4D5D3A

__fclose_nolock.LIBCMT ref: 6C4D6510

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: c1ccf2db6d413218f3dd3e5ec854f0e08e895726a74de6e87c4a43aec08c5975
Instruction ID: 8268589ed36da649300aba94f94a75d186e48e12971ed8fbe9db19e63ed718e6
Opcode Fuzzy Hash: c1ccf2db6d413218f3dd3e5ec854f0e08e895726a74de6e87c4a43aec08c5975
Instruction Fuzzy Hash: 44F062308117159ADB10FF689824FDE7BB06F0133AF138A1D9464DAAC0CB78B5468AD9

Uniqueness

Uniqueness Score: -1.00%

Function 02F19038 Relevance: 3.0, APIs: 2, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02F204C9: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 02F204E2
Part of subcall function 02F204C9: _beginthreadex.MSVCRT ref: 02F20500
Part of subcall function 02F204C9: WaitForSingleObject.KERNEL32(?,000000FF), ref: 02F20510
Part of subcall function 02F204C9: CloseHandle.KERNEL32(?), ref: 02F20519

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,02F1932B), ref: 02F19053
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,02F1932B), ref: 02F1905A

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CreateEvent_beginthreadex
String ID:
API String ID: 1089044457-0
Opcode ID: e37caede9a6ec690d7db6a52b329d63a30d1027f8d79518ea61ec212471d0e1c
Instruction ID: b816f32eda383f5d0be77c3a0a5c4a140230e8397dcb9fe086562810f0cef699
Opcode Fuzzy Hash: e37caede9a6ec690d7db6a52b329d63a30d1027f8d79518ea61ec212471d0e1c
Instruction Fuzzy Hash: 02D0C9B294A6243EF55026A47D09EBB360CCF226F0B140A51FE19D6184E9545D514AB5

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D1E00 Relevance: 3.0, APIs: 2, Instructions: 3COMMON

Download Yara Rule

APIs

Part of subcall function 6C4D1D50: DeleteFileA.KERNEL32(C:\Program Files (x86)\IOPL\kl.had,00000015), ref: 6C4D1DB1

ExitProcess.KERNEL32 ref: 6C4D1E07

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: DeleteExitFileProcess
String ID:
API String ID: 347990711-0
Opcode ID: 799d9c625f25715d7779009bf9a8c86ec680d6e54861193afb42877c425aa66c
Instruction ID: 2f66480227ae62e664e84b74d109bebb8ea85e7b04817810539da787b0e556b9
Opcode Fuzzy Hash: 799d9c625f25715d7779009bf9a8c86ec680d6e54861193afb42877c425aa66c
Instruction Fuzzy Hash: 3990023025410056E990FEA0451DF4C36305B06756F020244F60B645954B50714895D6

Uniqueness

Uniqueness Score: -1.00%

Function 10001730 Relevance: 1.8, APIs: 1, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3225205779.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10001000_gxonecli.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b4fb6500594eff6a013853db03c6ef7143a8f71c95312bb16587add7143239
Instruction ID: a9ef87dee4ec13ce1e9a5cdf3c439bcb80fbf23240e4ff2530583432088a619a
Opcode Fuzzy Hash: 81b4fb6500594eff6a013853db03c6ef7143a8f71c95312bb16587add7143239
Instruction Fuzzy Hash: B0C1F771A00219AFDB50DFA8CC88FEEBBB9FF49304F104198E509EB250DB75A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02F1A2F8 Relevance: 1.8, APIs: 1, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3224951471.0000000002F11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f11000_gxonecli.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45499689494fcb9e5811dd326941926bd9784cd5b50696ca477517246bbd160f
Instruction ID: 284c3456a3fa05d8e521997b7cd83a306d1204a44128c26826ccadfeec8472c6
Opcode Fuzzy Hash: 45499689494fcb9e5811dd326941926bd9784cd5b50696ca477517246bbd160f
Instruction Fuzzy Hash: DBB13170540B84AEFB32AF36DC05E6BBFE1EB80B40B01492EF6AB46520D771A855DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D2290 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6C4D22F3

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3d0b8c23d1b716bd78c2b2216eaa5b86c43b6e07cd4b42719cdb8e675e89483e
Instruction ID: fb6ba3b3e3f5770084ebd5de42efa35632429040fd5be8c5506306907abe19b3
Opcode Fuzzy Hash: 3d0b8c23d1b716bd78c2b2216eaa5b86c43b6e07cd4b42719cdb8e675e89483e
Instruction Fuzzy Hash: CC317E355043159BCB10DE28C854E8A73A0FF45325F158A6EFC6887740DB70EE448BD2

Uniqueness

Uniqueness Score: -1.00%

Function 6C4D3560 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 6C4D3DB0: std::_Lockit::_Lockit.LIBCPMT ref: 6C4D3DC1

Part of subcall function 6C4D4540: std::_Lockit::_Lockit.LIBCPMT ref: 6C4D4563
Part of subcall function 6C4D4540: std::_Lockit::_Lockit.LIBCPMT ref: 6C4D4586

std::_Lockit::_Lockit.LIBCPMT ref: 6C4D35DA

Memory Dump Source

Source File: 00000006.00000002.3225314704.000000006C4D1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C4D0000, based on PE: true

Associated: 00000006.00000002.3225298659.000000006C4D0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225335252.000000006C4E5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225352542.000000006C4EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.3225369423.000000006C4EF000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6c4d0000_gxonecli.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: dbe79061a6a4436d188624a18c0e53c67d13a1f2b0c80809ef31fdf908ba9bdf
Instruction ID: 446bf841c2388383238c399333bc9104ec89efeccea92b3bc5fa6ade8adbebbc
Opcode Fuzzy Hash: dbe79061a6a4436d188624a18c0e53c67d13a1f2b0c80809ef31fdf908ba9bdf
Instruction Fuzzy Hash: 6E2195B2A00504ABD710EF58DC50FA9B3B8EB45B24F12472DF82997BC0DB35B904C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 10001CA0 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 10001B50: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 10001B99
Part of subcall function 10001B50: GetProcAddress.KERNEL32(00000000), ref: 10001BA0
Part of subcall function 10001B50: OpenProcess.KERNEL32(00001000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 10001BC1
Part of subcall function 10001B50: OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?,?,?,?,?,?,?), ref: 10001BD6
Part of subcall function 10001B50: LookupPrivilegeValueA.ADVAPI32(00000000,10016908,FFFFFFFF), ref: 10001BE8
Part of subcall function 10001B50: AdjustTokenPrivileges.KERNELBASE(?,?,?,?,00000001,?,00000010,00000000,00000000), ref: 10001C1F
Part of subcall function 10001B50: LoadLibraryA.KERNEL32(1001692C,1001691C,?,?,?,?,00000001,?,00000010,00000000,00000000), ref: 10001C6C
Part of subcall function 10001B50: GetProcAddress.KERNEL32(00000000), ref: 10001C73

Part of subcall function 10001560: CoInitialize.OLE32(00000000), ref: 10001595
Part of subcall function 10001560: _com_util::ConvertStringToBSTR.COMSUPP ref: 10001697

_wprintf.LIBCMT ref: 10001CC4

Memory Dump Source

Source File: 00000006.00000002.3225205779.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10001000_gxonecli.jbxd

Similarity

API ID: AddressLibraryLoadOpenProcProcessToken$AdjustConvertInitializeLookupPrivilegePrivilegesStringValue_com_util::_wprintf
String ID:
API String ID: 3474402026-0
Opcode ID: b16fa08af9a59717ea8b9bb21d24edcea7d0cc9c98c9e52c2ce8b542fce83b8a
Instruction ID: ef113caa98e82db254932f76eb1cecd2457d51a8269c6171abc01cd5d7c1cf58
Opcode Fuzzy Hash: b16fa08af9a59717ea8b9bb21d24edcea7d0cc9c98c9e52c2ce8b542fce83b8a
Instruction Fuzzy Hash: 6CF027786001044BF604EB749C4A9563398DF012C6B00026CFC198B666EB32E860C692

Uniqueness

Uniqueness Score: -1.00%

Function 0079D87F Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0079D894

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 9d03377dca24b8480585aecf951df0f10b8d4b0d9baa6d80ae8dac7056e8fa2b
Instruction ID: 77821e2fe3303e0d987640d7d1a1b38a6aae72bc54009efd439aac1260b9fe82
Opcode Fuzzy Hash: 9d03377dca24b8480585aecf951df0f10b8d4b0d9baa6d80ae8dac7056e8fa2b
Instruction Fuzzy Hash: 4AD05E32591349AAEB105F74BC08B623BECA3C4395F00C476B90CC6150E6B8C9829508

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007483E6 Relevance: 208.7, APIs: 116, Strings: 2, Instructions: 2151windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007483F0
IsIconic.USER32(?), ref: 007484AB
ScreenToClient.USER32(?,?), ref: 00748513
GetCursorPos.USER32(?), ref: 007485E7
ScreenToClient.USER32(?,?), ref: 007485FA
GetTickCount.KERNEL32 ref: 00748667
GetTickCount.KERNEL32 ref: 007486BE
GetActiveWindow.USER32 ref: 00748717
GetWindow.USER32(?,00000004), ref: 00748724
GetWindowLongW.USER32(?,000000F0), ref: 00748734
GetParent.USER32(?), ref: 00748747
SetFocus.USER32(00000000), ref: 00748754
DestroyWindow.USER32(00000000), ref: 0074876B
_memset.LIBCMT ref: 0074878D
BeginPaint.USER32(?,?), ref: 0074879F
EndPaint.USER32(?,?), ref: 007487C6
GetClientRect.USER32(?,?), ref: 007487F1
IsRectEmpty.USER32(?), ref: 0074882F
_memset.LIBCMT ref: 0074884B
BeginPaint.USER32(?,?), ref: 00748860
GetUpdateRect.USER32(?,?,00000000), ref: 007488B5
IsRectEmpty.USER32(?), ref: 0074890F
DeleteDC.GDI32(?), ref: 0074894B
DeleteDC.GDI32(?), ref: 0074895C
DeleteObject.GDI32(?), ref: 0074896D
DeleteObject.GDI32(?), ref: 00748980
_memset.LIBCMT ref: 00748B37
CreateCompatibleDC.GDI32(?), ref: 00748BA4
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00748C09
_memset.LIBCMT ref: 00748C25
BeginPaint.USER32(?,?), ref: 00748C3A
SelectObject.GDI32(?,?), ref: 00748C59
SaveDC.GDI32(?), ref: 00748C6B
IsWindow.USER32(00000000), ref: 00748D1F
IsWindowVisible.USER32(00000000), ref: 00748D61
IntersectRect.USER32(00000000,?,?), ref: 00748DA4
CreateCompatibleDC.GDI32(?), ref: 00748DBF
_memset.LIBCMT ref: 00748E1D
SelectObject.GDI32(00000000,?), ref: 00748E2C
SendMessageW.USER32(00000000,00000317,00000000,00000035), ref: 00748E41
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00748EDC
SelectObject.GDI32(00000000,?), ref: 00748EE9
DeleteObject.GDI32(?), ref: 00748EF5
DeleteDC.GDI32(00000000), ref: 00748EFC
RestoreDC.GDI32(?,?), ref: 00748F53
GetWindowRect.USER32(?,00000000), ref: 00748F85
CreateCompatibleDC.GDI32(?), ref: 00749013
_memset.LIBCMT ref: 00749057
SelectObject.GDI32(?,?), ref: 0074906B

Part of subcall function 0074B036: GetWindowRect.USER32(?,?), ref: 0074B042
Part of subcall function 0074B036: ScreenToClient.USER32(?,?), ref: 0074B05B
Part of subcall function 0074B036: ScreenToClient.USER32(?,?), ref: 0074B063

_memset.LIBCMT ref: 0074909C
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 0074930A
SelectObject.GDI32(?,?), ref: 00749322
SelectObject.GDI32(?), ref: 0074934A
GetStockObject.GDI32(00000005), ref: 00749350
SelectObject.GDI32(?,00000000), ref: 0074935D
Rectangle.GDI32(?,?,?,?,?), ref: 0074937D
SelectObject.GDI32(?,00000000), ref: 0074938A
EndPaint.USER32(?,?), ref: 007493D2

Part of subcall function 00757B98: CreateDIBSection.GDI32(?,00000000,00000000,?,00000000,00000000), ref: 00757BEC

SaveDC.GDI32(?), ref: 00749394
RestoreDC.GDI32(?,00000000), ref: 007493BF
GetFocus.USER32 ref: 00749407
GetParent.USER32(00000000), ref: 00749423
GetTickCount.KERNEL32 ref: 0074959F
GetTickCount.KERNEL32 ref: 00749614
GetTickCount.KERNEL32 ref: 00749694
ScreenToClient.USER32(?,?), ref: 007496FC
GetTickCount.KERNEL32 ref: 00749755
SendMessageW.USER32(?,00002111,00000000,?), ref: 0074978D
GetTickCount.KERNEL32 ref: 007494A2

Part of subcall function 0074777C: GetKeyState.USER32(00000011), ref: 00747788
Part of subcall function 0074777C: GetKeyState.USER32(00000002), ref: 00747794
Part of subcall function 0074777C: GetKeyState.USER32(00000001), ref: 007477A0
Part of subcall function 0074777C: GetKeyState.USER32(00000010), ref: 007477AC
Part of subcall function 0074777C: GetKeyState.USER32(00000012), ref: 007477B8

Strings

tooltips_class32, xrefs: 0074A29B
windowinit, xrefs: 00748AB6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Object$SelectWindow$CountRectTick_memset$ClientDelete$CreatePaintScreenState$Compatible$Begin$EmptyFocusMessageParentRestoreSaveSend$ActiveBitmapCursorDestroyH_prolog3_IconicIntersectLongRectangleSectionStockUpdateVisible
String ID: tooltips_class32$windowinit
API String ID: 2442542815-1250824750
Opcode ID: 6215948b81dd6d7f99ef1aa01840d75138b396766f0a67ae2e9eb9878899ea01
Instruction ID: bf82ee0968337693092ef4ff0721ce606b51fba0397723a04d145336559ab200
Opcode Fuzzy Hash: 6215948b81dd6d7f99ef1aa01840d75138b396766f0a67ae2e9eb9878899ea01
Instruction Fuzzy Hash: B2232A71900219DFDF61CF68CD84BEAB7B5BF49300F0441A9EA09AB255DB399E84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 007A3546 Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 007A357D
___getlocaleinfo.LIBCMT ref: 007A3592
___getlocaleinfo.LIBCMT ref: 007A35A7
___getlocaleinfo.LIBCMT ref: 007A35BC
___getlocaleinfo.LIBCMT ref: 007A35D4
___getlocaleinfo.LIBCMT ref: 007A35E9
___getlocaleinfo.LIBCMT ref: 007A35FB
___getlocaleinfo.LIBCMT ref: 007A3610
___getlocaleinfo.LIBCMT ref: 007A3628
___getlocaleinfo.LIBCMT ref: 007A363D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 660ecf63642404dad71e0016a8e6e9f3857923b07e439564f96fa1097a436cf5
Instruction ID: 27c496b67cb9494e058949b6f29de2de8be9421a6e503741fb16f38a45c390fc
Opcode Fuzzy Hash: 660ecf63642404dad71e0016a8e6e9f3857923b07e439564f96fa1097a436cf5
Instruction Fuzzy Hash: 7BE1EFB394020DFEEF21DAE0CD85DFF77BEEB04744F05092AB665D2041EA74AA159760

Uniqueness

Uniqueness Score: -1.00%

Function 007364F0 Relevance: 44.2, APIs: 3, Strings: 22, Instructions: 451COMMON

Download Yara Rule

APIs

Part of subcall function 00785864: __EH_prolog3_GS.LIBCMT ref: 0078586E

Part of subcall function 00785F48: __EH_prolog3.LIBCMT ref: 00785F4F
Part of subcall function 00785F48: SHGetValueA.SHLWAPI(80000002,Software\projone\podlp\volatile\,upgraded,-00000020,-0000001C,-00000024,?,lblDepName,00000001,?), ref: 00785FE1

SHGetValueW.SHLWAPI(80000002,Software\projone\podlp\,offlineMode,?,?,?,?,lblRuleUptime,00000001), ref: 00736613

Strings

ruleCleaned, xrefs: 007369CF, 00736A2C
lblRuleUptime, xrefs: 007365C1
Software\projone\podlp\, xrefs: 00736600
offlineMode, xrefs: 007365FB
lblMac, xrefs: 00736866
lblPcName, xrefs: 007368F2
lblOnlineStatus, xrefs: 00736635
btnModifyDepAndName, xrefs: 00736920
lblClienId, xrefs: 007366C6
Software\projone\podlp\volatile\, xrefs: 007369D4, 00736A31
AllowViewRules, xrefs: 00736998
btnViewRule, xrefs: 00736988
lblDepName, xrefs: 00736559
lblClienName, xrefs: 0073664C
lblIp, xrefs: 00736796
btnHardwareCustomWnd, xrefs: 00736954
updaterule.png, xrefs: 00736A54
AllowModifyClientInfo, xrefs: 00736930
lblClientVer, xrefs: 00736583
btnClearRules, xrefs: 00736A05, 00736A63
clearrule.png, xrefs: 00736A5B, 00736A60
AllowModifyHardwareCustom, xrefs: 00736964

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Value$H_prolog3H_prolog3_
String ID: AllowModifyClientInfo$AllowModifyHardwareCustom$AllowViewRules$Software\projone\podlp\$Software\projone\podlp\volatile\$btnClearRules$btnHardwareCustomWnd$btnModifyDepAndName$btnViewRule$clearrule.png$lblClienId$lblClienName$lblClientVer$lblDepName$lblIp$lblMac$lblOnlineStatus$lblPcName$lblRuleUptime$offlineMode$ruleCleaned$updaterule.png
API String ID: 948544424-3623742499
Opcode ID: 125f1b92739dee9bce2f8655d343fe70c3089c0530fc16e929fb6aa1068add87
Instruction ID: fea81759a5e0b65384b5101fb434861f98efb31fff2de09ecbb4f5e5cda5dbad
Opcode Fuzzy Hash: 125f1b92739dee9bce2f8655d343fe70c3089c0530fc16e929fb6aa1068add87
Instruction Fuzzy Hash: E1F1D4B1508340EFE725DB24C885BAFB7E5AFD8304F44892DF58997252EB78E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0073EFD0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 290stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00781F0A: __EH_prolog3.LIBCMT ref: 00781F29
Part of subcall function 00781F0A: _memset.LIBCMT ref: 00781F79
Part of subcall function 00781F0A: SHGetValueW.SHLWAPI(80000002,?,?,?,00000000,00000000,?,?,0000001C), ref: 00781F9E
Part of subcall function 00781F0A: _malloc.LIBCMT ref: 00781FBE
Part of subcall function 00781F0A: _memset.LIBCMT ref: 00781FCF
Part of subcall function 00781F0A: SHGetValueW.SHLWAPI(80000002,?,00000007,00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,0000001C), ref: 00781FF0

PathIsDirectoryW.SHLWAPI(?), ref: 0073F17F
GetDiskFreeSpaceExW.KERNEL32(?,00000000,00000000,?), ref: 0073F1A8
PathIsDirectoryW.SHLWAPI(?), ref: 0073F050

Part of subcall function 00781DF9: wvnsprintfW.SHLWAPI(?,00002800,?,?), ref: 00781E33

GetLogicalDrives.KERNEL32 ref: 0073F08D
GetDriveTypeW.KERNEL32(?), ref: 0073F0F9
lstrlenW.KERNEL32(?), ref: 0073F35B
lstrlenW.KERNEL32(?), ref: 0073F368
SHSetValueW.SHLWAPI(80000002,Software\projone\podlp\dlpcore\,bakpath,00000001,?,00000002), ref: 0073F389

Strings

%c:\, xrefs: 0073F0C6
%c:\podlp_backup, xrefs: 0073F152, 0073F305
Software\projone\podlp\dlpcore\, xrefs: 0073F01E, 0073F26B, 0073F37F
bakpath, xrefs: 0073F019, 0073F266, 0073F37A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Value$DirectoryPath_memsetlstrlen$DiskDriveDrivesFreeH_prolog3LogicalSpaceType_mallocwvnsprintf
String ID: %c:\$%c:\podlp_backup$Software\projone\podlp\dlpcore\$bakpath
API String ID: 4032481001-2789667252
Opcode ID: d380211109647c6267b9013583b49b32ed98685d87a2af890235abe3f55af01e
Instruction ID: 924c21230ca20bda022c8a6f736b233cf4a010a354fa7610c8a807f2b6ae8533
Opcode Fuzzy Hash: d380211109647c6267b9013583b49b32ed98685d87a2af890235abe3f55af01e
Instruction Fuzzy Hash: 81B19C71908384DBEB20DF24D845BAFB7E9BF85B40F104A2DF59987292E738D904CB56

Uniqueness

Uniqueness Score: -1.00%

Function 007806E3 Relevance: 19.6, APIs: 13, Instructions: 149stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00780760
GetCurrentDirectoryW.KERNEL32(00000208,?,?,00000000,00000000), ref: 00780774
PathAppendW.SHLWAPI(?,00000000), ref: 00780782
GetFileAttributesW.KERNEL32(00000000,?,00000000,00000000), ref: 0078078B
lstrcpyW.KERNEL32(?,00000000), ref: 007807B0
PathAppendW.SHLWAPI(?,007BFFE0), ref: 007807BE
FindFirstFileW.KERNEL32(?,?), ref: 007807CE
lstrcmpW.KERNEL32(?,007C7D98), ref: 007807F9
lstrcmpW.KERNEL32(?,007C7D9C), ref: 00780813
lstrcpyW.KERNEL32(?,00000000), ref: 00780836
PathAppendW.SHLWAPI(?,?), ref: 00780846
FindNextFileW.KERNEL32(?,?), ref: 007808DA
FindClose.KERNEL32(?), ref: 007808FA

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AppendFileFindPath$lstrcmplstrcpy$AttributesCloseCurrentDirectoryFirstNext_memset
String ID:
API String ID: 223570037-0
Opcode ID: 01eedaf9fa56e46139f8684ac3c0c16078a3828821f36bd86797210f41989de1
Instruction ID: 274aae2e1f5cee40cbf9e8b4300136d611942c8b00ae28ca1974081f519c9c66
Opcode Fuzzy Hash: 01eedaf9fa56e46139f8684ac3c0c16078a3828821f36bd86797210f41989de1
Instruction Fuzzy Hash: 31512072A4031D9BDFA0AB64DC48FD977B8BF05310F0085A9E619E2550DB789EC8DF91

Uniqueness

Uniqueness Score: -1.00%

Function 007467AC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000000), ref: 007467CB
GetParent.USER32(?), ref: 007467E1
GetWindow.USER32(?,00000004), ref: 007467EC
MonitorFromWindow.USER32(?,00000002), ref: 00746813
GetMonitorInfoW.USER32(00000000), ref: 0074681A
IsIconic.USER32(00000000), ref: 00746833
GetWindowRect.USER32(00000000,00000000), ref: 00746844
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 007468D2

Strings

(, xrefs: 0074680C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$MonitorRect$FromIconicInfoParent
String ID: (
API String ID: 1680950861-3887548279
Opcode ID: acde1ab57701873b5407cabaab5133c12de640f41ac5d0f44bc9633727ff52a0
Instruction ID: c1ec7497d1180b8352b5a82bf039b0f5a22252e2717ae4cc91332d584b2a6665
Opcode Fuzzy Hash: acde1ab57701873b5407cabaab5133c12de640f41ac5d0f44bc9633727ff52a0
Instruction Fuzzy Hash: 93416D32A00609AFDF01CFB8CC89AEEBBBAFB49315F158624E605F7190D774AD458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00781593 Relevance: 13.5, APIs: 9, Instructions: 41clipboardstringmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00781594
lstrlenW.KERNEL32(00000004,?,?,00737C8A), ref: 007815A8
GlobalAlloc.KERNEL32(00000002,?,?,00737C8A), ref: 007815B5
GlobalLock.KERNEL32(00000000,?,00737C8A), ref: 007815C2
lstrcpyW.KERNEL32(00000000,00000004), ref: 007815CE
GlobalUnlock.KERNEL32(00000000,?,00737C8A), ref: 007815D5
SetClipboardData.USER32(0000000D,00000000), ref: 007815DE
GlobalFree.KERNEL32(00000000), ref: 007815EC
CloseClipboard.USER32 ref: 007815F3

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Global$Clipboard$AllocCloseDataEmptyFreeLockUnlocklstrcpylstrlen
String ID:
API String ID: 423645850-0
Opcode ID: 5710c3aae00e70ba41fa74e49c0664d4248f70bf2c1070997509605d0387fe94
Instruction ID: 4b1cc746c113141a0188a4b888acfa174fac7cc4415123bc3325b5eb35082401
Opcode Fuzzy Hash: 5710c3aae00e70ba41fa74e49c0664d4248f70bf2c1070997509605d0387fe94
Instruction Fuzzy Hash: 3DF04F31641626ABD7112BB5AC4CF5B3A6CBF497027448214FB17C1251CF2CC916C769

Uniqueness

Uniqueness Score: -1.00%

Function 0079B1F0 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0079C466
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0079C47B
UnhandledExceptionFilter.KERNEL32(007B9820), ref: 0079C486
GetCurrentProcess.KERNEL32(C0000409), ref: 0079C4A2
TerminateProcess.KERNEL32(00000000), ref: 0079C4A9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 5b6f1d319a8d2325ea92432f45fbbfeac2477e0face45338ae7ca715caa51f88
Instruction ID: 23093d9796d94114b0222cf92f30d50b880d93e9076da99c79454f7c9545f771
Opcode Fuzzy Hash: 5b6f1d319a8d2325ea92432f45fbbfeac2477e0face45338ae7ca715caa51f88
Instruction Fuzzy Hash: 3C21CFB65022089FDB00DF68FA49A443BB1FB48305F54C21BE71987270E7B99881DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0074777C Relevance: 7.5, APIs: 5, Instructions: 34keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00747788
GetKeyState.USER32(00000002), ref: 00747794
GetKeyState.USER32(00000001), ref: 007477A0
GetKeyState.USER32(00000010), ref: 007477AC
GetKeyState.USER32(00000012), ref: 007477B8

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 9428577f1cde27624cdac7298a58162273303164d0e97bd4a35c1c8c11ef8b7f
Instruction ID: a8ecf9db214d8635127736f50da40074e128ff49afac5345ed6fdeea636092cf
Opcode Fuzzy Hash: 9428577f1cde27624cdac7298a58162273303164d0e97bd4a35c1c8c11ef8b7f
Instruction Fuzzy Hash: 7DE09A2AF476AA90FD5621A62E4AFFA0D554BD0FD4FC20062EB442B0C89FD4084396B1

Uniqueness

Uniqueness Score: -1.00%

Function 00781164 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00781E54: wvnsprintfA.SHLWAPI(?,00002800,?,?), ref: 00781E8C

CreateFileA.KERNEL32(-00000004,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?), ref: 007811A8
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00781211

Strings

\\?\%c:, xrefs: 0078117C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ControlCreateDeviceFilewvnsprintf
String ID: \\?\%c:
API String ID: 2159692393-379940513
Opcode ID: f2a5f1622b57cbfa1e17b5da499fb4ac5a6d40c9f1d1e6b2c4a1cdd7f35d3ef6
Instruction ID: 5484badb12d518a24a59b7dec9cce0fabbfb091c09ada08f40e26cc555a61499
Opcode Fuzzy Hash: f2a5f1622b57cbfa1e17b5da499fb4ac5a6d40c9f1d1e6b2c4a1cdd7f35d3ef6
Instruction Fuzzy Hash: 8D216072E4021CABDB14EBA5EC49EEEBBBCEB04720F504156F611A71D1DB74AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0074C00E Relevance: 103.7, APIs: 42, Strings: 17, Instructions: 461COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0074C025
__wcstoi64.LIBCMT ref: 0074C051
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000016,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0074C089
__wcstoi64.LIBCMT ref: 0074C03A

Part of subcall function 007A88EE: wcstoxl.LIBCMT ref: 007A890F

__wcsicoll.LIBCMT ref: 0074C09A
__wcstoi64.LIBCMT ref: 0074C0B8
__wcstoi64.LIBCMT ref: 0074C0CF
__wcstoi64.LIBCMT ref: 0074C0E6
__wcstoi64.LIBCMT ref: 0074C0FD

Strings

layeredopacity, xrefs: 0074C31F
linkfontcolor, xrefs: 0074C436
maxinfo, xrefs: 0074C226
roundcorner, xrefs: 0074C190
size, xrefs: 0074C01D
mininfo, xrefs: 0074C1DB
sizebox, xrefs: 0074C094
opacity, xrefs: 0074C2F5
disabledfontcolor, xrefs: 0074C3BA
true, xrefs: 0074C282, 0074C2D7
layeredimage, xrefs: 0074C372
caption, xrefs: 0074C10A
noactivate, xrefs: 0074C2A4
showdirty, xrefs: 0074C271
defaultfontcolor, xrefs: 0074C3F8
selectedcolor, xrefs: 0074C4AC
linkhoverfontcolor, xrefs: 0074C471

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __wcstoi64$__wcsicoll$Windowwcstoxl
String ID: caption$defaultfontcolor$disabledfontcolor$layeredimage$layeredopacity$linkfontcolor$linkhoverfontcolor$maxinfo$mininfo$noactivate$opacity$roundcorner$selectedcolor$showdirty$size$sizebox$true
API String ID: 3742662505-519944345
Opcode ID: 1a40cbd52746796bcbe28e39d6517071fe7d5ce7e9e0f74e550681751293b87e
Instruction ID: 057cc75afbdba087ace54628f1055661d647016b27677823df9664fbb137b098
Opcode Fuzzy Hash: 1a40cbd52746796bcbe28e39d6517071fe7d5ce7e9e0f74e550681751293b87e
Instruction Fuzzy Hash: 3DE105B2901305BADB91AF38CC42FFB37ACAF96754F108529F905DA142EB7CDA408656

Uniqueness

Uniqueness Score: -1.00%

Function 0074D406 Relevance: 88.0, APIs: 34, Strings: 16, Instructions: 462COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0074D483
__wcsicoll.LIBCMT ref: 0074D4D4
__wcsicoll.LIBCMT ref: 0074D4F2
__wcsicoll.LIBCMT ref: 0074D597
__wcsicoll.LIBCMT ref: 0074D605
__wcstoi64.LIBCMT ref: 0074D618
__wcsicoll.LIBCMT ref: 0074D649
__wcstoi64.LIBCMT ref: 0074D65C
__wcsicoll.LIBCMT ref: 0074D7B3
__wcsicoll.LIBCMT ref: 0074D800
__wcsicoll.LIBCMT ref: 0074D817
__wcsicoll.LIBCMT ref: 0074D82E
__wcsicoll.LIBCMT ref: 0074D83F
__wcsicoll.LIBCMT ref: 0074D881
__wcsicoll.LIBCMT ref: 0074D8C6
__wcstoi64.LIBCMT ref: 0074D8D9
__wcsicoll.LIBCMT ref: 0074D8ED
__wcsicoll.LIBCMT ref: 0074D62F

Part of subcall function 007A8345: __wcsicmp_l.LIBCMT ref: 007A83CC

__wcsicoll.LIBCMT ref: 0074D95E

Strings

Default, xrefs: 0074D7AD
Font, xrefs: 0074D591
restype, xrefs: 0074D4EC
size, xrefs: 0074D643
mask, xrefs: 0074D503
value, xrefs: 0074D811, 0074D8E7
bold, xrefs: 0074D66D
italic, xrefs: 0074D6C0
Window, xrefs: 0074D958
MultiLanguage, xrefs: 0074D87B
Image, xrefs: 0074D47D
underline, xrefs: 0074D698
shared, xrefs: 0074D539, 0074D70E, 0074D828
true, xrefs: 0074D54A, 0074D67E, 0074D6A9, 0074D6D1, 0074D6F9, 0074D71F, 0074D839
name, xrefs: 0074D4CC, 0074D629, 0074D7F8
default, xrefs: 0074D6E8

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __wcsicoll$__wcstoi64$__wcsicmp_l
String ID: Default$Font$Image$MultiLanguage$Window$bold$default$italic$mask$name$restype$shared$size$true$underline$value
API String ID: 4023467804-1487863511
Opcode ID: 573715f01d75dbaa4210205dd5a57986c0e2bcf6309a3662be2d41a2b5fa5948
Instruction ID: 3162a477b94bfb2da1f603a76240127f2b9dbbdbc05d85eef85a0228f4ec0b2c
Opcode Fuzzy Hash: 573715f01d75dbaa4210205dd5a57986c0e2bcf6309a3662be2d41a2b5fa5948
Instruction Fuzzy Hash: 57E19231509342EFD761AB248C46A6FB7E8AFD6B24F10092EF48092152EB7DDD058B93

Uniqueness

Uniqueness Score: -1.00%

Function 00788CB9 Relevance: 61.7, APIs: 31, Strings: 4, Instructions: 471COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00788CC3
curl_easy_init.LIBCURL32(00000000,?,000000DC,00789422,?,?), ref: 00788D08
curl_formadd.LIBCURL32(?,?,0000000A,?,00000001,?,00000011,?,?,?,?,000000DC,00789422,?,?), ref: 00788DC9
curl_formadd.LIBCURL32(?,?,0000000E,00000000,0000000C,00000010,0000000D,00000000,00000001,?,00000011,?,?,?,000000DC,00789422), ref: 00788E19
curl_formadd.LIBCURL32(?,?,00000001,?,00000004,00000010,00000006,00000000,00000011,?,?,?,000000DC,00789422,?,?), ref: 00788E49
curl_slist_append.LIBCURL32(00000000,Expect:,?,?,?,000000DC,00789422,?,?), ref: 00788E81
curl_slist_append.LIBCURL32(?,-00000004), ref: 00788F11
curl_slist_append.LIBCURL32(?,Content-Type: application/x-www-form-urlencoded,00000000,00789422,?,?), ref: 00788FAF

Part of subcall function 00788B91: __EH_prolog3.LIBCMT ref: 00788B98

curl_easy_reset.LIBCURL32(?,00000000,00000000,000000FF,00000000,00000000,00789422,?,?), ref: 00789049
curl_easy_setopt.LIBCURL32(?,00002712,?), ref: 00789069
curl_easy_setopt.LIBCURL32(?,0000004E,00000005), ref: 00789073
curl_easy_setopt.LIBCURL32(?,00004E2B,00789252), ref: 00789083
curl_easy_setopt.LIBCURL32(?,00002711,?), ref: 00789094
curl_easy_setopt.LIBCURL32(?,00002728,?), ref: 007890A2
curl_easy_setopt.LIBCURL32(?,00002727,?), ref: 007890B0
curl_easy_setopt.LIBCURL32(?,00002776,007BC514), ref: 007890C0
curl_easy_setopt.LIBCURL32(?,0000271F,?), ref: 007890DE
PathFileExistsA.SHLWAPI(007DB648), ref: 007890F1
curl_easy_setopt.LIBCURL32(?,0000272F,007DB648), ref: 00789106
curl_easy_setopt.LIBCURL32(?,00002734,00000024), ref: 00789126
curl_easy_setopt.LIBCURL32(?,00000034,00000001), ref: 00789130
curl_easy_setopt.LIBCURL32(?,00000040,00000000), ref: 00789143
curl_easy_setopt.LIBCURL32(?,00000051,00000000), ref: 0078914D

Part of subcall function 0073CCE0: std::_String_base::_Xlen.LIBCPMT ref: 0073CD2F
Part of subcall function 0073CCE0: _memcpy_s.LIBCMT ref: 0073CD9A

curl_easy_setopt.LIBCURL32(?,00002751,00000000), ref: 00789175
curl_easy_perform.LIBCURL32(?), ref: 007891A3
curl_formfree.LIBCURL32(?), ref: 007891B4
curl_slist_free_all.LIBCURL32(?), ref: 007891C3
curl_easy_strerror.LIBCURL32(00000000), ref: 007891CF
curl_easy_cleanup.LIBCURL32(?,00000000), ref: 007891E0
curl_easy_getinfo.LIBCURL32(?,00200002,?), ref: 00789219
curl_easy_cleanup.LIBCURL32(?), ref: 00789223

Strings

Expect:, xrefs: 00788E7A
easy_init failed, xrefs: 00788D15
Content-Type: application/x-www-form-urlencoded, xrefs: 00788FA7
`, xrefs: 00788E6A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: curl_easy_setopt$curl_formaddcurl_slist_append$curl_easy_cleanup$ExistsFileH_prolog3H_prolog3_PathString_base::_Xlen_memcpy_scurl_easy_getinfocurl_easy_initcurl_easy_performcurl_easy_resetcurl_easy_strerrorcurl_formfreecurl_slist_free_allstd::_
String ID: Content-Type: application/x-www-form-urlencoded$Expect:$`$easy_init failed
API String ID: 363877404-2120193120
Opcode ID: b5ba21aaf8ffb7dc38246df206e97b24ca85f632bac4c3d59d7051bd24c287b3
Instruction ID: cc6272602b9adaba5f544c4fab34e7da8d8d218d64702cba1720ae84baa5e9be
Opcode Fuzzy Hash: b5ba21aaf8ffb7dc38246df206e97b24ca85f632bac4c3d59d7051bd24c287b3
Instruction Fuzzy Hash: D002BD30D40218EFDF65EFA4DC89BEDBBB4BF04300F54415AE615AB182DB789A40DB62

Uniqueness

Uniqueness Score: -1.00%

Function 007884B2 Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007884BC
curl_easy_init.LIBCURL32 ref: 007884F8
curl_slist_append.LIBCURL32(?,-00000004), ref: 0078858B
curl_easy_reset.LIBCURL32(?,?,00000000,000000FF,00000000), ref: 00788661
curl_easy_setopt.LIBCURL32(?,00002712,000000AC), ref: 00788681
curl_easy_setopt.LIBCURL32(?,0000004E,00000005), ref: 0078868B
curl_easy_setopt.LIBCURL32(?,00004E2B,007887D5), ref: 0078869B
curl_easy_setopt.LIBCURL32(?,00002711,?), ref: 007886A9
curl_easy_setopt.LIBCURL32(?,00002727,?), ref: 007886B7
curl_easy_setopt.LIBCURL32(?,0000272F,007BC514), ref: 007886CB
curl_easy_setopt.LIBCURL32(?,00002776,007BC514), ref: 007886DA
curl_easy_setopt.LIBCURL32(?,00000034,00000001), ref: 007886E4
curl_easy_setopt.LIBCURL32(?,00000040,00000000), ref: 007886F7
curl_easy_setopt.LIBCURL32(?,00000051,00000000), ref: 00788701
curl_easy_setopt.LIBCURL32(?,00002751,00000000), ref: 00788729
PathFileExistsA.SHLWAPI(007DB648), ref: 0078873C
curl_easy_setopt.LIBCURL32(?,0000272F,007DB648), ref: 0078874D
curl_easy_perform.LIBCURL32(?), ref: 00788772
curl_slist_free_all.LIBCURL32(00000000), ref: 00788784
curl_easy_strerror.LIBCURL32(00000000), ref: 00788790
curl_easy_cleanup.LIBCURL32(?), ref: 007887A3

Strings

easy_init failed, xrefs: 00788505
invalid param 2, xrefs: 007884E0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: curl_easy_setopt$ExistsFileH_prolog3_Pathcurl_easy_cleanupcurl_easy_initcurl_easy_performcurl_easy_resetcurl_easy_strerrorcurl_slist_appendcurl_slist_free_all
String ID: easy_init failed$invalid param 2
API String ID: 3440280746-1662159081
Opcode ID: acb5eeb33388f0ed79992c9d1337360bea04e740c2e6af03bf2b97fee61eb73c
Instruction ID: ba72560acdf2ae215745644613d487451f05e65b94b4cd9eea0a11fc8a6d655c
Opcode Fuzzy Hash: acb5eeb33388f0ed79992c9d1337360bea04e740c2e6af03bf2b97fee61eb73c
Instruction Fuzzy Hash: 0891BE31D40208EBDB51EBA4DC89FEEBBB4EF04714F54401AF505A7292EB7C9944DB62

Uniqueness

Uniqueness Score: -1.00%

Function 007965D2 Relevance: 36.1, APIs: 8, Strings: 16, Instructions: 71stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(?,PoLogInfoA,-000000FC,00796860), ref: 007965E7
lstrcmpA.KERNEL32(?,PoLogInfoW), ref: 007965FA

Strings

PoLogWarnA, xrefs: 00796607
PoLogWarnW, xrefs: 0079661A
PoLogPrintA, xrefs: 00796653
PoLogInfoW, xrefs: 007965F4
E7248973, xrefs: 00796626
PoLogPrintW, xrefs: 00796666
E7248972, xrefs: 00796613
PoLogInfoA, xrefs: 007965E1
E7248976, xrefs: 0079665F
E7248974, xrefs: 00796639
PoLogErrW, xrefs: 00796640
E7248971, xrefs: 00796600
E7248975, xrefs: 0079664C
E7248970, xrefs: 007965ED
E7248977, xrefs: 00796672
PoLogErrA, xrefs: 0079662D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: lstrcmp
String ID: E7248970$E7248971$E7248972$E7248973$E7248974$E7248975$E7248976$E7248977$PoLogErrA$PoLogErrW$PoLogInfoA$PoLogInfoW$PoLogPrintA$PoLogPrintW$PoLogWarnA$PoLogWarnW
API String ID: 1534048567-1828307511
Opcode ID: fc68ca24fd1e1df1c4efe0a7528eba7ff6eefe8b170db5885fcf697111916d6e
Instruction ID: 5a5f5750a630bbed093266b74cc22b56875f45fd5f2d30c71240c96b488093bd
Opcode Fuzzy Hash: fc68ca24fd1e1df1c4efe0a7528eba7ff6eefe8b170db5885fcf697111916d6e
Instruction Fuzzy Hash: 900196427456A6A11FD1212D3E49FFA0F698BD1F9930242BEFE04DA289E74CCC8365A5

Uniqueness

Uniqueness Score: -1.00%

Function 007393E0 Relevance: 35.3, APIs: 9, Strings: 11, Instructions: 284windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00785688: __EH_prolog3_GS.LIBCMT ref: 0078568F

MessageBoxW.USER32(?,007BCED0,007BC428,00000010), ref: 00739496
SHGetValueW.SHLWAPI(80000002,Software\projone\podlp\volatile\,ruleCleaned,?,?,?), ref: 007394DE
SHDeleteValueW.SHLWAPI(80000002,Software\projone\podlp\volatile\,ruleCleaned), ref: 00739503

Part of subcall function 00733CE0: OpenEventW.KERNEL32(00000002,00000000,-00000004,00000000,?,?,?,?,?,?,?,?,?,00000000,007B55A9,000000FF), ref: 00733D7D
Part of subcall function 00733CE0: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,007B55A9,000000FF,0079650E,-00000094,-000000C4), ref: 00733D8F
Part of subcall function 00733CE0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,007B55A9,000000FF,0079650E,-00000094,-000000C4), ref: 00733D98

MessageBoxW.USER32(?,007BCF24,Oo`,00000040), ref: 00739523
MessageBoxW.USER32(?,007BCF78,007BCF6C,00000040), ref: 00739707
SHDeleteValueW.SHLWAPI(80000002,Software\projone\podlp\,ruleupt,cbe_type), ref: 0073973F
_memset.LIBCMT ref: 007397B9
ShellExecuteW.SHELL32(00000000,runas,?,/clearRules,00000000,00000001), ref: 007397F0
MessageBoxW.USER32(?,007BCFF4,007BC428,00000010), ref: 00739813

Strings

Software\projone\podlp\volatile\, xrefs: 007394CB, 007394F9, 0073971B
runas, xrefs: 007397EA
Global\{B9A7C12B-AB68-49ff-9A08-080F1B1E0200}, xrefs: 00739509
Oo`, xrefs: 00739518
cbe_details, xrefs: 00739595
ruleupt, xrefs: 00739730
ruleCleaned, xrefs: 007394C6, 007394F4, 00739716
Software\projone\podlp\, xrefs: 00739735
cbe_type, xrefs: 007395FE
clientstat.exe, xrefs: 007397CE
/clearRules, xrefs: 007397DD

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Message$Value$DeleteEvent$CloseExecuteH_prolog3_HandleOpenShell_memset
String ID: /clearRules$Global\{B9A7C12B-AB68-49ff-9A08-080F1B1E0200}$Software\projone\podlp\$Software\projone\podlp\volatile\$cbe_details$cbe_type$clientstat.exe$ruleCleaned$ruleupt$runas$Oo`
API String ID: 3873154455-629460141
Opcode ID: 81a2b8f0a2b0e6c57d77fb1ca060d4ef74d9ffb2d85a2f535675ba6d0103c5c8
Instruction ID: eb4be0233f29f806d4e6732c8bf7c5937b2ab649cf6506c2d64e016be0d74118
Opcode Fuzzy Hash: 81a2b8f0a2b0e6c57d77fb1ca060d4ef74d9ffb2d85a2f535675ba6d0103c5c8
Instruction Fuzzy Hash: C5B1A3B1548380DFE721EB64D84AB9FB7E5AB94700F10891DF28957293DBBD9804CB53

Uniqueness

Uniqueness Score: -1.00%

Function 0073F7B0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 136windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(007BF3BC,007BC428,00000010,00000008), ref: 0073F7ED
MessageBoxW.USER32(00000000), ref: 0073F7F4
GetForegroundWindow.USER32(007BF3FC,007BC428,00000010,00000008), ref: 0073F82D
MessageBoxW.USER32(00000000), ref: 0073F834

Part of subcall function 00735140: SHGetValueW.SHLWAPI ref: 00735168

_memset.LIBCMT ref: 0073F862
GetModuleHandleW.KERNEL32(00000000,wfchost.exe,?,00000104,?,?,?,00000008), ref: 0073F87B
PathFileExistsW.SHLWAPI(?,?,?,?,00000008), ref: 0073F88D
GetForegroundWindow.USER32(007BF42C,007BC428,00000010,?,?,?,00000008), ref: 0073F8A3
MessageBoxW.USER32(00000000), ref: 0073F8AA

Strings

"%s" %s, xrefs: 0073F8F3
wfchost.exe, xrefs: 0073F874
DecryptNeedToApprove, xrefs: 0073F8D1
/encrypt, xrefs: 0073F8CA
AllowManualDecrypt, xrefs: 0073F810
AllowManualEncrypt, xrefs: 0073F7D0
/decryptNoReq, xrefs: 0073F8E7, 0073F8ED
/decrypt, xrefs: 0073F8E0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ForegroundMessageWindow$ExistsFileHandleModulePathValue_memset
String ID: "%s" %s$/decrypt$/decryptNoReq$/encrypt$AllowManualDecrypt$AllowManualEncrypt$DecryptNeedToApprove$wfchost.exe
API String ID: 2305115084-3222097620
Opcode ID: dec28cdb940222f583fb29c8e117bb3c06e8bb92c70e05959a3fe29b4edef66c
Instruction ID: 9e0764832e86eec016642e3dc0f6a41c628e8c751f4f15a8b31c6726f2c6be9d
Opcode Fuzzy Hash: dec28cdb940222f583fb29c8e117bb3c06e8bb92c70e05959a3fe29b4edef66c
Instruction Fuzzy Hash: 184125B5A40340ABDA207BA4BC0FFEF7394AF58B04F408538F64A97193EB3C95048766

Uniqueness

Uniqueness Score: -1.00%

Function 00731550 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 340filewindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00731648
SetLastError.KERNEL32(00000002), ref: 00731655
SetFileAttributesW.KERNEL32(?,00000000), ref: 00731666
DeleteFileW.KERNEL32(?), ref: 0073166D
GetParent.USER32(?), ref: 00731679
EnableWindow.USER32(00000000), ref: 00731680
IsWindow.USER32(?), ref: 0073168A
PostMessageW.USER32(?,00000010,00000002,00000000), ref: 007316A2

Strings

btnClose, xrefs: 007315FA
combToolType, xrefs: 0073181E
btnToolPath, xrefs: 007316AD
btnToolImage, xrefs: 00731725
textchanged, xrefs: 00731865
itemselect, xrefs: 007317E1
click, xrefs: 007315B4
btnAddTool, xrefs: 00731796
edtWebToolUrl, xrefs: 007318AA

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$AttributesWindow$DeleteEnableErrorLastMessageParentPost
String ID: btnAddTool$btnClose$btnToolImage$btnToolPath$click$combToolType$edtWebToolUrl$itemselect$textchanged
API String ID: 226735038-3089785121
Opcode ID: 53447c4f912c7e62879eb105242d717d7f1b7df688441ec69e653d1fcbea10b8
Instruction ID: a037be399895ef5539056806a9564801a37c50e551a825f9443b3b03a7464784
Opcode Fuzzy Hash: 53447c4f912c7e62879eb105242d717d7f1b7df688441ec69e653d1fcbea10b8
Instruction Fuzzy Hash: CEC1F377200201DBFB248B34CC45BE673A1BF65B64FD88A28E556AB2D2E739ED01C351

Uniqueness

Uniqueness Score: -1.00%

Function 00772DF2 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 283COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 00772F85
__wcstoui64.LIBCMT ref: 00772F96
CharNextW.USER32(?), ref: 00772FED
__wcstoui64.LIBCMT ref: 00772FFE
CharNextW.USER32(?), ref: 00773055
__wcstoui64.LIBCMT ref: 00773066
CharNextW.USER32(?), ref: 007730BA
__wcstoui64.LIBCMT ref: 007730CB

Strings

itemhottextcolor, xrefs: 00772FB1
itemtextcolor, xrefs: 00772F49
itemminwidth, xrefs: 00772EFB
selitemtextcolor, xrefs: 00773019
true, xrefs: 00772E34, 00772EB2
visiblefolderbtn, xrefs: 00772DFE
selitemhottextcolor, xrefs: 0077307E
visiblecheckbtn, xrefs: 00772E7D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CharNext__wcstoui64
String ID: itemhottextcolor$itemminwidth$itemtextcolor$selitemhottextcolor$selitemtextcolor$true$visiblecheckbtn$visiblefolderbtn
API String ID: 216335860-1882295018
Opcode ID: b2bd4bd5e216d1284bb9e7005afb7304e26e16bee0515137cb5faa5787d8e3a2
Instruction ID: e12f0d92811b9f2e5444fe3fe71299cbbae61dad93003f080827f35ef23fafb1
Opcode Fuzzy Hash: b2bd4bd5e216d1284bb9e7005afb7304e26e16bee0515137cb5faa5787d8e3a2
Instruction Fuzzy Hash: B89193212101129ADF14AF34CC55BB63376AF31BE4B54C668E82DCB296E77BDE82D350

Uniqueness

Uniqueness Score: -1.00%

Function 0076A0B5 Relevance: 26.7, APIs: 3, Strings: 12, Instructions: 404windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 0076A313
CharNextW.USER32(?), ref: 0076A51B
__wcstoui64.LIBCMT ref: 0076A52B

Strings

password, xrefs: 0076A1C4
numberonly, xrefs: 0076A13C
nativebkcolor, xrefs: 0076A4DF
autoselall, xrefs: 0076A244
normalimage, xrefs: 0076A321
hotimage, xrefs: 0076A3CA
readonly, xrefs: 0076A0C2
true, xrefs: 0076A0FA, 0076A171, 0076A1F9, 0076A279
maxchar, xrefs: 0076A2BA
placeholder, xrefs: 0076A379
disabledimage, xrefs: 0076A473
focusedimage, xrefs: 0076A422

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CharMessageNextSend__wcstoui64
String ID: autoselall$disabledimage$focusedimage$hotimage$maxchar$nativebkcolor$normalimage$numberonly$password$placeholder$readonly$true
API String ID: 3741776718-2618076580
Opcode ID: 0a9ebfa2ed8a97da9df39ac7e07903392760d04c373f2cc35374dd0af0f6739c
Instruction ID: b7b9c4cb64f37ea2f00a0e0387ed5afeb1feaf744a0fe47a98545f67394711d8
Opcode Fuzzy Hash: 0a9ebfa2ed8a97da9df39ac7e07903392760d04c373f2cc35374dd0af0f6739c
Instruction Fuzzy Hash: 19D1B111250406AACB26AF28CC509B53363EF71B707E94665EC17AF299E72BCD81CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00732050 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 369windowstringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,addimage.png,?,?,?,btnToolImage,00000001), ref: 007321FB
PathFileExistsW.SHLWAPI(?,?,?,?,?,B04868B4), ref: 0073229B
PathFindFileNameW.SHLWAPI(?,00000000,?,00000000,000000FF), ref: 0073236A
MessageBoxW.USER32(?,-00000004,007BC428,00000010), ref: 0073254E
IsWindow.USER32(?), ref: 00732597
PostMessageW.USER32(?,00000010,00000001,00000000), ref: 007325AB

Strings

edtStartParam, xrefs: 00732275
chkAdmin, xrefs: 0073248F
btn_%s_%d, xrefs: 00732371
edtToolName, xrefs: 007320BA, 0073246E
btnToolPath, xrefs: 0073225E
addimage.png, xrefs: 007321F5
btnToolImage, xrefs: 0073212E, 0073243B
edtToolDesc, xrefs: 00732483
edtWebToolUrl, xrefs: 007320AE

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: FileMessagePath$ExistsFindNamePostWindowlstrcmpi
String ID: addimage.png$btnToolImage$btnToolPath$btn_%s_%d$chkAdmin$edtStartParam$edtToolDesc$edtToolName$edtWebToolUrl
API String ID: 3840965363-1781643441
Opcode ID: d453dfed8f7c37f3504a648b1a530084db0cf5473f32af4bd6701229b9ea4d00
Instruction ID: a176d1589b5e68380bd4159ae46b1872fcdb7f925d930a2a3761306d922bd241
Opcode Fuzzy Hash: d453dfed8f7c37f3504a648b1a530084db0cf5473f32af4bd6701229b9ea4d00
Instruction Fuzzy Hash: 4EE1E3B1604341DFE724DF14C885BAB77E9AF84300F048968FA899F293D779E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007695FC Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 271timeCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32(00000000), ref: 0076963A
SetTimer.USER32(?,00000014,00000000), ref: 00769646
GetClientRect.USER32(?,?), ref: 007696BA
InvalidateRect.USER32(?,?,00000000), ref: 007696CA
GetClientRect.USER32(?,?), ref: 007697A2
GetCaretPos.USER32(?), ref: 007697AD
GetClientRect.USER32(?,?), ref: 0076981C
InvalidateRect.USER32(?,?,00000000), ref: 0076982C
SetBkMode.GDI32(?,00000001), ref: 00769887
SetTextColor.GDI32(?,?), ref: 007698B5
DeleteObject.GDI32(?), ref: 007698CE
CreatePatternBrush.GDI32(00000000), ref: 00769910
DeleteObject.GDI32(00000000), ref: 0076991A
CreateSolidBrush.GDI32(?), ref: 00769944

Part of subcall function 007699B4: GetWindowTextLengthW.USER32(?), ref: 007699CF
Part of subcall function 007699B4: GetWindowTextW.USER32(?,?,00000001), ref: 007699EE

Strings

return, xrefs: 007696F8

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect$ClientText$BrushCaretCreateDeleteInvalidateObjectWindow$BlinkColorLengthModePatternSolidTimeTimer
String ID: return
API String ID: 1094564555-2812165903
Opcode ID: 5a15ffd84c6085b8a425ed123c1f2346adedc16c775dd6ad8c302db309361173
Instruction ID: 0d11f2146095480090f53a96d0af90d7d350911800331c273f7197cf7cb7a3af
Opcode Fuzzy Hash: 5a15ffd84c6085b8a425ed123c1f2346adedc16c775dd6ad8c302db309361173
Instruction Fuzzy Hash: 5FA17271504210EFDF14DF64C988BAA3BE9EF89314F0445A9FE568B2A2C739DD14CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00733150 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 181windowmemoryfileCOMMON

Download Yara Rule

APIs

GetIconInfo.USER32(?,?), ref: 0073319C
GetObjectW.GDI32(?,00000018,?), ref: 007331B9
_memset.LIBCMT ref: 007331CF
GetVersionExW.KERNEL32 ref: 007331EA
GdipGetImageHeight.GDIPLUS(?,?,?,?,?,00000000), ref: 00733226
GdipGetImageWidth.GDIPLUS(?,?,?,?,?,?,?,00000000), ref: 00733243
GdipGetImagePixelFormat.GDIPLUS(?,?,?,?,?,?,?,?,?,00000000), ref: 0073326C
GdipBitmapLockBits.GDIPLUS(?,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0073328D
GdipAlloc.GDIPLUS(00000010,?,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0073329B
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000,?,?,?,00000000), ref: 00733317

Strings

, xrefs: 007331F0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Gdip$Image$AllocBitmapBitsFileFormatHeightIconInfoLockObjectPixelSaveVersionWidth_memset
String ID:
API String ID: 2869424869-3916222277
Opcode ID: 2dd64bf91ee1b0513376d42bd324b8f889304f3144e608cf9f56967432051936
Instruction ID: c6d768931c79174d6dc185ea5387d664c9eb287ca42077a9e30d8221ec0dcd01
Opcode Fuzzy Hash: 2dd64bf91ee1b0513376d42bd324b8f889304f3144e608cf9f56967432051936
Instruction Fuzzy Hash: B2616FB1508345AFE720DF64D885A6BB7E4BFC8700F40892DF69987252E738E944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0074CD75 Relevance: 24.8, APIs: 4, Strings: 10, Instructions: 304COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 0074D04D
__wcstoui64.LIBCMT ref: 0074D05D
CharNextW.USER32(?), ref: 0074D0AC
__wcstoui64.LIBCMT ref: 0074D0BC

Strings

selectedhotimage, xrefs: 0074CEA1
selectedimage, xrefs: 0074CE49
disablednormalimage, xrefs: 0074CEF9
true, xrefs: 0074CDFE
disabledselectedimage, xrefs: 0074CF51
foreimage, xrefs: 0074CFA2
selected, xrefs: 0074CDC9
selectedtextcolor, xrefs: 0074D070
group, xrefs: 0074CD82
selectedbkcolor, xrefs: 0074D011

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CharNext__wcstoui64
String ID: disablednormalimage$disabledselectedimage$foreimage$group$selected$selectedbkcolor$selectedhotimage$selectedimage$selectedtextcolor$true
API String ID: 216335860-3755474186
Opcode ID: b09a8c16e7a2eaff59fe6f952259d2c165c4d2026d8f15178343635b221a0f74
Instruction ID: be376fd1ccf9061388686ced5fb4c06bcded544ecbf357b041e2982c23b4e891
Opcode Fuzzy Hash: b09a8c16e7a2eaff59fe6f952259d2c165c4d2026d8f15178343635b221a0f74
Instruction Fuzzy Hash: 31A1C022311012DACF76AF34C851AF57363AB32B24B944629E565CB294F73FCE86D781

Uniqueness

Uniqueness Score: -1.00%

Function 0075C955 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0075C982
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0075C9B8
SelectObject.GDI32(?,?), ref: 0075C9C7
CreateCompatibleDC.GDI32(?), ref: 0075CA2D
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 0075CA4B
SelectObject.GDI32(00000000,00000000), ref: 0075CA5C
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0075CA7A

Strings

(, xrefs: 0075CA1A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Create$Compatible$ObjectSelect$BitmapSection
String ID: (
API String ID: 2425437800-3887548279
Opcode ID: c9ab20ae3a85963d79eb8e71bf3eb473b4619ad209770f651a24eb33a8c3f965
Instruction ID: 91b53941a3c20da8e403108acb96414b022c16d7032b6ef1e7af8a68374d1f15
Opcode Fuzzy Hash: c9ab20ae3a85963d79eb8e71bf3eb473b4619ad209770f651a24eb33a8c3f965
Instruction Fuzzy Hash: 3751F27190025AEFDF019FA4DC48BEEBFB6FF48301F108129FA25A6260D7799954DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0076EDC8 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0076EE1A
IntersectRect.USER32(?,?,?), ref: 0076EF32
IntersectRect.USER32(?,?,00000000), ref: 0076EF80

Strings

IListItem, xrefs: 0076F05D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: IntersectRect
String ID: IListItem
API String ID: 481094312-3953988410
Opcode ID: af4d57b3450de84d020e2872d2a56969ff3c201f82927e04b94680c2442b693a
Instruction ID: 9464fa026308a4feb426e56f788f0dd55c30128319bf9ef3f99da6ec359d38e8
Opcode Fuzzy Hash: af4d57b3450de84d020e2872d2a56969ff3c201f82927e04b94680c2442b693a
Instruction Fuzzy Hash: 4AF14635204205DFCB10DF24C888EAA77E6FF89744F0844A9FD8A9B261DB36E945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00765583 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 007655D5
IntersectRect.USER32(?,?,?), ref: 007656ED
IntersectRect.USER32(?,?,00000000), ref: 0076573B

Strings

IListItem, xrefs: 00765818

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: IntersectRect
String ID: IListItem
API String ID: 481094312-3953988410
Opcode ID: 9be67c23abf26316b64e8142d6fe04c207eee163e8b74cd676b5aa06188b9af7
Instruction ID: b663d9c1f7ef6df6f7179f590c51fdf0c74c5433ea86c135244fa7a47a9f6367
Opcode Fuzzy Hash: 9be67c23abf26316b64e8142d6fe04c207eee163e8b74cd676b5aa06188b9af7
Instruction Fuzzy Hash: E2F15A31204605DFCB10DF64C888EAA7BF6FF88704F084569FD869B251DB36E915DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0079CD9B Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,007CCCF0,0000000C,0079CED6,00000000,00000000,?,?,00747EC5,00000053,?,?,?,0073137A,?,B04868B4), ref: 0079CDAD
__crt_waiting_on_module_handle.LIBCMT ref: 0079CDB8

Part of subcall function 0079E70C: Sleep.KERNEL32(000003E8,00000000,?,0079CCFE,KERNEL32.DLL,?,0079CD4A,?,?,00747EC5,00000053,?,?,?,0073137A,?), ref: 0079E718
Part of subcall function 0079E70C: GetModuleHandleW.KERNEL32(?,?,0079CCFE,KERNEL32.DLL,?,0079CD4A,?,?,00747EC5,00000053,?,?,?,0073137A,?,B04868B4), ref: 0079E721

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0079CDE1
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0079CDF1
__lock.LIBCMT ref: 0079CE13
InterlockedIncrement.KERNEL32(007D6430), ref: 0079CE20
__lock.LIBCMT ref: 0079CE34
___addlocaleref.LIBCMT ref: 0079CE52

Strings

0d}, xrefs: 0079CE0A
`i}, xrefs: 0079CE47
KERNEL32.DLL, xrefs: 0079CDA7, 0079CDAC, 0079CDB7
EncodePointer, xrefs: 0079CDD5
DecodePointer, xrefs: 0079CDE9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: 0d}$DecodePointer$EncodePointer$KERNEL32.DLL$`i}
API String ID: 1028249917-3577627642
Opcode ID: cb148ded4e51b870f2473bc732ad86a7d045a07edd7ed3f80418aaeaf2df78bf
Instruction ID: d47a2ead2f15789b9b0fc1c6de519fd6c050cfd49358e1a19db6968420065d14
Opcode Fuzzy Hash: cb148ded4e51b870f2473bc732ad86a7d045a07edd7ed3f80418aaeaf2df78bf
Instruction Fuzzy Hash: 7611D271900705DFDF20EF79A80AB9ABBF0AF00310F10851EE6A9A63A1CB7C9940CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0075F3AF Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 264windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0075F4E6
ScreenToClient.USER32(?,?), ref: 0075F508
PtInRect.USER32(?,?,?), ref: 0075F51B
SetFocus.USER32(?), ref: 0075F583
GetCaretPos.USER32(?), ref: 0075F5ED
ImmGetContext.IMM32(?), ref: 0075F600
ImmSetCompositionWindow.IMM32(00000000,00000020), ref: 0075F62B
GetObjectW.GDI32(00000000,0000005C,?), ref: 0075F649
ImmSetCompositionFontW.IMM32(00000000,?), ref: 0075F655
ImmReleaseContext.IMM32(?,00000000), ref: 0075F668
ScreenToClient.USER32(?,?), ref: 0075F69C

Strings

, xrefs: 0075F60A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ClientCompositionContextScreen$CaretCursorFocusFontObjectRectReleaseWindow
String ID:
API String ID: 850084529-3916222277
Opcode ID: 86ca2ddd13f6a8b8dab704faf3f1c8d520ba1e6abeb51b0e1bc1bc15e6337e90
Instruction ID: e17dfb84d9d8f90d1916e24e47a4147f3e6df13d471b8fe23e7131d2bac84bcb
Opcode Fuzzy Hash: 86ca2ddd13f6a8b8dab704faf3f1c8d520ba1e6abeb51b0e1bc1bc15e6337e90
Instruction Fuzzy Hash: EAA169712042418FDB24CF24C988BBE7BE5FF88301F140569F996872A2DBB9DD59CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00762989 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(errorLine), ref: 007629DA
SysAllocString.OLEAUT32(errorCharacter), ref: 007629E4
SysAllocString.OLEAUT32(errorCode), ref: 007629EE
SysAllocString.OLEAUT32(errorMessage), ref: 007629F8
SysAllocString.OLEAUT32(errorUrl), ref: 00762A02
SysFreeString.OLEAUT32(?), ref: 00762A99

Strings

errorCharacter, xrefs: 007629DC
errorUrl, xrefs: 007629FA
(, xrefs: 007629B4
errorLine, xrefs: 007629CC
errorCode, xrefs: 007629E6
errorMessage, xrefs: 007629F0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: String$Alloc$Free
String ID: ($errorCharacter$errorCode$errorLine$errorMessage$errorUrl
API String ID: 2383597386-2821095632
Opcode ID: ba91d4e7186ae60fffc54e873064da09c67405ce79963ae043ac6ab77520a5fd
Instruction ID: 929d4685c69bad3191c61c96b08417e6f5e7b34d6a9265059d29daa4a8f0a4a6
Opcode Fuzzy Hash: ba91d4e7186ae60fffc54e873064da09c67405ce79963ae043ac6ab77520a5fd
Instruction Fuzzy Hash: F3412BB5A00309AFDF10DFA4C889EAE7B74FF48714F108569F915AB291D7B49A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0073C710 Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 46libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0073C71B
GetModuleHandleW.KERNEL32(kernel32.dll,GetTickCount64), ref: 0073C72F
GetProcAddress.KERNEL32(00000000), ref: 0073C736
GetTickCount.KERNEL32 ref: 0073C753
GetModuleHandleW.KERNEL32(kernel32.dll,GetTickCount64), ref: 0073C76C
GetProcAddress.KERNEL32(00000000), ref: 0073C773
OutputDebugStringW.KERNEL32([OneClient]exit on expired), ref: 0073C7A7
ExitProcess.KERNEL32 ref: 0073C7AF

Strings

[OneClient]exit on expired, xrefs: 0073C7A2
GetTickCount64, xrefs: 0073C721
kernel32.dll, xrefs: 0073C726

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressHandleModuleProc$CountDebugExitOutputProcessStringTickVisibleWindow
String ID: GetTickCount64$[OneClient]exit on expired$kernel32.dll
API String ID: 3855475818-2553938042
Opcode ID: dfeb6a49a26ec9689521635944f43a3ec701908370a8a6f21ea3bfdcd55bb603
Instruction ID: dc88203bbb821fe7f48b08543548d3a267fe32fcff454bf17b64cd93a3292fd7
Opcode Fuzzy Hash: dfeb6a49a26ec9689521635944f43a3ec701908370a8a6f21ea3bfdcd55bb603
Instruction Fuzzy Hash: 8C016D70A0120ADFDB14AFB9AD4DB593BB4BB8C701F04CA59EB15E1271EB3C9400DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0075E620 Relevance: 19.9, APIs: 13, Instructions: 433COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0075E66B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: IntersectRect
String ID:
API String ID: 481094312-0
Opcode ID: ff72138471a37a95f4aa516d8641a83df3817e1b623cf5f27afa0477d5655537
Instruction ID: 79f5bdf24ce5a8e67c730c7d2383d895ca0fa3b09a0dc24e6d1f59cafc233996
Opcode Fuzzy Hash: ff72138471a37a95f4aa516d8641a83df3817e1b623cf5f27afa0477d5655537
Instruction Fuzzy Hash: A6024871204200DFDB14DF64C888EAA7BF6FF88701F0549A9FD858B261DB76EA49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0074B69D Relevance: 19.7, APIs: 13, Instructions: 181COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074B6C8
GetStockObject.GDI32(00000011), ref: 0074B6D8
GetObjectW.GDI32(00000000,?,00000000), ref: 0074B6DF
_wcsncpy.LIBCMT ref: 0074B6EC
CreateFontIndirectW.GDI32(?), ref: 0074B725
_memset.LIBCMT ref: 0074B764
SelectObject.GDI32(?,?), ref: 0074B7B2
GetTextMetricsW.GDI32(?,00000090), ref: 0074B7C4
SelectObject.GDI32(?,?), ref: 0074B7D3
__itow.LIBCMT ref: 0074B7E8
DeleteObject.GDI32(00000000), ref: 0074B819
DeleteObject.GDI32(00000000), ref: 0074B855
DeleteObject.GDI32(?), ref: 0074B885

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Object$Delete$Select_memset$CreateFontIndirectMetricsStockText__itow_wcsncpy
String ID:
API String ID: 1063276355-0
Opcode ID: 0964ab0869c7f2c3b3056e475afc9f657eaba6b1fd19c346c819363570ab4f36
Instruction ID: bfaa7b0129e2b7de90538286e21e898695cf535ce1d495b415f748b2913e22a3
Opcode Fuzzy Hash: 0964ab0869c7f2c3b3056e475afc9f657eaba6b1fd19c346c819363570ab4f36
Instruction Fuzzy Hash: B6619071900249EBDF11AFA4DC45FDE7BBCAF09300F148069F955A7252DB78D948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0076930B Relevance: 19.6, APIs: 13, Instructions: 149windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,?,00000001), ref: 007693C2
SendMessageW.USER32(?,000000C5,?,00000000), ref: 007693D6
SendMessageW.USER32(?,000000CC,?,00000000), ref: 007693F5
SetWindowTextW.USER32(?,00000000), ref: 0076940B
SendMessageW.USER32(?,000000B9,00000000,00000000), ref: 00769426
SendMessageW.USER32(?,000000D3,00000003,00000000), ref: 00769433
EnableWindow.USER32(?,00000000), ref: 0076944B
SendMessageW.USER32(?,000000CF,00000000,00000000), ref: 0076946A
ShowWindow.USER32(?,00000004), ref: 00769471
SetFocus.USER32(?), ref: 0076947A
GetWindowTextLengthW.USER32(?), ref: 0076948F
GetWindowTextLengthW.USER32(?), ref: 007694A0
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007694B0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MessageSend$Window$Text$Length$EnableFocusShow
String ID:
API String ID: 772611947-0
Opcode ID: 00ee76b28acd8720aae0d7b430833632ce221efb1a6d6097f594b11d61d8a0b0
Instruction ID: 88cf90643a83cb1aca161e8bcf95c2a4a786c72e70cf2867f181bc725e873a13
Opcode Fuzzy Hash: 00ee76b28acd8720aae0d7b430833632ce221efb1a6d6097f594b11d61d8a0b0
Instruction Fuzzy Hash: CD517B71500250EFDB119F24CD89E6A3FAAEF49704F0481A5FE1A9F2A6CB76DC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0078CFD8 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078CFDF

Strings

allowDroppedNullPlaceholders, xrefs: 0078D076
strictRoot, xrefs: 0078D04B
allowComments, xrefs: 0078D027
rejectDupKeys, xrefs: 0078D153
allowNumericKeys, xrefs: 0078D0A1
collectComments, xrefs: 0078CFFB
allowSingleQuotes, xrefs: 0078D0CC
failIfExtra, xrefs: 0078D128
stackLimit, xrefs: 0078D0FA
allowSpecialFloats, xrefs: 0078D17E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3
String ID: allowComments$allowDroppedNullPlaceholders$allowNumericKeys$allowSingleQuotes$allowSpecialFloats$collectComments$failIfExtra$rejectDupKeys$stackLimit$strictRoot
API String ID: 431132790-1556308682
Opcode ID: 2f9d9935d26e68742d3809923fbfd7c4821089ad9deb5a37cc844bd3b606f7a4
Instruction ID: 385523c13af2e4b7ff3ebb6248c27dc820131ba4524c711d3c8fe056fdeed63a
Opcode Fuzzy Hash: 2f9d9935d26e68742d3809923fbfd7c4821089ad9deb5a37cc844bd3b606f7a4
Instruction Fuzzy Hash: CD416CB0D81215EBD790BBAD890B74DBBB5BB44721F608158F414A7682DB7C4F0197D3

Uniqueness

Uniqueness Score: -1.00%

Function 0078EE53 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 116COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0078EE7B

Part of subcall function 007A921D: __vsprintf_s_l.LIBCMT ref: 007A9231

__finite.LIBCMT ref: 0078EE88
swprintf.LIBCMT ref: 0078EEA5
swprintf.LIBCMT ref: 0078EF54

Strings

-Infinity, xrefs: 0078EF2F
-1e+9999, xrefs: 0078EF36
1e+9999, xrefs: 0078EF48, 0078EF4D
Infinity, xrefs: 0078EF41
%%.%dg, xrefs: 0078EE73
null, xrefs: 0078EF18
NaN, xrefs: 0078EF11

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: swprintf$__finite__vsprintf_s_l
String ID: %%.%dg$-1e+9999$-Infinity$1e+9999$Infinity$NaN$null
API String ID: 2780222078-1955747591
Opcode ID: f0c5632662ca63494203f9214e49ffbc8eb889612c48b726326e28c7ef5a9a2e
Instruction ID: 040f259fba22a6bb067ccfed3cc5477748af16c556cc3a8cd033335e8d4ef54a
Opcode Fuzzy Hash: f0c5632662ca63494203f9214e49ffbc8eb889612c48b726326e28c7ef5a9a2e
Instruction Fuzzy Hash: 1E313971A4420DE6DF54EA64E849FDE77A8EF59324F10007EF641A60C1EF7DD5408761

Uniqueness

Uniqueness Score: -1.00%

Function 00734A70 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(pobus32.dll,00000000,00734B31,?), ref: 00734A85
GetModuleHandleA.KERNEL32(pobus64.dll), ref: 00734A90
GetModuleHandleA.KERNEL32(poda32.dll), ref: 00734A9B
GetModuleHandleA.KERNEL32(poda64.dll), ref: 00734AA6
GetProcAddress.KERNEL32(00000000,E1034A78), ref: 00734AAE

Strings

E1034A78, xrefs: 00734AA8
getRuleContent, xrefs: 00734AC4
poda32.dll, xrefs: 00734A96
pobus32.dll, xrefs: 00734A80
poda64.dll, xrefs: 00734AA1
pobus64.dll, xrefs: 00734A8B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: E1034A78$getRuleContent$pobus32.dll$pobus64.dll$poda32.dll$poda64.dll
API String ID: 1883125708-481540518
Opcode ID: 7a7000aff2a546202affb301e85cfe08b5f02739b25594f6a28b9f5106827614
Instruction ID: 575b93d7327dbbdc324428eaf04587d38897d14b8f438607de1a3a32f559c0b1
Opcode Fuzzy Hash: 7a7000aff2a546202affb301e85cfe08b5f02739b25594f6a28b9f5106827614
Instruction Fuzzy Hash: BFE0E5F1BC1316B9BB1497B58D09F2A3B986D65B82704804EFA40D1084F75CE8008AA8

Uniqueness

Uniqueness Score: -1.00%

Function 007466C0 Relevance: 18.1, APIs: 12, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000004), ref: 007466D2
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 007466E0
EnableWindow.USER32(?,00000000), ref: 007466F0
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0074670A
EnableWindow.USER32(?,00000001), ref: 0074672D
SetFocus.USER32(?), ref: 00746732
TranslateMessage.USER32(?), ref: 00746747
DispatchMessageW.USER32(?), ref: 00746750
IsWindow.USER32(?), ref: 0074675F
EnableWindow.USER32(?,00000001), ref: 0074676E
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00746773
PostQuitMessage.USER32(?), ref: 00746782

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$Message$Enable$Focus$DispatchPostQuitShowTranslate
String ID:
API String ID: 200552106-0
Opcode ID: e52ebdd5c8800ee6d361a9be2e7f77493a18c73851fc5955353d7d4951f0f504
Instruction ID: f22b4da020fa82a63739df7c85c83b7ed1f07dd4014c563d43012f96b38d7b16
Opcode Fuzzy Hash: e52ebdd5c8800ee6d361a9be2e7f77493a18c73851fc5955353d7d4951f0f504
Instruction Fuzzy Hash: BE213971900208EFDF229FA4DE89EDEBBB9EF49305F108554E611B2160C73A9D41DB24

Uniqueness

Uniqueness Score: -1.00%

Function 0076F513 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

ScrollBar, xrefs: 0076F840, 0076F9CC
VerticalLayout, xrefs: 0076F5D8
|f|, xrefs: 0076F5A4

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: _malloc
String ID: ScrollBar$VerticalLayout$|f|
API String ID: 1579825452-230747103
Opcode ID: a1d59d01200a73ca5dc5f824b001315e7d6662ae06db964f5fa16e9785f74387
Instruction ID: 84bdd0e34141f73aab113b2ee8a6d6c8a6d5428298896e0bf10eeaff3dbb4b0b
Opcode Fuzzy Hash: a1d59d01200a73ca5dc5f824b001315e7d6662ae06db964f5fa16e9785f74387
Instruction Fuzzy Hash: 67F1AA71504201DFCB10DF28D888BAA77E5FF89314F1449B9FD5A9B262DB34E845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00797112 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 365COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0079711C

Strings

GET, xrefs: 00797315, 0079731A, 0079743A
name, xrefs: 007971C8
%s/auth/testLogin?data=%s, xrefs: 007972AD
otp, xrefs: 00797510
%s/auth/_sso?data=%s, xrefs: 00797588
%s/auth/_ssoOtp, xrefs: 00797418
type, xrefs: 00797192
password, xrefs: 00797235
&_uri=%s, xrefs: 007975FA

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_
String ID: %s/auth/_sso?data=%s$%s/auth/_ssoOtp$%s/auth/testLogin?data=%s$&_uri=%s$GET$name$otp$password$type
API String ID: 2427045233-1961936128
Opcode ID: 6aafb44ea7433b62f2886c65c98953dad14946b3c6fcd81049461e6e4ae2a95b
Instruction ID: 17e8d03bd9efcdb8b3807d74c4cada88e7608fef0ae240a00ae1bebe414a9dd6
Opcode Fuzzy Hash: 6aafb44ea7433b62f2886c65c98953dad14946b3c6fcd81049461e6e4ae2a95b
Instruction Fuzzy Hash: 61F14C31C14198DBEF59EBA4D849BDDB7B8AF14300F5480D9E48973282DB786F89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00734AD0 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(pobus32.dll), ref: 00734BB8
GetModuleHandleA.KERNEL32(pobus64.dll), ref: 00734BC3
GetModuleHandleA.KERNEL32(poda32.dll), ref: 00734BCE
GetModuleHandleA.KERNEL32(poda64.dll), ref: 00734BD9
GetProcAddress.KERNEL32(00000000,FB7C34E6), ref: 00734BE1

Part of subcall function 00785778: _memset.LIBCMT ref: 007857A7
Part of subcall function 00785778: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 007857B8
Part of subcall function 00785778: PathAppendW.SHLWAPI(?,Logs\accelerator), ref: 007857C7

Strings

poda32.dll, xrefs: 00734BC9
pobus32.dll, xrefs: 00734BB3
FB7C34E6, xrefs: 00734BDB
poda64.dll, xrefs: 00734BD4
pobus64.dll, xrefs: 00734BBE

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: HandleModule$AddressAppendDirectoryPathProcWindows_memset
String ID: FB7C34E6$pobus32.dll$pobus64.dll$poda32.dll$poda64.dll
API String ID: 3762593170-2537450736
Opcode ID: e948f6c79e49e338b805d1a9e21470b9a7a4e339f5dbafd3c8ff15b6a083c2fb
Instruction ID: 881e26c75a5988d51253617dc996e8a922f037cbf2e17c71be54a3b7fe8c73a0
Opcode Fuzzy Hash: e948f6c79e49e338b805d1a9e21470b9a7a4e339f5dbafd3c8ff15b6a083c2fb
Instruction Fuzzy Hash: 23519DB1508341DFE714DF28C889B1BBBE8BB85700F04491EF595872A2D779E948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00782426 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 118comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00782430
CoInitialize.OLE32(00000000), ref: 0078246A
CoCreateInstance.OLE32(007BBD3C,00000000,00000001,007B971C,?), ref: 00782483
_memset.LIBCMT ref: 007824E3
PathFileExistsW.SHLWAPI(?,?,?,?,?), ref: 00782532
StrStrIW.SHLWAPI(?,\program files (x86)\,?,?,?), ref: 0078254D
_memset.LIBCMT ref: 00782569

Part of subcall function 00781C7F: StrStrIW.SHLWAPI(?,?), ref: 00781CB3
Part of subcall function 00781C7F: lstrcpynW.KERNEL32(?,?,00000104), ref: 00781CC9

PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?), ref: 00782595

Strings

\program files (x86)\, xrefs: 00782541, 0078257D
\program files\, xrefs: 00782578

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExistsFilePath_memset$CreateH_prolog3_InitializeInstancelstrcpyn
String ID: \program files (x86)\$\program files\
API String ID: 817452057-2186182958
Opcode ID: be47a22c2ffd33595823d79062d7df2810bcd6e12227793dbdf2c2090f3c5780
Instruction ID: d06d78d31e331afed0bcefb8e90ecc129289381a8e7ffc7c371459dc473f81b2
Opcode Fuzzy Hash: be47a22c2ffd33595823d79062d7df2810bcd6e12227793dbdf2c2090f3c5780
Instruction Fuzzy Hash: B3415EB0A44218DFDB20EF61CC4DE9A77B9AF84704F0041D9B509D7152DB799E91CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0075311D Relevance: 16.8, APIs: 11, Instructions: 325COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 00753168
IntersectRect.USER32(?,?,?), ref: 0075325D
IntersectRect.USER32(?,?,00000000), ref: 007532AB

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: IntersectRect
String ID:
API String ID: 481094312-0
Opcode ID: ad21facde136117d6e44919668051a31c5eb75ca07852ff762c339d245c0aae1
Instruction ID: f352ef81ea9c70705ac99a02e4e6913f8020cdeee295659d21244adf92dfd262
Opcode Fuzzy Hash: ad21facde136117d6e44919668051a31c5eb75ca07852ff762c339d245c0aae1
Instruction Fuzzy Hash: 3ED16831204245DFCB01DF64C888EEA77E6FF88345F0449A8FD859B261DB76EA19CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0074B52F Relevance: 16.6, APIs: 11, Instructions: 109COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0074B552
GetStockObject.GDI32(00000011), ref: 0074B562
GetObjectW.GDI32(00000000,?,00000000), ref: 0074B569
_wcsncpy.LIBCMT ref: 0074B576
CreateFontIndirectW.GDI32(00000000), ref: 0074B5AF
DeleteObject.GDI32 ref: 0074B5CB
DeleteObject.GDI32(00000380), ref: 0074B611
_memset.LIBCMT ref: 0074B656
SelectObject.GDI32(?,00000000), ref: 0074B670
GetTextMetricsW.GDI32(?,00000410), ref: 0074B67C
SelectObject.GDI32(?,?), ref: 0074B68B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Object$DeleteSelect_memset$CreateFontIndirectMetricsStockText_wcsncpy
String ID:
API String ID: 945672544-0
Opcode ID: 67da9a178d4d64c3c84d4c2e8a23fa6ce4325971dfa715c181f5a0dbbd3e2c02
Instruction ID: b3998998d86d24269d644df5cc114e94e23d33fba5a9880bbb59d4680059bd94
Opcode Fuzzy Hash: 67da9a178d4d64c3c84d4c2e8a23fa6ce4325971dfa715c181f5a0dbbd3e2c02
Instruction Fuzzy Hash: 40410270904388EFDB11DFB4DC09BDEBFF8AB09300F04801AEA95A7252C7789A15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00798AF4 Relevance: 16.6, APIs: 11, Instructions: 79windowstringCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00798AFE
SendDlgItemMessageW.USER32(?,00000321,0000000E,00000000,00000000), ref: 00798B1A
_malloc.LIBCMT ref: 00798B29

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

_memset.LIBCMT ref: 00798B3C
SendDlgItemMessageW.USER32(?,00000321,0000000D,-00000064,00000000), ref: 00798B4E
MessageBoxW.USER32(?,007C9638,00000000,00000010), ref: 00798B6E

Part of subcall function 0079B615: __lock.LIBCMT ref: 0079B633
Part of subcall function 0079B615: ___sbh_find_block.LIBCMT ref: 0079B63E
Part of subcall function 0079B615: ___sbh_free_block.LIBCMT ref: 0079B64D
Part of subcall function 0079B615: HeapFree.KERNEL32(00000000,?,007CCC68,0000000C,00746E35,?,007474B5,?,?,?,?,00747EC5,00000053,?,?,?), ref: 0079B67D
Part of subcall function 0079B615: GetLastError.KERNEL32(?,?,00747EC5,00000053,?,?,?,0073137A,?,B04868B4,?,?,?), ref: 0079B68E

SendDlgItemMessageW.USER32(?,00000321,000000B1,00000000,000000FF), ref: 00798B89
GetDlgItem.USER32(?,00000321), ref: 00798B94
SetFocus.USER32(00000000,?,?,?,?,00798C07,?), ref: 00798B9B
lstrcpynW.KERNEL32(?,00000000,?), ref: 00798BAD
EndDialog.USER32(?,00000001), ref: 00798BB6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ItemMessage$Send$Heap$AllocDialogErrorFocusFreeLastLongWindow___sbh_find_block___sbh_free_block__lock_malloc_memsetlstrcpyn
String ID:
API String ID: 1398144274-0
Opcode ID: 3142befa1ba7b2404857a3136bb6b2a2d074ed06333ad0351054bf55b46842bf
Instruction ID: 8849e39acf8b414cb018a031f8e71c5eab35136d36f357c32f8fbc36e999a0fc
Opcode Fuzzy Hash: 3142befa1ba7b2404857a3136bb6b2a2d074ed06333ad0351054bf55b46842bf
Instruction Fuzzy Hash: ED21D2B2200344BFDF205F91EC4AF973BACEF86711F044154FB11A51E1CBA9E801CA65

Uniqueness

Uniqueness Score: -1.00%

Function 00796C18 Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00796C22

Part of subcall function 007883FD: CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00788426
Part of subcall function 007883FD: GetHGlobalFromStream.OLE32(?,?), ref: 00788459
Part of subcall function 007883FD: GlobalLock.KERNEL32(?), ref: 00788463
Part of subcall function 007883FD: GlobalSize.KERNEL32(?), ref: 0078846F

Strings

POST, xrefs: 00796D64
GET, xrefs: 00796C5E
POST failed: %s, http code: %d, error: %s, xrefs: 00796E55
data, xrefs: 00796D85
GET failed: %s, http code: %d, error: %s, xrefs: 00796CFF
invalid response: %s, xrefs: 00796F5C
response code: %d %s, xrefs: 00797026

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Global$Stream$CreateFromH_prolog3_LockSize
String ID: GET$GET failed: %s, http code: %d, error: %s$POST$POST failed: %s, http code: %d, error: %s$data$invalid response: %s$response code: %d %s
API String ID: 3490692027-3015434781
Opcode ID: ff248d83bafe9eeb04553997bb39e4547a1ded326e58111612965a1cb457b335
Instruction ID: b1594a083cabba56a742ef89a97b65ccc9e26eb41ab112af41b722552165f3e0
Opcode Fuzzy Hash: ff248d83bafe9eeb04553997bb39e4547a1ded326e58111612965a1cb457b335
Instruction Fuzzy Hash: 96D14B72C10218DBEF25EBA4DC49ADDB7B8AF14304F104199E50AB7153EB38AF49DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0076CCEB Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0076CE5B
__wcstoi64.LIBCMT ref: 0076CE74

Strings

imm, xrefs: 0076CED2
thumbpushedimage, xrefs: 0076CDA6
thumbhotimage, xrefs: 0076CD56
thumbimage, xrefs: 0076CCFE
true, xrefs: 0076CF09
step, xrefs: 0076CE8D
thumbsize, xrefs: 0076CE14

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __wcstoi64
String ID: imm$step$thumbhotimage$thumbimage$thumbpushedimage$thumbsize$true
API String ID: 398114495-535450508
Opcode ID: e4928af2cae2e21b05d72b36d9d0b83cd6b1eca603f7880e370b6bf2cd0fd19b
Instruction ID: bb7e767eb9bde5ce2a65f5ed88c96e7cc04a50a25e3a73bb48e8507d8191eee0
Opcode Fuzzy Hash: e4928af2cae2e21b05d72b36d9d0b83cd6b1eca603f7880e370b6bf2cd0fd19b
Instruction Fuzzy Hash: F471E72271011296CB12AF38C9416B636A6AF30BA4B484675EC9BCF299F73BCD45C390

Uniqueness

Uniqueness Score: -1.00%

Function 00796164 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 162timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00796256
wnsprintfA.SHLWAPI ref: 00796297
PathFindFileNameW.SHLWAPI(00000000), ref: 007962DE

Strings

attach_name, xrefs: 0079631C
%04d-%02d-%02d %02d:%02d:%02d, xrefs: 0079628C
client_unique, xrefs: 00796195
data_time, xrefs: 0079622A, 007962B2
user_name, xrefs: 007961AE
attachment, xrefs: 00796388

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: FileFindLocalNamePathTimewnsprintf
String ID: %04d-%02d-%02d %02d:%02d:%02d$attach_name$attachment$client_unique$data_time$user_name
API String ID: 3579529655-3153199785
Opcode ID: 76ec62e921107777ee2f0c6c3fa40bca4d3a5d8f63cb9064833e378f296c3702
Instruction ID: 03b60126ee4577b05e1ae93a86cb94e05943dc7b4ab178ed055c1316ce449e77
Opcode Fuzzy Hash: 76ec62e921107777ee2f0c6c3fa40bca4d3a5d8f63cb9064833e378f296c3702
Instruction Fuzzy Hash: 3D618A31C15198EADB61F7A8C90EBDDBBB96F08300F5840D9B548A3282DB3C4F45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078617C Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 156windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00786186
_memset.LIBCMT ref: 007861B3
LoadIconW.USER32(?,?), ref: 007861C1

Part of subcall function 00798C9B: __EH_prolog3.LIBCMT ref: 00798CA2
Part of subcall function 00798C9B: DialogBoxIndirectParamW.USER32(?,00000000,?,00798BBE,-00000030), ref: 00798D5E

MessageBoxW.USER32(?,007C81E8,007BC428,00000010), ref: 0078639B

Strings

manageCfg, xrefs: 00786294
pswd, xrefs: 00786317
e0db72c158a7c82c08d868688263265f9dec1813, xrefs: 00786356
c7b6f156f689ab10d397df6461de7f6bd87f5ff6, xrefs: 0078626F
{'pswd':''}, xrefs: 007862CA

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: DialogH_prolog3H_prolog3_IconIndirectLoadMessageParam_memset
String ID: c7b6f156f689ab10d397df6461de7f6bd87f5ff6$e0db72c158a7c82c08d868688263265f9dec1813$manageCfg$pswd${'pswd':''}
API String ID: 341358064-3633196096
Opcode ID: fdccc1ae34d2f5de018d0b4eb237043ff939525e285cf8c7d5803c58aae6a23b
Instruction ID: 55c6bac3fecd3fab697c05419dbc6fce8b809cab35c0d332ddda8e48c0acf033
Opcode Fuzzy Hash: fdccc1ae34d2f5de018d0b4eb237043ff939525e285cf8c7d5803c58aae6a23b
Instruction Fuzzy Hash: 71517B7284126CEADF21EBA0CC4DBEDB7B8AF14300F1440D9E509A3182EB785F898F51

Uniqueness

Uniqueness Score: -1.00%

Function 007822B4 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 105stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007822FF
_memset.LIBCMT ref: 00782317

Part of subcall function 0078227C: lstrcpynW.KERNEL32(00001000,00000000,00001000,0078232D), ref: 00782290

GetOpenFileNameW.COMDLG32 ref: 0078236D
PathFindExtensionW.SHLWAPI(?), ref: 0078238E
PathFindExtensionW.SHLWAPI(?,.lnk), ref: 007823A1
lstrcmpiW.KERNEL32(00000000), ref: 007823A4

Part of subcall function 00782426: __EH_prolog3_GS.LIBCMT ref: 00782430
Part of subcall function 00782426: CoInitialize.OLE32(00000000), ref: 0078246A
Part of subcall function 00782426: CoCreateInstance.OLE32(007BBD3C,00000000,00000001,007B971C,?), ref: 00782483
Part of subcall function 00782426: _memset.LIBCMT ref: 007824E3
Part of subcall function 00782426: PathFileExistsW.SHLWAPI(?,?,?,?,?), ref: 00782532
Part of subcall function 00782426: StrStrIW.SHLWAPI(?,\program files (x86)\,?,?,?), ref: 0078254D
Part of subcall function 00782426: _memset.LIBCMT ref: 00782569

lstrcpynW.KERNEL32(?,?,00000104), ref: 007823E7

Strings

.lnk, xrefs: 00782394
X, xrefs: 0078230F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: _memset$Path$ExtensionFileFindlstrcpyn$CreateExistsH_prolog3_InitializeInstanceNameOpenlstrcmpi
String ID: .lnk$X
API String ID: 4132724601-3682976568
Opcode ID: fd402cf740b96831771cff7690f73b83827b04f6fffcb374d95b19b50f8ede55
Instruction ID: 61c15ec5bb2a5c35e455f4bcfd6a82e4cc642de479b0740a2b3fff3cb767ee11
Opcode Fuzzy Hash: fd402cf740b96831771cff7690f73b83827b04f6fffcb374d95b19b50f8ede55
Instruction Fuzzy Hash: DB411B71508389DBD720EF65D849A9BB7E8FF88301F40492EF698C3152EB38D9458B96

Uniqueness

Uniqueness Score: -1.00%

Function 007963C7 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98timeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007963D1
_memset.LIBCMT ref: 0079642A
GetLocalTime.KERNEL32(-000000A8), ref: 00796439
wnsprintfW.SHLWAPI ref: 00796490

Part of subcall function 0078D9A3: __EH_prolog3.LIBCMT ref: 0078D9AA

Strings

Software\projone\podlp\rptcache\pendings\, xrefs: 007964D3, 0079651E
CachedReport write register failed: %s.%s %d, xrefs: 0079651F
%04d-%02d-%02d %02d:%02d:%02d_%d_%08x, xrefs: 00796482
Global\{D36B0A68-AE78-4fa2-BD9C-05FD95224F52}, xrefs: 00796504

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_LocalTime_memsetwnsprintf
String ID: %04d-%02d-%02d %02d:%02d:%02d_%d_%08x$CachedReport write register failed: %s.%s %d$Global\{D36B0A68-AE78-4fa2-BD9C-05FD95224F52}$Software\projone\podlp\rptcache\pendings\
API String ID: 699482863-3899848512
Opcode ID: 2e8922432f0a843ed64229c58f0abeda6ffcd06e633db92cc9e253346bd7c527
Instruction ID: f88edac16392db73009d300433e65272a7254e36850b8c45ddc34441a70b544e
Opcode Fuzzy Hash: 2e8922432f0a843ed64229c58f0abeda6ffcd06e633db92cc9e253346bd7c527
Instruction Fuzzy Hash: 3D310571940158EADF60EBA4DD59FEA73B8AF08301F4041D6F649A3152DA3C9F84DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00774701 Relevance: 15.4, APIs: 10, Instructions: 411COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00774885
PtInRect.USER32(?,?,?), ref: 007748BE
PtInRect.USER32(?,?,?), ref: 00774B56
PtInRect.USER32(?,?,?), ref: 00774B85
PtInRect.USER32(?,?,?), ref: 00774BAA

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect
String ID:
API String ID: 400858303-0
Opcode ID: 61717dd5612bd822df21388984d8fd52ca8a938a8c4f9763d3292833d4db1a97
Instruction ID: b337bdda053fc7adbc2cce02ac15c92c13c3e0f926f0e0cc89f399ba755f2e4a
Opcode Fuzzy Hash: 61717dd5612bd822df21388984d8fd52ca8a938a8c4f9763d3292833d4db1a97
Instruction Fuzzy Hash: DC023671605A06DFDB28CF38C988BAAB7E5BF81385F14896CE1AF87150C779B851CB41

Uniqueness

Uniqueness Score: -1.00%

Function 007771C2 Relevance: 15.2, APIs: 10, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,007D8120,B04868B4), ref: 00777253
GetFileSize.KERNEL32(00000000,00000000), ref: 00777278
CloseHandle.KERNEL32(00000000), ref: 00777285
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007772A5
CloseHandle.KERNEL32(00000000), ref: 007772AC
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007773A1
GetFileSize.KERNEL32(00000000,00000000), ref: 007773B0
CloseHandle.KERNEL32(00000000), ref: 007773BD
ReadFile.KERNEL32(00000000,00000000,00000000,007D81AC,00000000), ref: 007773DD
CloseHandle.KERNEL32(00000000), ref: 007773E4

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$CloseHandle$CreateReadSize
String ID:
API String ID: 3664964396-0
Opcode ID: 2460487e729ff2f1f135a5807eebfab1154cd474379bf55f0635d6a5e2fe7f3f
Instruction ID: 4592194c7e0345b502fbd4281db44027a2bff19ac15bcf980372f704e01ed7ac
Opcode Fuzzy Hash: 2460487e729ff2f1f135a5807eebfab1154cd474379bf55f0635d6a5e2fe7f3f
Instruction Fuzzy Hash: 3C61E27150C341EFCB24AF24DC49E6ABBF8FB85354F108B2EF56592291DB388D00DA56

Uniqueness

Uniqueness Score: -1.00%

Function 0075F867 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0075F92D

Strings

menu, xrefs: 0075F9C9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect
String ID: menu
API String ID: 400858303-2097494675
Opcode ID: 5178e454cfb530ec63daf4aae36c9b686f29164846dbdffd1cbe71c03ad56373
Instruction ID: 635a8dfbe62bc6bbdc82c566cd4daa32c4977e172c5b64fed67e02d1f18603ad
Opcode Fuzzy Hash: 5178e454cfb530ec63daf4aae36c9b686f29164846dbdffd1cbe71c03ad56373
Instruction Fuzzy Hash: E3912670700602EFCB208F38C898FF8B7A6BF42312F148579E95997291CBADAC19D741

Uniqueness

Uniqueness Score: -1.00%

Function 0076656B Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 007666E3
LoadCursorW.USER32(00000000,00007F84), ref: 007666F0
SetCursor.USER32(00000000), ref: 007666F7

Strings

@, xrefs: 007667DA
headerclick, xrefs: 00766807

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Cursor$LoadRect
String ID: @$headerclick
API String ID: 2669548683-2283687668
Opcode ID: 7bf00ce3570d171e7071c515cafef66173e5fa675c53dbcd3a8e70ef6d3885ac
Instruction ID: 2b1f4e366c08db7097b1a709f1390a9a44ec6b2ba9982958b7250769df166049
Opcode Fuzzy Hash: 7bf00ce3570d171e7071c515cafef66173e5fa675c53dbcd3a8e70ef6d3885ac
Instruction Fuzzy Hash: 8F815DB16002028FDF109F38C889A6577A9AF45354F8889B9ED5B9B656DB39EC04CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0076D2EA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0076D34F
PtInRect.USER32(?,?,?), ref: 0076D3A3
PtInRect.USER32(?,?,?), ref: 0076D3F0
PtInRect.USER32(?,?,?), ref: 0076D462
LoadCursorW.USER32(00000000,00007F89), ref: 0076D483
SetCursor.USER32(00000000), ref: 0076D48A

Strings

link, xrefs: 0076D4A0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect$Cursor$Load
String ID: link
API String ID: 1264107634-917281265
Opcode ID: 5617c86fae527169040f892b4e2e5d57af180b01710c6660829a25cd8db5142b
Instruction ID: 259e3f41bfc5b91fc1bc2f527f46ac36b66ba4c8b1c2517346dacde28e2013a1
Opcode Fuzzy Hash: 5617c86fae527169040f892b4e2e5d57af180b01710c6660829a25cd8db5142b
Instruction Fuzzy Hash: 97618F30B10702DFD730CF64D488A69BBA5BF40314F144A2EE96797291EB79EC65CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0076F2EE Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,?,00000002), ref: 0076F406
MonitorFromWindow.USER32(?,00000001), ref: 0076F426
GetMonitorInfoW.USER32(00000000), ref: 0076F42D
MapWindowPoints.USER32(?,00000000,?,00000002), ref: 0076F480
GetParent.USER32(?), ref: 0076F4BA
GetParent.USER32(?), ref: 0076F4BF
ShowWindow.USER32(?,00000005), ref: 0076F4CA

Strings

(, xrefs: 0076F41F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$MonitorParentPoints$FromInfoShow
String ID: (
API String ID: 1723949065-3887548279
Opcode ID: d36d770bbb1abf748369e4aeb90a156ab0d428565c4aa573c403cff0b018c6a8
Instruction ID: 25d92269831d4ff0886274deac1cb803a95b081ce6e28e7fd00ae683d4f6c4dc
Opcode Fuzzy Hash: d36d770bbb1abf748369e4aeb90a156ab0d428565c4aa573c403cff0b018c6a8
Instruction Fuzzy Hash: EB71F775A002199FCF04CFA8C984AAEBBB2BF49310F158169E91ABB351DB75A901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 007967EC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103librarystringloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00796832
wnsprintfA.SHLWAPI ref: 0079684F

Part of subcall function 007965D2: lstrcmpA.KERNEL32(?,PoLogInfoA,-000000FC,00796860), ref: 007965E7

GetProcAddress.KERNEL32(00000000,00000000), ref: 0079686A
lstrcpyW.KERNEL32(007DBC38,?), ref: 007968FB
wvnsprintfW.SHLWAPI(?,00000800,-00000094,?), ref: 00796923

Strings

Po%s%s, xrefs: 00796844
Software\projone\podlp\rptcache\pendings\, xrefs: 00796813
LogErr, xrefs: 0079683F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressProc_memsetlstrcmplstrcpywnsprintfwvnsprintf
String ID: LogErr$Po%s%s$Software\projone\podlp\rptcache\pendings\
API String ID: 3667124596-3740059535
Opcode ID: dd24be5e6db391c927e48e9645a6919e910362339fe8ab0272a1f505e65bb4f9
Instruction ID: bfda28fd8c14e16945188db66d7ca6ef791fea2e273c229f6f14ddbb321a6733
Opcode Fuzzy Hash: dd24be5e6db391c927e48e9645a6919e910362339fe8ab0272a1f505e65bb4f9
Instruction Fuzzy Hash: 4C31627190429CEFDF10DFA4ED85EDE77B8EB04710F5041AAE655A3181DB786A88CF24

Uniqueness

Uniqueness Score: -1.00%

Function 00748158 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54libraryloadertimeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00748181
GetModuleHandleW.KERNEL32(User32.dll,?,?,00000000,?,00000000), ref: 0074819C
GetProcAddress.KERNEL32(00000000,UpdateLayeredWindow), ref: 007481AC
GetWindowLongW.USER32(?,000000EC), ref: 007481C3
SetTimer.USER32(?,00002000,0000000A,00000000), ref: 007481DE
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007481F1

Strings

User32.dll, xrefs: 00748197
UpdateLayeredWindow, xrefs: 007481A6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: LongWindow$AddressHandleModuleProcTimer
String ID: UpdateLayeredWindow$User32.dll
API String ID: 1931165603-1943222131
Opcode ID: be31937d797033c1f01dc1088510a17558e88d14622fd66a8fa439c697481170
Instruction ID: 6b747a0c5c6c9fe26da823efc6145e1f1f25db3b4d365dffc6d0c1a10f9f842e
Opcode Fuzzy Hash: be31937d797033c1f01dc1088510a17558e88d14622fd66a8fa439c697481170
Instruction Fuzzy Hash: 4A11E530240749ABEB7057759D08F5B36E9EB45710F14862AF761D21E1CF799801CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0076C2CF Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 239librarycomloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0076C2D6
LoadLibraryW.KERNEL32(?), ref: 0076C2FD
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0076C310
CoCreateInstance.OLE32(?,00000000,00000017,007BBC8C,?), ref: 0076C366

Strings

UIActiveX, xrefs: 0076C4B3
showactivex, xrefs: 0076C4C9
DllGetClassObject, xrefs: 0076C307

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressCreateH_prolog3InstanceLibraryLoadProc
String ID: DllGetClassObject$UIActiveX$showactivex
API String ID: 3305116791-1617538497
Opcode ID: 743a0e24a657f59e9b4470f29aa80a9762b1c670f0b29eea048d3ce8efe0bbb9
Instruction ID: 2a759f1e581527317b3c2f44e62dba3fe883a521d700931acd29da52aa27efae
Opcode Fuzzy Hash: 743a0e24a657f59e9b4470f29aa80a9762b1c670f0b29eea048d3ce8efe0bbb9
Instruction Fuzzy Hash: B59152B0A00216EFCB04DFA4C888EBEBBB9FF49714B104559F516EB354C779A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0073F410 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0073F48D
PathAppendW.SHLWAPI(?,-00000004,00000208,?,0000000F,00000000), ref: 0073F4D6
PathFileExistsW.SHLWAPI(?), ref: 0073F4F0
lstrcpynW.KERNEL32(?,?,00000208), ref: 0073F53C
PathAppendW.SHLWAPI(?,cache\kvstore), ref: 0073F54C
PathAppendW.SHLWAPI(?,-00000004), ref: 0073F56E

Strings

cache\kvstore, xrefs: 0073F49F, 0073F542

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Path$Append$ExistsFile_memsetlstrcpyn
String ID: cache\kvstore
API String ID: 1177685679-2105417475
Opcode ID: 2ee988ec78bd3fb1ee07fa6a6e52657b98db04ab59278a513b3b275285fdd8bf
Instruction ID: 2ff866170e91926106ee43aefd8a350bc78c898e8c949236a9c5986b511be8f3
Opcode Fuzzy Hash: 2ee988ec78bd3fb1ee07fa6a6e52657b98db04ab59278a513b3b275285fdd8bf
Instruction Fuzzy Hash: DD51AFB1904340DBEB10DF64D986B9BB7E4AF84744F00892DF64687252E779E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0078C683 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0078C68D
_localeconv.LIBCMT ref: 0078C6FB
_swscanf.LIBCMT ref: 0078C733

Part of subcall function 0078B5DE: __EH_prolog3_GS.LIBCMT ref: 0078B5E5

Strings

' is not a number., xrefs: 0078C799
%lf, xrefs: 0078C758, 0078C75B
Unable to parse token length, xrefs: 0078C6A9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_$_localeconv_swscanf
String ID: %lf$' is not a number.$Unable to parse token length
API String ID: 2780040302-2790277816
Opcode ID: 0495296373eab929d36221a7f192c8a092978d1458226c6e777c99f16770aed7
Instruction ID: ec8af9153dfa2e564a731aef841f309366f0f6f53a4393437f0309567556af8e
Opcode Fuzzy Hash: 0495296373eab929d36221a7f192c8a092978d1458226c6e777c99f16770aed7
Instruction Fuzzy Hash: 1D41E671950208EFDF12FBE4DC89EEE7779AF55300F144019F546AB242EB785A09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 007380E0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,00736267,00000000,B04868B4), ref: 007381E9
SHSetValueW.SHLWAPI(80000002,Software\projone\podlp\smpcache\,_onecli_lastSel,00000001,00000004,00000002,?,?,?,?,?,?,?,?,?,00736267), ref: 0073820A

Strings

btnCustomTools, xrefs: 00738139, 0073816D
_onecli_lastSel, xrefs: 007381FB
btnRuleTools, xrefs: 0073811E, 00738174, 007381B6, 007381DA
btnInternalToolsInfo, xrefs: 007380F9, 007381C3, 007381CE
Software\projone\podlp\smpcache\, xrefs: 00738200

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Valuelstrlen
String ID: Software\projone\podlp\smpcache\$_onecli_lastSel$btnCustomTools$btnInternalToolsInfo$btnRuleTools
API String ID: 799288031-3413603313
Opcode ID: 1d6bd8615cc361f96a2cd570edf33c92db56913c36090b2e16d68c3dd0a50069
Instruction ID: 0aca9fdc90dd9c786f128f66b947f30240db68a35ff143cb9996631dc5f3fe98
Opcode Fuzzy Hash: 1d6bd8615cc361f96a2cd570edf33c92db56913c36090b2e16d68c3dd0a50069
Instruction Fuzzy Hash: 1B31D771704304AFE75597648C86FABB695EB49700F008529F20AAB293CF7CED4283E3

Uniqueness

Uniqueness Score: -1.00%

Function 00782667 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000000), ref: 00782681
GetSystemMetrics.USER32(00000000), ref: 007826A8
GetSystemMetrics.USER32(00000001), ref: 007826AF
SHAppBarMessage.SHELL32(00000005,00000024), ref: 007826D3
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000005), ref: 00782776

Strings

$, xrefs: 007826B9
, xrefs: 0078273D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MetricsSystemWindow$MessageRect
String ID: $$
API String ID: 1304239863-182950533
Opcode ID: 24ac019af6f2acc89914896931f9e449d13c4554ef6b1339b0eac7b1c994d350
Instruction ID: 959a5cb050e89b76fa6f52c6efeabfcb26e4869621bc818ea64ecc9e1c9ba650
Opcode Fuzzy Hash: 24ac019af6f2acc89914896931f9e449d13c4554ef6b1339b0eac7b1c994d350
Instruction Fuzzy Hash: 2B41AF72A00209AFDF14DFF9C948BEEBFF1AF44711F148119EA05A7181D7789A06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0079667D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104librarystringloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007966D3
wnsprintfA.SHLWAPI ref: 007966F1

Part of subcall function 007965D2: lstrcmpA.KERNEL32(?,PoLogInfoA,-000000FC,00796860), ref: 007965E7

GetProcAddress.KERNEL32(00000000,00000000), ref: 0079670D
lstrcpyA.KERNEL32(007DBB30,?), ref: 00796786
wvnsprintfA.SHLWAPI(?,00000800,?,?), ref: 007967B1

Strings

Po%s%s, xrefs: 007966E5
LogInfo, xrefs: 007966E0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressProc_memsetlstrcmplstrcpywnsprintfwvnsprintf
String ID: LogInfo$Po%s%s
API String ID: 3667124596-1201488103
Opcode ID: 371a24aeac5aabb0513ee59ea84796da37d072fb2f42a9605eff523a2e464489
Instruction ID: 4d52403e617dc39319010648e5a1b2f1d3ff9c99fdf750523e27c493de879e9a
Opcode Fuzzy Hash: 371a24aeac5aabb0513ee59ea84796da37d072fb2f42a9605eff523a2e464489
Instruction Fuzzy Hash: C131A5B1108344EFDB20DB64EC85FAB77E8FB45714F408A2EF695821D1DB789908CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00740050 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00740084
GetModuleHandleW.KERNEL32(00000000,?,?,00000104,?,?,00000008), ref: 00740099

Part of subcall function 00780DB1: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?), ref: 00780DE9
Part of subcall function 00780DB1: lstrlenW.KERNEL32(?), ref: 00780DFA
Part of subcall function 00780DB1: lstrlenW.KERNEL32(?), ref: 00780E09
Part of subcall function 00780DB1: PathAppendW.SHLWAPI(?,007C7D9C), ref: 00780E29
Part of subcall function 00780DB1: PathAppendW.SHLWAPI(?,?), ref: 00780E33
Part of subcall function 00780DB1: lstrcpynW.KERNEL32(?,?,00000104), ref: 00780E4B

PathFileExistsW.SHLWAPI(?,?,00000008), ref: 007400AB
GetForegroundWindow.USER32(00000010,*g~b0R%,?,?,00000008), ref: 007400BD

Part of subcall function 00780F0F: wvnsprintfW.SHLWAPI(?,00000800,?,?), ref: 00780F39
Part of subcall function 00780F0F: MessageBoxW.USER32(?,?,007BC428,?), ref: 00780F4B

GetForegroundWindow.USER32(00000010,007BF7FC,?,?), ref: 0074012B

Strings

"%s" %s, xrefs: 007400F9
*g~b0R%, xrefs: 007400B6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Path$AppendFileForegroundModuleWindowlstrlen$ExistsHandleMessageName_memsetlstrcpynwvnsprintf
String ID: "%s" %s$*g~b0R%
API String ID: 2355160300-2559192472
Opcode ID: 8434eafda505f1823e21e5b528c0dce1ecdf56081fe42cb6234a65f837b06123
Instruction ID: 2600253798e3d950ccf431bb575cacad05b410a1167e846c2b53325ba2a080b3
Opcode Fuzzy Hash: 8434eafda505f1823e21e5b528c0dce1ecdf56081fe42cb6234a65f837b06123
Instruction Fuzzy Hash: 0E21E976644304ABCB10FBA5AC5EBAF73D4AB88710F44493DF74997251E73CD90883A2

Uniqueness

Uniqueness Score: -1.00%

Function 00795221 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00795228
std::_Lockit::_Lockit.LIBCPMT ref: 00795232

Part of subcall function 0078A01C: std::_Lockit::_Lockit.LIBCPMT ref: 0078A02A

std::bad_exception::bad_exception.LIBCMT ref: 00795281
__CxxThrowException@8.LIBCMT ref: 0079528F
std::locale::facet::_Incref.LIBCPMT ref: 0079529F
std::locale::facet::facet_Register.LIBCPMT ref: 007952A5

Strings

bad cast, xrefs: 00795279

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 3456076226-3145022300
Opcode ID: a069c69efc58452f1a8e81285c50d037787360113ec1b46c72d04babf4820a2c
Instruction ID: a14217c600dad417cd9f93cf7db5f5d0818576d5cccb0bb68b21073fa37f900a
Opcode Fuzzy Hash: a069c69efc58452f1a8e81285c50d037787360113ec1b46c72d04babf4820a2c
Instruction Fuzzy Hash: F8016172D41628EBCF15EBA4E81AAAD73747B40724F140229E5247B2D1EB3C9E00C796

Uniqueness

Uniqueness Score: -1.00%

Function 007956D6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007956DD
std::_Lockit::_Lockit.LIBCPMT ref: 007956E7

Part of subcall function 0078A01C: std::_Lockit::_Lockit.LIBCPMT ref: 0078A02A

std::bad_exception::bad_exception.LIBCMT ref: 00795736
__CxxThrowException@8.LIBCMT ref: 00795744
std::locale::facet::_Incref.LIBCPMT ref: 00795754
std::locale::facet::facet_Register.LIBCPMT ref: 0079575A

Strings

bad cast, xrefs: 0079572E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 3456076226-3145022300
Opcode ID: 9900c10f7599ae5188575e687915d3ab43faa49f5f859727412a0bbb8ee8f579
Instruction ID: fcdf652f983d49fc610b41b5bef04361f304d7250b24e88ed98cdc888ba106a0
Opcode Fuzzy Hash: 9900c10f7599ae5188575e687915d3ab43faa49f5f859727412a0bbb8ee8f579
Instruction Fuzzy Hash: 2A016132901928DBCF16EBA4ED4AAED73746B40720F150259E614BB2D1EB7C9E01C796

Uniqueness

Uniqueness Score: -1.00%

Function 00795774 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0079577B
std::_Lockit::_Lockit.LIBCPMT ref: 00795785

Part of subcall function 0078A01C: std::_Lockit::_Lockit.LIBCPMT ref: 0078A02A

std::bad_exception::bad_exception.LIBCMT ref: 007957D4
__CxxThrowException@8.LIBCMT ref: 007957E2
std::locale::facet::_Incref.LIBCPMT ref: 007957F2
std::locale::facet::facet_Register.LIBCPMT ref: 007957F8

Strings

bad cast, xrefs: 007957CC

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_std::locale::facet::facet_
String ID: bad cast
API String ID: 3456076226-3145022300
Opcode ID: 658232866110eed7445a1f750fa179906ab84e5eada26753553fd57845c6b57b
Instruction ID: 8daa723c30e15eaa67fa573536c5463fe9e07d70ce54c0450f1ae9d9bfeb0528
Opcode Fuzzy Hash: 658232866110eed7445a1f750fa179906ab84e5eada26753553fd57845c6b57b
Instruction Fuzzy Hash: 5C016132941629EBCF15EBA4EC4AAED73746B44764F150219E9107B2D1EB3C9E00C795

Uniqueness

Uniqueness Score: -1.00%

Function 00780A85 Relevance: 12.2, APIs: 8, Instructions: 207COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00780A8F
InitializeCriticalSection.KERNEL32(007DBE74,000000B8,00733F89,B04868B4,B04868B4,00000000,?,?,?,?,B04868B4,?,0000000F,00000000), ref: 00780AE4
GetFileAttributesExW.KERNEL32(?,00000000,-000000B4,000000B8,00733F89,B04868B4,B04868B4,00000000,?,?,?,?,B04868B4,?,0000000F,00000000), ref: 00780B07
EnterCriticalSection.KERNEL32(007DBE74,-000000B4,000000B8,00733F89,B04868B4,B04868B4,00000000,?,?,?,?,B04868B4,?,0000000F,00000000), ref: 00780BA5
LeaveCriticalSection.KERNEL32(007DBE74,-00000070,-00000024,-00000090,-00000030,?,?,?,?,B04868B4,?,0000000F,00000000), ref: 00780C3C

Part of subcall function 007829A5: __EH_prolog3.LIBCMT ref: 007829AC

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CriticalSection$AttributesEnterFileH_prolog3H_prolog3_InitializeLeave
String ID:
API String ID: 1351641723-0
Opcode ID: 139a11f8ef8b5e8c3ccd142cc976146ab58696b106753dcd7103a679ddc8620f
Instruction ID: 9a5756f7574b499c57fee9f68b901186b146b82b8e9fe8298961cf16d91356d0
Opcode Fuzzy Hash: 139a11f8ef8b5e8c3ccd142cc976146ab58696b106753dcd7103a679ddc8620f
Instruction Fuzzy Hash: 3C815A71900218DFDF25EFA4DC49BDDBBB5BF04300F108299E519A7292DB386A49DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00798BBE Relevance: 12.1, APIs: 8, Instructions: 78windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000002), ref: 00798BED
SendMessageW.USER32(?,00000080,00000001,?), ref: 00798C34
SendMessageW.USER32(?,00000080,00000000,?), ref: 00798C3F
SendDlgItemMessageW.USER32(?,00000321,000000C5,?,00000000), ref: 00798C59
SetDlgItemTextW.USER32(?,00000321,?), ref: 00798C66
GetDlgItem.USER32(?,00000321), ref: 00798C70
SetFocus.USER32(00000000), ref: 00798C77
SetWindowLongW.USER32(?,000000EB,?), ref: 00798C83

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ItemMessageSend$DialogFocusLongTextWindow
String ID:
API String ID: 4166416915-0
Opcode ID: 6e655feb44f8900e8c1fd5522710886bbda8998ba0f007ae476749f4345f8455
Instruction ID: adca1f94309498524ff85f5159c01c3ed8c5a4f0b3a12a8f72c81828d133e335
Opcode Fuzzy Hash: 6e655feb44f8900e8c1fd5522710886bbda8998ba0f007ae476749f4345f8455
Instruction Fuzzy Hash: 0621CD31101248BBDF615F50EC09FAB3B69EB02750F008155FB198A1A0DB7ADC92EBB5

Uniqueness

Uniqueness Score: -1.00%

Function 007571A6 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,00000000), ref: 007571C5
CreateRectRgnIndirect.GDI32(00000000), ref: 007571D5
CreateRectRgnIndirect.GDI32(00000000), ref: 007571DE
CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 007571F9
CombineRgn.GDI32(00014490,00014490,00750EA9,00000001), ref: 00757212
CombineRgn.GDI32(00014490,00014490,56038B00,00000001), ref: 0075721E
SelectClipRgn.GDI32(?,00014490), ref: 00757224
DeleteObject.GDI32(00750EA9), ref: 00757239

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CreateRect$ClipCombineIndirect$DeleteObjectRoundSelect
String ID:
API String ID: 3239266809-0
Opcode ID: b783341b9fcdc4211e614e5bfeaa819437ef1c5553bf842dcc4f8804352a16d8
Instruction ID: d1aefa5b1c34a813890e75a10faf11a1c9c8c3bd1ebade07a6f68caf342a1588
Opcode Fuzzy Hash: b783341b9fcdc4211e614e5bfeaa819437ef1c5553bf842dcc4f8804352a16d8
Instruction Fuzzy Hash: F911D372500209AFDF02EFA8DD84EEB7BB9FF48310B014551FE15E7220C675EA258BA1

Uniqueness

Uniqueness Score: -1.00%

Function 007468DF Relevance: 12.1, APIs: 8, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000C), ref: 007468F3
GetSystemMetrics.USER32(0000000B), ref: 007468FE
LoadImageW.USER32(00000000,00000065,00000001,-0000000F,?,00000000), ref: 00746912
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00746925
GetSystemMetrics.USER32(00000032), ref: 00746934
GetSystemMetrics.USER32(00000031), ref: 0074693F
LoadImageW.USER32(?,00000065,00000001,-0000000F,?,00000000), ref: 00746950
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0074695D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MetricsSystem$ImageLoadMessageSend
String ID:
API String ID: 530543073-0
Opcode ID: f2f48834b8872fa21feee123a6c11538fe734edadcfc520848cbb50d0dc49c5e
Instruction ID: a6311efc1ef478744c7d9fde58fcce725ebe1abd0b6a02381e558daa54edb5ed
Opcode Fuzzy Hash: f2f48834b8872fa21feee123a6c11538fe734edadcfc520848cbb50d0dc49c5e
Instruction Fuzzy Hash: D8016DB37907047AF5109778DC83F66B76DFB04B21F144302B374AE2E1DA96A9104A68

Uniqueness

Uniqueness Score: -1.00%

Function 00731460 Relevance: 12.0, APIs: 8, Instructions: 45filewindowCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000001,?,007312CD,00000000), ref: 00731480
SetLastError.KERNEL32(00000002,?,007312CD,00000000), ref: 0073148D
SetFileAttributesW.KERNEL32(00000001,00000000,?,007312CD,00000000), ref: 0073149E
DeleteFileW.KERNEL32(00000001,?,007312CD,00000000), ref: 007314A5
GetParent.USER32(00000001), ref: 007314B2
EnableWindow.USER32(00000000), ref: 007314B9
IsWindow.USER32(00000001), ref: 007314C3
PostMessageW.USER32(00000001,00000010,00000002,00000000), ref: 007314D7

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$AttributesWindow$DeleteEnableErrorLastMessageParentPost
String ID:
API String ID: 226735038-0
Opcode ID: b7492787fb347f65cd97d21ab8e4003ea7ea6c7d686b737612a05775cf0dc103
Instruction ID: 9e246e83bf91742c1e3da6819bd92bc0d062c1008c2a1de0b4a9cfdca6fb503b
Opcode Fuzzy Hash: b7492787fb347f65cd97d21ab8e4003ea7ea6c7d686b737612a05775cf0dc103
Instruction Fuzzy Hash: F501BC76540245AFEA108B68AC0CFAAB728BF06321F44C200F735971E2C73CE800DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0076C85C Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

valuechanged, xrefs: 0076C998, 0076C9F3, 0076CAED

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID:
String ID: valuechanged
API String ID: 0-4135814588
Opcode ID: 32b8b106496457c00f0f4f02ec0006eb840ad5e3853d56a412f01ec1e725afd3
Instruction ID: d140167ffbfe65808c507b18feb98cb350e48f57de05164c282e5d18ea8e4c19
Opcode Fuzzy Hash: 32b8b106496457c00f0f4f02ec0006eb840ad5e3853d56a412f01ec1e725afd3
Instruction Fuzzy Hash: 6CD1A6717006039FC719DE7CC998AB9F7A6BB85304F188229D99AD7245CB39BC54C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 0078C04B Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 259COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0078C055

Part of subcall function 0078D696: __EH_prolog3.LIBCMT ref: 0078D69D

Part of subcall function 0078D9A3: __EH_prolog3.LIBCMT ref: 0078D9AA

Part of subcall function 0078D396: __CxxThrowException@8.LIBCMT ref: 0078D3B8
Part of subcall function 0078D396: std::runtime_error::runtime_error.LIBCPMT ref: 0078D3C5

Part of subcall function 00787154: __EH_prolog3.LIBCMT ref: 0078715B

Part of subcall function 00789C83: __EH_prolog3.LIBCMT ref: 00789C8A

Strings

Missing '}' or object member name, xrefs: 0078C290
Duplicate key: ', xrefs: 0078C327
keylength >= 2^30, xrefs: 0078C2FD
Missing ',' or '}' in object declaration, xrefs: 0078C378
Missing ':' after object member name, xrefs: 0078C3A9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_Throwstd::runtime_error::runtime_error
String ID: Duplicate key: '$Missing ',' or '}' in object declaration$Missing ':' after object member name$Missing '}' or object member name$keylength >= 2^30
API String ID: 3684689185-466942808
Opcode ID: 949db4ced0fbb194ea096ae5a78508c471dbde1594e009a6334ca196edeb765d
Instruction ID: e68a8e439a514ffd7ae45585f2a2f9ac6478605556fea6cf6f5a37cabd69b759
Opcode Fuzzy Hash: 949db4ced0fbb194ea096ae5a78508c471dbde1594e009a6334ca196edeb765d
Instruction Fuzzy Hash: CDA17371D40258DADF12FBE4C88ABEDB778BF15300F148099E549B7182DB785A49CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00746012 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 218COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000002,00000002,?,00000002,?,?), ref: 00746230

Strings

Expected start-tag closing, xrefs: 0074626E
Expected end-tag start, xrefs: 00746276
Expected start tag, xrefs: 0074625A
Unmatched closing tag, xrefs: 00746282
Error parsing element name, xrefs: 00746262

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CharNext
String ID: Error parsing element name$Expected end-tag start$Expected start tag$Expected start-tag closing$Unmatched closing tag
API String ID: 3213498283-2540963027
Opcode ID: c6aaee34a5f08bb4e2bc02704bde2e85faad3b8c455d832fb07893ad6d21d6e9
Instruction ID: 51bd2d15f8f204bc8faa74973d1337098d1ac3df8aef2d7b722cbcf91a3556f5
Opcode Fuzzy Hash: c6aaee34a5f08bb4e2bc02704bde2e85faad3b8c455d832fb07893ad6d21d6e9
Instruction Fuzzy Hash: B671C171A00224EFCF21EF68C985A6A77F0FF07310B4181AAE5019F265D7B99D41CB93

Uniqueness

Uniqueness Score: -1.00%

Function 007362A0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 170COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(80000002,Software\projone\podlp\volatile\,ruleCleaned,?,?,?,B04868B4,?,00000000,00000008), ref: 007362FE

Strings

Software\projone\podlp\volatile\, xrefs: 007362E5
rulechktime, xrefs: 0073633A
ruleimporttime, xrefs: 0073634E
ruleCleaned, xrefs: 007362E0
Software\projone\podlp\, xrefs: 0073633F, 00736353

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Value
String ID: Software\projone\podlp\$Software\projone\podlp\volatile\$ruleCleaned$rulechktime$ruleimporttime
API String ID: 3702945584-3977685612
Opcode ID: dea8b68148a719baad805ccc034500fe0428435c62337fbc052f59de478bab10
Instruction ID: 46fd062ce11f0cc63b9fe5a181049266d8a794b33f55176a09801af97c2b2852
Opcode Fuzzy Hash: dea8b68148a719baad805ccc034500fe0428435c62337fbc052f59de478bab10
Instruction Fuzzy Hash: 9E518CB1908380EBE710DF55C881B5BF7E4BF84700F508A2EF69583252E778E904CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00796953 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 138COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0079695A

Part of subcall function 0078DC8C: __EH_prolog3.LIBCMT ref: 0078DC96

Strings

{'code':1}, xrefs: 007969AA
desc, xrefs: 00796A6A
code, xrefs: 00796A1E
options, xrefs: 00796AB3
info, xrefs: 00796A37

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3
String ID: code$desc$info$options${'code':1}
API String ID: 431132790-337168166
Opcode ID: 37e1cd30042e96b3f0175de05909cf360b99895c7ede04046f1ec2da94858757
Instruction ID: b28b8f42cc32e87a08533f9ee0fa9d2b8da911dcad0a5c51a835bc3664f26c6f
Opcode Fuzzy Hash: 37e1cd30042e96b3f0175de05909cf360b99895c7ede04046f1ec2da94858757
Instruction Fuzzy Hash: 5241C3B1804249EEDF01FBA0C84AADE7BB8AF05324F14815AF404B7282DB3C9F49D761

Uniqueness

Uniqueness Score: -1.00%

Function 0074AA92 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0074AAA3
SetFocus.USER32(?), ref: 0074AACB
GetTickCount.KERNEL32 ref: 0074AAFA
GetTickCount.KERNEL32 ref: 0074AB7C

Strings

killfocus, xrefs: 0074AB24
setfocus, xrefs: 0074ABA6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CountFocusTick
String ID: killfocus$setfocus
API String ID: 3897604831-1991930995
Opcode ID: d9e98b63bcec64efaff469ad96b2ecd05a7808689dc0dc57be7f2fb8de411dba
Instruction ID: 3dd3518452e6667d25f07b298e70216683a77b7cab04d5687ac6f76b186868e6
Opcode Fuzzy Hash: d9e98b63bcec64efaff469ad96b2ecd05a7808689dc0dc57be7f2fb8de411dba
Instruction Fuzzy Hash: 41318671644741AFD714CF24C898FAB7BE6EF84700F008D6DF69A97251CB79A848CB52

Uniqueness

Uniqueness Score: -1.00%

Function 007B2729 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindMITargetTypeInstance.LIBCMT ref: 007B277F

Part of subcall function 007B24CB: PMDtoOffset.LIBCMT ref: 007B255B

FindVITargetTypeInstance.LIBCMT ref: 007B2786
PMDtoOffset.LIBCMT ref: 007B2796
std::bad_exception::bad_exception.LIBCMT ref: 007B27BC
__CxxThrowException@8.LIBCMT ref: 007B27CA

Strings

Bad dynamic_cast!, xrefs: 007B27B4

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: FindInstanceOffsetTargetType$Exception@8Throwstd::bad_exception::bad_exception
String ID: Bad dynamic_cast!
API String ID: 3308565544-2956939130
Opcode ID: 3793fbf278f27467a719cd7ef4d8dd4c06e3c32bf0ca6eaee351385cda4fe787
Instruction ID: 5d63ba63e35ae0ecc036b277ed7e31c662d7090a5c8590aca4f7d3e6244e26d0
Opcode Fuzzy Hash: 3793fbf278f27467a719cd7ef4d8dd4c06e3c32bf0ca6eaee351385cda4fe787
Instruction Fuzzy Hash: 1B119D32A012099FCF14EE64D84ABEE77A0AF04761F244059F914A7292EE3CD902DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00746B22 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetPropW.USER32(?,WndX), ref: 00746B40
GetPropW.USER32(?,WndX), ref: 00746B66
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00746B87
SetPropW.USER32(?,WndX,00000000), ref: 00746B9F
DefWindowProcW.USER32(?,00000081,?,?), ref: 00746BC0

Strings

WndX, xrefs: 00746B3A, 00746B5F, 00746B64, 00746B9D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Prop$ProcWindow$Call
String ID: WndX
API String ID: 1029653574-1375107400
Opcode ID: 71e3b29ac660959cabcc76780b5a7ee2e9e7fc518e09d096793dc028937ad3d7
Instruction ID: a97100c7ac531ee23fbf20270c7eec139ae780055bc6808f764918cc85fafc40
Opcode Fuzzy Hash: 71e3b29ac660959cabcc76780b5a7ee2e9e7fc518e09d096793dc028937ad3d7
Instruction Fuzzy Hash: 8E2159B1600209EFCB219F61DD48EAB7BA9FF05721F108518FA5A97221C738DC20DF61

Uniqueness

Uniqueness Score: -1.00%

Function 007469E2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007469F2
GetClassInfoExW.USER32(00000000,00000000), ref: 00746A15
GetClassInfoExW.USER32(00000000,00000000), ref: 00746A2E
RegisterClassExW.USER32(00000030), ref: 00746A5A
GetLastError.KERNEL32(?,?), ref: 00746A65

Strings

0, xrefs: 00746A02

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Class$Info$ErrorLastRegister_memset
String ID: 0
API String ID: 3690237952-4108050209
Opcode ID: b77767ee046dc997439561e965974ad5f0d9f4dcacf8b38591cd6658c80f5531
Instruction ID: ec07d7498837c5a6550ec2b042c8b4bd421d3c3d3c0a273bcdf372c56b4a4f0e
Opcode Fuzzy Hash: b77767ee046dc997439561e965974ad5f0d9f4dcacf8b38591cd6658c80f5531
Instruction Fuzzy Hash: 30112E75B10608AFDB00EBA8D849FAE77FCAB49345F14C419E652E3250D778D9058B62

Uniqueness

Uniqueness Score: -1.00%

Function 007480C1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,00000004,00000000,00000000,00000000,0074C317,00000000,00000000,00000000,00000000,?,?,00000000,?,00000000), ref: 007480E0
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 007480F0
GetWindowLongW.USER32(?,000000EC), ref: 00748104
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00748132

Strings

SetLayeredWindowAttributes, xrefs: 007480EA
User32.dll, xrefs: 007480DB

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: LongWindow$AddressHandleModuleProc
String ID: SetLayeredWindowAttributes$User32.dll
API String ID: 1792074081-2510956139
Opcode ID: cbb410194801602dcfe4667e9260fc7cfc175d33a9d797f075737bbb4483bd2a
Instruction ID: 411eb29243d3fdd313492700b8b09ac78be6b014b035a0334f27784ce38c1552
Opcode Fuzzy Hash: cbb410194801602dcfe4667e9260fc7cfc175d33a9d797f075737bbb4483bd2a
Instruction Fuzzy Hash: 4E01D432204609ABDB651739CC4AFABFBD8AF90711F10862EF3A7D11E0CF7858018621

Uniqueness

Uniqueness Score: -1.00%

Function 0079EE46 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0079EE52

Part of subcall function 0079CEFB: __getptd_noexit.LIBCMT ref: 0079CEFE
Part of subcall function 0079CEFB: __amsg_exit.LIBCMT ref: 0079CF0B

__amsg_exit.LIBCMT ref: 0079EE72
__lock.LIBCMT ref: 0079EE82
InterlockedDecrement.KERNEL32(?), ref: 0079EE9F
InterlockedIncrement.KERNEL32(02A015C0), ref: 0079EECA

Strings

0d}, xrefs: 0079EEA9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: 0d}
API String ID: 4271482742-4094664608
Opcode ID: aead788d84b92fa36f90089ccf45d37bdd68130d35abe655f2564608cc2fae62
Instruction ID: 50e6e5b77ffd7aa644ed72b8f0fd0b6735195bc1126e06669d3c86eddf8bf84d
Opcode Fuzzy Hash: aead788d84b92fa36f90089ccf45d37bdd68130d35abe655f2564608cc2fae62
Instruction Fuzzy Hash: A0014072A41A25EBEF21EB69B80975AB7A0AF00B20F05411AF814672D0C73C6D81DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00776F3C Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 007771C2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,007D8120,B04868B4), ref: 00777253
Part of subcall function 007771C2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 007773A1
Part of subcall function 007771C2: GetFileSize.KERNEL32(00000000,00000000), ref: 007773B0
Part of subcall function 007771C2: CloseHandle.KERNEL32(00000000), ref: 007773BD

GdipImageGetFrameDimensionsCount.GDIPLUS(?,00000000), ref: 00776F69
GdipImageGetFrameDimensionsList.GDIPLUS(00000000,00000000,00000000,?,?,00000000), ref: 00776F9E
GdipImageGetFrameCount.GDIPLUS(00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00776FBE
GdipGetPropertyItemSize.GDIPLUS(00000000,00005100,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00776FEA
_malloc.LIBCMT ref: 00776FF9
GdipGetPropertyItem.GDIPLUS(00000000,00005100,00000000,00000000,00000000,00005100,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00777013

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Gdip$FileFrameImage$CountCreateDimensionsItemPropertySize$CloseHandleList_malloc
String ID:
API String ID: 2622832799-0
Opcode ID: 0206381364ebb68cb97d63597be7206003c00b0d9d658ba64402eb8077a7cfa7
Instruction ID: fd47345d4555b3a5edd545348ad3977e1a023c73a74ac2b4a7ac5a0f6417aaac
Opcode Fuzzy Hash: 0206381364ebb68cb97d63597be7206003c00b0d9d658ba64402eb8077a7cfa7
Instruction Fuzzy Hash: E241CA71A00A05FFDF14DB60C986BAEB7BAFF84340F148268E908A7151DF35AD60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00733380 Relevance: 9.1, APIs: 6, Instructions: 91filewindowCOMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,00000008,?,?), ref: 007333A2
DeleteFileW.KERNEL32(?), ref: 007333D9
_memset.LIBCMT ref: 007333EE
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004000), ref: 00733408
SHGetImageList.SHELL32(00000002,007B972C,?), ref: 00733420
DestroyIcon.USER32(?), ref: 0073345F

Part of subcall function 00780A3D: GetFileAttributesExW.KERNEL32(007333B4,00000000,?,?,?,?,?,?,?,?,?,?,007333B4,?), ref: 00780A5C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$AttributesDeleteDestroyExistsIconImageInfoListPath_memset
String ID:
API String ID: 2762979931-0
Opcode ID: aba6478dccbb1c1c14b8fc338c0dfdf7c036525442d80c80d80bd688f64a85b4
Instruction ID: b8e8f52bcf454628fc2ea7423b0e74bcb850cea49d3b6d6e5e13dedd5e4d4432
Opcode Fuzzy Hash: aba6478dccbb1c1c14b8fc338c0dfdf7c036525442d80c80d80bd688f64a85b4
Instruction Fuzzy Hash: 7121B4716043059FD620EF68AC8AE6FB3E8FBC8B14F00461DF65987191DB78990487A6

Uniqueness

Uniqueness Score: -1.00%

Function 0078091B Relevance: 9.1, APIs: 6, Instructions: 77stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,74E15EC0,?), ref: 0078093B
_memset.LIBCMT ref: 00780962
GetFileAttributesW.KERNEL32(?), ref: 0078097A
lstrcpyW.KERNEL32(?,?), ref: 007809A0
PathRemoveFileSpecW.SHLWAPI(?), ref: 007809AD
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000080,00000000), ref: 007809D8

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$AttributesCreatePathRemoveSpec_memsetlstrcpylstrlen
String ID:
API String ID: 522591791-0
Opcode ID: 42a360613545c3ad1d1777d978dc773f8034faded12b0fde6b8c663119400460
Instruction ID: 30b3bc72d86de946b02293ac0823be21b39cc371c1a3ea5f5d87561dafc695cb
Opcode Fuzzy Hash: 42a360613545c3ad1d1777d978dc773f8034faded12b0fde6b8c663119400460
Instruction Fuzzy Hash: CE2153B1A4021CEBDF50EB749C8DBED76BCAB04304F4085A5E316E3181DA789EC98B95

Uniqueness

Uniqueness Score: -1.00%

Function 0078528D Relevance: 9.1, APIs: 6, Instructions: 76memoryfileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00785294
GdipAlloc.GDIPLUS(00000010,00000008,007854B0,?,00000008,?,?,00733678,?,?,?,?,?,?,00000000), ref: 0078529B
GdipLoadImageFromFile.GDIPLUS(?,00000004,00000010,00000008,007854B0,?,00000008,?,?,00733678,?,?,?,?,?,?), ref: 007852B6
GdipAlloc.GDIPLUS(00000010,00000010,00000008,007854B0,?,00000008,?,?,00733678,?,?,?,?,?,?,00000000), ref: 007852E2
GdipSetPageUnit.GDIPLUS(?,00000002,00000010,00000010,00000008,007854B0,?,00000008,?,?,00733678,?,?,?,?,?), ref: 00785319
GdipDeleteGraphics.GDIPLUS(?,?,?,?,?,00000000), ref: 0078534C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Gdip$Alloc$DeleteFileFromGraphicsH_prolog3ImageLoadPageUnit
String ID:
API String ID: 4174166734-0
Opcode ID: 21690630283fe5a8bcbf2ad74e0f972d8f3326a94e41501594e92ce91910e01f
Instruction ID: e9d3933cb58f86f2597a58d67777e4169c58427a4591a955623b1027f2fd0acc
Opcode Fuzzy Hash: 21690630283fe5a8bcbf2ad74e0f972d8f3326a94e41501594e92ce91910e01f
Instruction Fuzzy Hash: A721C371680705EBEF11BBB4CC4B76E72A56F44341F140424F941EB283EFACAD019761

Uniqueness

Uniqueness Score: -1.00%

Function 0074D348 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,007313BF,?,00000000,00000000,?,00000000), ref: 0074D38D
LoadResource.KERNEL32(00000000,00000000,?,?,00000000,?,?,007313BF,?,00000000,00000000,?,00000000), ref: 0074D3A0
FreeResource.KERNEL32(00000000,?,?,00000000,?,?,007313BF,?,00000000,00000000,?,00000000), ref: 0074D3AD
SizeofResource.KERNEL32(00000000,00000000,?,?,00000000,?,?,007313BF,?,00000000,00000000,?,00000000), ref: 0074D3C4
LockResource.KERNEL32(00000000,00000000,?,?,00000000,?,?,007313BF,?,00000000,00000000,?,00000000), ref: 0074D3CC
FreeResource.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,007313BF,?,00000000,00000000,?,00000000), ref: 0074D3DE

Part of subcall function 00745A3C: _malloc.LIBCMT ref: 00745A60

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Resource$Free$FindLoadLockSizeof_malloc
String ID:
API String ID: 572625495-0
Opcode ID: b550e3222be17812ae0e900cb79c7fb0208faa2840816e4fb8871b8830871bfc
Instruction ID: ff552263c7a657ed5a1de9baf8140fa75069c86402363e15944b6fec2b889794
Opcode Fuzzy Hash: b550e3222be17812ae0e900cb79c7fb0208faa2840816e4fb8871b8830871bfc
Instruction Fuzzy Hash: A71190B1604606EB8F316F749C48DAE3B6CEF463507008629FEA6D3252DF3D8C118666

Uniqueness

Uniqueness Score: -1.00%

Function 007825D0 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007825D9
IsWindow.USER32(?), ref: 007825EA
IsWindow.USER32(00000000), ref: 007825F1
GetWindowRect.USER32(?,00000000), ref: 0078261C
GetWindowRect.USER32(00000000,00000000), ref: 00782623
MoveWindow.USER32(?,00000000,?,00000000,?,00000001), ref: 0078265A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 8ee6562efdced88a384f94983b3897874956219b4ed710d9740c56667c8e6409
Instruction ID: 2675301822289e07f8691c21f03d2bb666fef334d14e7103f023d368c43dfa3b
Opcode Fuzzy Hash: 8ee6562efdced88a384f94983b3897874956219b4ed710d9740c56667c8e6409
Instruction Fuzzy Hash: 3E11F972A1011AAFDB00DFB8CD89EEEBBB9EB48251F044525EA01F2154DA74AD058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00780DB1 Relevance: 9.1, APIs: 6, Instructions: 64stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?), ref: 00780DE9
lstrlenW.KERNEL32(?), ref: 00780DFA
lstrlenW.KERNEL32(?), ref: 00780E09
PathAppendW.SHLWAPI(?,007C7D9C), ref: 00780E29
PathAppendW.SHLWAPI(?,?), ref: 00780E33
lstrcpynW.KERNEL32(?,?,00000104), ref: 00780E4B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AppendPathlstrlen$FileModuleNamelstrcpyn
String ID:
API String ID: 2356946560-0
Opcode ID: 620024e70365fea59f020714a4e6052a7930dea3f0c65f19de9ba86299dd2242
Instruction ID: 3dbbf208b7bb7310bfa2cb730c99f017ab513891b6f689c037b51052d6da2ddc
Opcode Fuzzy Hash: 620024e70365fea59f020714a4e6052a7930dea3f0c65f19de9ba86299dd2242
Instruction Fuzzy Hash: C11130B294121CABCB10EF65DD48EDF73BCAF54700F1049A5A619D3150D674DA44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0077744A Relevance: 9.1, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,007D81AC,00000000,00000000,00000000,00777416,?,007D8120,00000000), ref: 00777453
GlobalLock.KERNEL32(00000000), ref: 0077745C
GlobalUnlock.KERNEL32(00000000), ref: 00777474
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00777488
GdipAlloc.GDIPLUS(00000010), ref: 00777492
GdipLoadImageFromStream.GDIPLUS(00000000,00000004,00000010), ref: 007774AB

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Global$AllocGdipStream$CreateFromImageLoadLockUnlock
String ID:
API String ID: 1747925419-0
Opcode ID: f3004767f0d44af3de158b7186f5efeee9a55ae53444ac7f3702155f8ebac5bc
Instruction ID: 53a5edc8c49a1af438afe94bbe9d15c9d3984a70b0aef9ada27e47134f67a963
Opcode Fuzzy Hash: f3004767f0d44af3de158b7186f5efeee9a55ae53444ac7f3702155f8ebac5bc
Instruction Fuzzy Hash: 3F11A172504202ABDB129FA4DC49F6ABBB9FF85381F108918F65887251EB3D9821CB65

Uniqueness

Uniqueness Score: -1.00%

Function 007805DA Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(00000000,00000007,000000FF,00000000,00000000,00000000,00000000,00000000,B04868B4,?,00000000,?,00733AD8,?,00000000,?), ref: 007805F8
WideCharToMultiByte.KERNEL32(00000000,?,00000000,?,00733AD8,?,00000000,?,?,?,00733C3E,?), ref: 00780601
_malloc.LIBCMT ref: 00780609

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

_memset.LIBCMT ref: 0078061D
GetACP.KERNEL32(00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00780633
WideCharToMultiByte.KERNEL32(00000000), ref: 00780636

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeap_malloc_memset
String ID:
API String ID: 2311837860-0
Opcode ID: 93a4ed7fecf798081ae2536dbd05014fc8d66b7fcb123b95fe61372a57c042cf
Instruction ID: 7952bcdf4ad7d8805ec89187d323639ece8e5f5e6b91bb21c3a9d24e768e1702
Opcode Fuzzy Hash: 93a4ed7fecf798081ae2536dbd05014fc8d66b7fcb123b95fe61372a57c042cf
Instruction Fuzzy Hash: 91F0C872548250BE9621AA66AC49C7BBFBCFAC7B74B10071DF27082190DA25D815C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 007A15BC Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 007A15E4

Part of subcall function 0079C19C: __getptd.LIBCMT ref: 0079C1AA
Part of subcall function 0079C19C: __getptd.LIBCMT ref: 0079C1B8

__getptd.LIBCMT ref: 007A15EE

Part of subcall function 0079CEFB: __getptd_noexit.LIBCMT ref: 0079CEFE
Part of subcall function 0079CEFB: __amsg_exit.LIBCMT ref: 0079CF0B

__getptd.LIBCMT ref: 007A15FC
__getptd.LIBCMT ref: 007A160A
__getptd.LIBCMT ref: 007A1615
_CallCatchBlock2.LIBCMT ref: 007A163B

Part of subcall function 0079C241: __CallSettingFrame@12.LIBCMT ref: 0079C28D

Part of subcall function 007A16E2: __getptd.LIBCMT ref: 007A16F1
Part of subcall function 007A16E2: __getptd.LIBCMT ref: 007A16FF

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 6abb5edf29e61c5433dbfa94702e78ac7e3e4153a0c61f06fe8c4bae13f9fa75
Instruction ID: edb4525f18d8e8ae249c9f9aeddf04ef37422cd17de7269cee5d30afd19dbfaf
Opcode Fuzzy Hash: 6abb5edf29e61c5433dbfa94702e78ac7e3e4153a0c61f06fe8c4bae13f9fa75
Instruction Fuzzy Hash: 211116B1C00209DFDF01EFA4E88AAAD7BB4FF08314F508169F855AB291DB389A119F50

Uniqueness

Uniqueness Score: -1.00%

Function 0074B4A0 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?), ref: 0074B4CF
GetTextMetricsW.GDI32(?,007DB814), ref: 0074B4DA
SelectObject.GDI32(?,00000000), ref: 0074B4E3
SelectObject.GDI32(?,?), ref: 0074B50C
GetTextMetricsW.GDI32(?,?), ref: 0074B515
SelectObject.GDI32(?,?), ref: 0074B521

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ObjectSelect$MetricsText
String ID:
API String ID: 3697559710-0
Opcode ID: a99d344086ca5d0416c140debd6c3135bda7b3e0c31421bd3d8622d32d362749
Instruction ID: 06d289c46e56bb9d66eb770160ae75a24b329167f347a5584bb1d2f285d9b513
Opcode Fuzzy Hash: a99d344086ca5d0416c140debd6c3135bda7b3e0c31421bd3d8622d32d362749
Instruction Fuzzy Hash: C3018036201206EFCF159F64DC44A95FBB9FF58345B11852AF25593220EB3A6D24DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00780516 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(00000000,00000003,000000FF,00000000,00000000,00000000,?,?,?,007339D6,?,00000000,00000003,?,?,00785549), ref: 00780531
MultiByteToWideChar.KERNEL32(00000000,?,?,007339D6,?,00000000,00000003,?,?,00785549,?), ref: 0078053A
_malloc.LIBCMT ref: 00780543

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

_memset.LIBCMT ref: 00780557
GetACP.KERNEL32(00000000,?,000000FF,00000000,00000000), ref: 00780569
MultiByteToWideChar.KERNEL32(00000000), ref: 0078056C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeap_malloc_memset
String ID:
API String ID: 2311837860-0
Opcode ID: b0052f4c74d374adf06cb89f4bee67d747f8dbba733a002ee70e5e6388e6202d
Instruction ID: 1dbd6c4bc10211789022a7601877f73d8fa1578c13d6b09482c32753322cfcb5
Opcode Fuzzy Hash: b0052f4c74d374adf06cb89f4bee67d747f8dbba733a002ee70e5e6388e6202d
Instruction Fuzzy Hash: DBF0C272949218BBDB10A6E5AC09EABB78CFB49360F100725BA14D2190DA29DE109BB4

Uniqueness

Uniqueness Score: -1.00%

Function 0076E978 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 288COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000000,?,?), ref: 0076E9C1

Strings

@, xrefs: 0076EA66

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect
String ID: @
API String ID: 400858303-2766056989
Opcode ID: 320a3cea08c897c200383ea30e71f52a8b089fb36398a8009fd9a5ff080267e3
Instruction ID: 649060d39ba0161d0829449d26390dcd509944a337fb2fa7b5e544d54b7c96bb
Opcode Fuzzy Hash: 320a3cea08c897c200383ea30e71f52a8b089fb36398a8009fd9a5ff080267e3
Instruction Fuzzy Hash: AAB13E753006018FDB15DF28C498AAA77E2BF85300F1985BDED4B9F256DB39E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00776757 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000000,?,?), ref: 007767A0

Strings

@, xrefs: 00776845

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect
String ID: @
API String ID: 400858303-2766056989
Opcode ID: e3946359636750e803d50c1e72dd0d039743204b1852a43915a4116e7dc5c541
Instruction ID: 33b7b6cf44beb026670a28e60383e9b599e4580392defe792839c4903878f6e5
Opcode Fuzzy Hash: e3946359636750e803d50c1e72dd0d039743204b1852a43915a4116e7dc5c541
Instruction Fuzzy Hash: C1B13C70200A018FCF04DF28C598AA977E6AF85344F09C5B9ED4EAF25ADB75EC05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0073C230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 217stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00785864: __EH_prolog3_GS.LIBCMT ref: 0078586E

_memset.LIBCMT ref: 0073C3C6

Part of subcall function 0073D140: std::_String_base::_Xlen.LIBCPMT ref: 0073D19C
Part of subcall function 0073D140: _memcpy_s.LIBCMT ref: 0073D1F6

Part of subcall function 0078E3B6: __EH_prolog3.LIBCMT ref: 0078E3C0

lstrcpyW.KERNEL32(?,-00000004), ref: 0073C476
SendMessageW.USER32(?,00000505,?,00000000), ref: 0073C509

Strings

depname, xrefs: 0073C3D5
depid, xrefs: 0073C32F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_MessageSendString_base::_Xlen_memcpy_s_memsetlstrcpystd::_
String ID: depid$depname
API String ID: 3271931949-2144967637
Opcode ID: 1b564669cfe8bf09d1dcf9cba9b6eabbc69f23650846630761e71207df4cb031
Instruction ID: d430f1256b6940ea223c291ec129d1d1abf8fb500c2eeb9e152e51ecedea7900
Opcode Fuzzy Hash: 1b564669cfe8bf09d1dcf9cba9b6eabbc69f23650846630761e71207df4cb031
Instruction Fuzzy Hash: 9C919FB1408380DFE731DF24C885B9BBBE8AF84300F44491DF59987252EB79A508CB53

Uniqueness

Uniqueness Score: -1.00%

Function 007717AF Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 007717B6

Part of subcall function 0079B5B0: _malloc.LIBCMT ref: 0079B5CA

Part of subcall function 00771C2B: __wcsicoll.LIBCMT ref: 00771C40

Strings

left, xrefs: 0077196A
align, xrefs: 0077196F
hl|, xrefs: 007717E0
<l|, xrefs: 007717D6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3__wcsicoll_malloc
String ID: <l|$align$hl|$left
API String ID: 1350217532-2434893885
Opcode ID: 78ea6caf51aa6ce779494dcc644fdde6ddfef3038bf688c096ccdadbd1b50624
Instruction ID: 13687b0f71a71e65d54147739f6f4020fdec6b54240fa5b768b4172a50d3c9da
Opcode Fuzzy Hash: 78ea6caf51aa6ce779494dcc644fdde6ddfef3038bf688c096ccdadbd1b50624
Instruction Fuzzy Hash: 8A615F70701642EFDB08DF78D488BA8FBA2BF45300F5442ADE559A7351CB766960CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00736E70 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

_onecli_lastSel, xrefs: 00737867
tlayToolContainer, xrefs: 00736EE5
vlayAccountPanel, xrefs: 00736EB4
Software\projone\podlp\smpcache\, xrefs: 0073786C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Exception@8FindInstanceOffsetTargetThrowTypestd::bad_exception::bad_exception
String ID: Software\projone\podlp\smpcache\$_onecli_lastSel$tlayToolContainer$vlayAccountPanel
API String ID: 960618624-3169965450
Opcode ID: f6fab94f6bea4131e4002c68ba9631ca2e46ca622d441693440bbd1a6ce46e9a
Instruction ID: 5e1f1e2c3498f8d2ffdc4dfdff6d951ab4953435ffe24172b6d609efc93cdf69
Opcode Fuzzy Hash: f6fab94f6bea4131e4002c68ba9631ca2e46ca622d441693440bbd1a6ce46e9a
Instruction Fuzzy Hash: DF5183B1548384EEE774AB648D4AF9FB6E8EF84304F00492EF58D57282DB796504C763

Uniqueness

Uniqueness Score: -1.00%

Function 007352B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 126windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000502,?,00000000), ref: 00735418
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00735424

Strings

lstRemove, xrefs: 007353AF
itemclick, xrefs: 00735373
lstModify, xrefs: 007353E2

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MessagePost
String ID: itemclick$lstModify$lstRemove
API String ID: 410705778-4189857778
Opcode ID: 4859392c16d8573029c0d452ebc9180969241eb010c151a5034b6199d0cc262c
Instruction ID: 728ff3f97b206aa96640993fe55de5cdd98996d49e1b29dca7f1e97f2c407ed2
Opcode Fuzzy Hash: 4859392c16d8573029c0d452ebc9180969241eb010c151a5034b6199d0cc262c
Instruction Fuzzy Hash: B24192B1604741DFE724DB24CD45FA7B3E5FF99708F104A2CE6498B292E779A804CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0076D769 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 0076D7C4
__wcstoi64.LIBCMT ref: 0076D7DD

Strings

columns, xrefs: 0076D805
itemsize, xrefs: 0076D77C
childvpadding, xrefs: 0076D84E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __wcstoi64
String ID: childvpadding$columns$itemsize
API String ID: 398114495-1858099967
Opcode ID: 84b8e7789ea5cef5195f723f5c1dc328314d17d82068d128ae1034eae5876acb
Instruction ID: cae5babf4f11e870ae668c3fffca775dbfa26da540b2121b3dcbff4b662a1369
Opcode Fuzzy Hash: 84b8e7789ea5cef5195f723f5c1dc328314d17d82068d128ae1034eae5876acb
Instruction Fuzzy Hash: B041B621B20203DADB20AF38C845AB673A69F71B64B584679EC06CB195F73BDD45C392

Uniqueness

Uniqueness Score: -1.00%

Function 0075CD49 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0075CBA1: _memset.LIBCMT ref: 0075CBBE
Part of subcall function 0075CBA1: GetObjectW.GDI32(00000000,0000005C,?), ref: 0075CBE1
Part of subcall function 0075CBA1: GetDeviceCaps.GDI32(?,0000005A), ref: 0075CC21

_memset.LIBCMT ref: 0075CD82
LoadLibraryW.KERNEL32(msftedit.dll), ref: 0075CE06
GetProcAddress.KERNEL32(00000000,CreateTextServices), ref: 0075CE16

Strings

msftedit.dll, xrefs: 0075CE01
CreateTextServices, xrefs: 0075CE10

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: _memset$AddressCapsDeviceLibraryLoadObjectProc
String ID: CreateTextServices$msftedit.dll
API String ID: 4046179195-260715840
Opcode ID: e3e64719ba4237928d83305913362a71c9ae0f743a3c860e42b86a3db3fd1957
Instruction ID: e81b3f59cd61eae35cf7ad4463b223a499c8372f06275368be234914b726e764
Opcode Fuzzy Hash: e3e64719ba4237928d83305913362a71c9ae0f743a3c860e42b86a3db3fd1957
Instruction Fuzzy Hash: BE317C71200701AFD721CF65D88AB92BBF8FF48B41F10452DE94ADB240DBB8E549CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076A809 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 0076A835
CreateWindowExW.USER32(00000000,SysDateTimePick32,00000000,50000000,00000000,00000000,00000000,00000000,?,00001911,00000000,00000000), ref: 0076A8A9
SendMessageW.USER32(?,00001002,00000000,?), ref: 0076A8C8
SetWindowPos.USER32(?,00000000,?,?,?,?,00000040), ref: 0076A8EB

Strings

SysDateTimePick32, xrefs: 0076A8A3

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$CreateMessageSendShow
String ID: SysDateTimePick32
API String ID: 3165722030-1405039312
Opcode ID: e32671aa07b32dee056f773e3cf76c17dfbdbebd46bbfd084063d0f86dbc36e7
Instruction ID: e86227910bc4ca5ef0f65cb10051c70504897032da144bf12b340abf3bd8d69b
Opcode Fuzzy Hash: e32671aa07b32dee056f773e3cf76c17dfbdbebd46bbfd084063d0f86dbc36e7
Instruction Fuzzy Hash: 08312C35600211AFDF119F68CC88F9B7FB9EF46351F0445B5FE0AAB252CA389845CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00785365 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90filestringCOMMON

Download Yara Rule

APIs

PathFindExtensionW.SHLWAPI(?), ref: 00785389
lstrcmpiW.KERNEL32(00000002,00000000), ref: 007853AF
SetLastError.KERNEL32(0000065E), ref: 007853CA
GdipSaveImageToFile.GDIPLUS(?,?,?,?), ref: 00785423

Strings

d, xrefs: 00785382

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ErrorExtensionFileFindGdipImageLastPathSavelstrcmpi
String ID: d
API String ID: 1325332945-2564639436
Opcode ID: 11761b0d32f43469ed8fded65ee64bedbe2f34e54a7e4d951d8cabce5dc9019a
Instruction ID: 53f180a56300fadfa0f85c0bf67e3d7098009039e43c7073abdd6a93f562961f
Opcode Fuzzy Hash: 11761b0d32f43469ed8fded65ee64bedbe2f34e54a7e4d951d8cabce5dc9019a
Instruction Fuzzy Hash: 4A21E732941609AFCB11EF64DD44AEE77FAEF45394F504026E906E7110DBB99D41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00733070 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00733094
_malloc.LIBCMT ref: 007330A6

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

GdipGetImageEncoders.GDIPLUS(?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 007330BB
lstrcmpiW.KERNEL32(00000000,image/png,00000000,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 007330DC

Strings

image/png, xrefs: 007330D6

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: EncodersGdipImage$AllocHeapSize_malloclstrcmpi
String ID: image/png
API String ID: 3194904807-2966254431
Opcode ID: c99a7622de08615e6ff5663de52d260563f8321608379872b53c31a9b923df17
Instruction ID: 23dd64f8e4616f1556a1b8bf90bbddc8deb4ad7898103f74347a3744b9f5baea
Opcode Fuzzy Hash: c99a7622de08615e6ff5663de52d260563f8321608379872b53c31a9b923df17
Instruction Fuzzy Hash: 7D21B5726443159BDB20DF18B94099BB7D8EF84750F44492EFC8597302D739EA09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00766F44 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__wcstoi64.LIBCMT ref: 00766F9B
__wcstoi64.LIBCMT ref: 00766FAF
__wcstoi64.LIBCMT ref: 00766FC3
__wcstoi64.LIBCMT ref: 00766FD7

Strings

textpadding, xrefs: 00766F50

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __wcstoi64
String ID: textpadding
API String ID: 398114495-3914030718
Opcode ID: e0786c2f95d6eed453eedff9e9d1119091c441b7b16064593c14a1901b9355fc
Instruction ID: dead796327e51509f85258a92c15ded9552e8641b1bc84eab16fc7569a2e95c2
Opcode Fuzzy Hash: e0786c2f95d6eed453eedff9e9d1119091c441b7b16064593c14a1901b9355fc
Instruction Fuzzy Hash: 63217F72900108BADB10AF68DC41EEA7BB9EF65354F808525FD0AEB155E739EA44C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 007883FD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00788426
GetHGlobalFromStream.OLE32(?,?), ref: 00788459
GlobalLock.KERNEL32(?), ref: 00788463
GlobalSize.KERNEL32(?), ref: 0078846F

Strings

memory expection, xrefs: 0078848C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Global$Stream$CreateFromLockSize
String ID: memory expection
API String ID: 3378530493-1431834357
Opcode ID: e78b1a5131e3f115e5e7f4879fe8c94efe276752a3141735a509c2de779fdcd2
Instruction ID: 0a4966ea44cc8d45f592ca69a27c95dfbeaf91b9ae82cb92cc2e04cd29f58840
Opcode Fuzzy Hash: e78b1a5131e3f115e5e7f4879fe8c94efe276752a3141735a509c2de779fdcd2
Instruction Fuzzy Hash: 9C116272544386EBC720EF94DC8486E7BE8EF44310F44492DFAA587251DB399C048B53

Uniqueness

Uniqueness Score: -1.00%

Function 0078A38B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078A395
__CxxThrowException@8.LIBCMT ref: 0078A3A3

Strings

ios_base::eofbit set, xrefs: 0078A3F7
ios_base::failbit set, xrefs: 0078A3E1
ios_base::badbit set, xrefs: 0078A3B2

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Exception@8H_prolog3Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3670251406-1866435925
Opcode ID: afc498f993a12de3f162cc731f5cefb74273d04d06dfd3d63ba6660244fb4267
Instruction ID: 3f4954a768a936bec9f25349ad68df2e6fca76714484c2b22f897cde94c0db26
Opcode Fuzzy Hash: afc498f993a12de3f162cc731f5cefb74273d04d06dfd3d63ba6660244fb4267
Instruction Fuzzy Hash: C0012DB2980208FEEB01EBD0CC86FDD7378AB04B10F14946EA545BA442DB7D9A45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0079F5D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0079F5E4

Part of subcall function 0079CEFB: __getptd_noexit.LIBCMT ref: 0079CEFE
Part of subcall function 0079CEFB: __amsg_exit.LIBCMT ref: 0079CF0B

__getptd.LIBCMT ref: 0079F5FB
__amsg_exit.LIBCMT ref: 0079F609
__lock.LIBCMT ref: 0079F619

Strings

`i}, xrefs: 0079F626

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: `i}
API String ID: 3521780317-756928349
Opcode ID: 6ef47757e352884af0eba4092caa8082a231f1c038fda10f2afa3ab3a2bc13e4
Instruction ID: f719bd917661f31d1393acdffbf79f1b6a1f928d4408d768acae3b75e3bdd783
Opcode Fuzzy Hash: 6ef47757e352884af0eba4092caa8082a231f1c038fda10f2afa3ab3a2bc13e4
Instruction Fuzzy Hash: DFF03031A01B00CBDF21FBA4B40B75973A0AF00724F558129E451EB2E1DB3C9D418B52

Uniqueness

Uniqueness Score: -1.00%

Function 007A12F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 007A1312

Part of subcall function 0079CEFB: __getptd_noexit.LIBCMT ref: 0079CEFE
Part of subcall function 0079CEFB: __amsg_exit.LIBCMT ref: 0079CF0B

__getptd.LIBCMT ref: 007A1323
__getptd.LIBCMT ref: 007A1331

Strings

MOC, xrefs: 007A1304
csm, xrefs: 007A130B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: abdfce7b939a86218f3d62704afb94b7a42bdaeb6956fe92d5af059ee0dc39e4
Instruction ID: 489ea1b924139a04161361515139a16782ee1b45811d56b2d0a979d1881705d0
Opcode Fuzzy Hash: abdfce7b939a86218f3d62704afb94b7a42bdaeb6956fe92d5af059ee0dc39e4
Instruction Fuzzy Hash: B2E04F75510204CFEF20AB68D04AB683799EB8A314FD501E1E58DC7662C73CD8409546

Uniqueness

Uniqueness Score: -1.00%

Function 0078156D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetTickCount64,00787927,0000004C,0073447D,00000000,00734700), ref: 00781577
GetProcAddress.KERNEL32(00000000), ref: 0078157E
GetTickCount.KERNEL32 ref: 0078158A

Strings

GetTickCount64, xrefs: 0078156D
kernel32.dll, xrefs: 00781572

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressCountHandleModuleProcTick
String ID: GetTickCount64$kernel32.dll
API String ID: 1545651562-915290683
Opcode ID: 8c602e377b3176c262fd75f475a834d86505f78dd7c682024e23451aaf4de828
Instruction ID: 6d68d379f571e778a03ca85c2dae88bb8f4394091be65347c52d08e3cbb2f67b
Opcode Fuzzy Hash: 8c602e377b3176c262fd75f475a834d86505f78dd7c682024e23451aaf4de828
Instruction Fuzzy Hash: 2BC080B0744209D78B0417B55C0DF0637196D44702344C99CB312C0094CE7C8011DE19

Uniqueness

Uniqueness Score: -1.00%

Function 0077318C Relevance: 7.6, APIs: 5, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 007731FB
GetLocalTime.KERNEL32(?,?), ref: 00773236
SendMessageW.USER32(00000000,00001002,00000000,?), ref: 0077324C
ShowWindow.USER32(00000000,00000004), ref: 00773257
SetFocus.USER32(00000000), ref: 00773260

Part of subcall function 0074BA7B: __itow.LIBCMT ref: 0074BAA3
Part of subcall function 0074BA7B: SelectObject.GDI32(?,00000000), ref: 0074BAFB
Part of subcall function 0074BA7B: GetTextMetricsW.GDI32(?,00000000), ref: 0074BB09
Part of subcall function 0074BA7B: SelectObject.GDI32(?,?), ref: 0074BB14

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MessageObjectSelectSend$FocusLocalMetricsShowTextTimeWindow__itow
String ID:
API String ID: 1885546232-0
Opcode ID: f5f3b65949090032f93308208310638e570e0c31c700a27b33a49c86e7e397d0
Instruction ID: 6d67dc1f229b88598ce926bc0cbfeb4a8756b62bf1e24a0c8fb59dddb783639d
Opcode Fuzzy Hash: f5f3b65949090032f93308208310638e570e0c31c700a27b33a49c86e7e397d0
Instruction Fuzzy Hash: 51215A71600200EFDF11DF68CD89F9A3BA5BF49305F0484A4FA199F2A6CB79D954CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0075A02A Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0075A085
SetTextColor.GDI32(?,?), ref: 0075A0A8

Part of subcall function 0074B8B5: __itow.LIBCMT ref: 0074B8DF

SelectObject.GDI32(?,00000000), ref: 0075A0C3
DrawTextW.USER32(?,?,000000FF,?,?), ref: 0075A0D9
SelectObject.GDI32(?,00000000), ref: 0075A0E3

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ObjectSelectText$ColorDrawMode__itow
String ID:
API String ID: 2874764285-0
Opcode ID: 7d305fb14efb1378da99cb893e0f4dc50b3adb7d4e71fadc6b31f243a03d9360
Instruction ID: 015bdc094bd621141b6aa036e4e55392376d30bbf03a6a8d3b8d867631040e0a
Opcode Fuzzy Hash: 7d305fb14efb1378da99cb893e0f4dc50b3adb7d4e71fadc6b31f243a03d9360
Instruction Fuzzy Hash: C9213C72A00118ABDF049FA9DD859EDBBB9FF49311F144229FA21B32A1DB359D05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00735530 Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000080,00000000), ref: 007355AE
GetParent.USER32(?), ref: 007355C1
GetParent.USER32(?), ref: 007355C8
ShowWindow.USER32(?,00000005), ref: 007355D2
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 007355E2

Part of subcall function 007469E2: _memset.LIBCMT ref: 007469F2
Part of subcall function 007469E2: GetClassInfoExW.USER32(00000000,00000000), ref: 00746A15
Part of subcall function 007469E2: GetClassInfoExW.USER32(00000000,00000000), ref: 00746A2E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ClassInfoParentWindow$CreateMessageSendShow_memset
String ID:
API String ID: 743802084-0
Opcode ID: b65d0863dad4e68a510f1e8e7d2c58cd2f30cf79b4a464b9c82cb4e2f5306665
Instruction ID: 7dc9ef48e1cc3e95c5ff873172129ce97dc8c889040fa7443d240572abed7f8a
Opcode Fuzzy Hash: b65d0863dad4e68a510f1e8e7d2c58cd2f30cf79b4a464b9c82cb4e2f5306665
Instruction Fuzzy Hash: 9D117231340601ABE220DB58CD85F2B77EAEF89710F258158FA5597381DB25FC01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00780E69 Relevance: 7.6, APIs: 5, Instructions: 70fileCOMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,00000010,00000008,00000000,0073A8F4,?,?,?,?,?,?), ref: 00780E76
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,?), ref: 00780EA1
DeleteFileW.KERNEL32(?,?,?,?), ref: 00780EBB

Part of subcall function 0078091B: lstrlenW.KERNEL32(?,74E15EC0,?), ref: 0078093B
Part of subcall function 0078091B: _memset.LIBCMT ref: 00780962
Part of subcall function 0078091B: GetFileAttributesW.KERNEL32(?), ref: 0078097A

WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 00780EDD
CloseHandle.KERNEL32(00000000), ref: 00780F04

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$AttributesCloseCreateDeleteExistsHandlePathWrite_memsetlstrlen
String ID:
API String ID: 2329439398-0
Opcode ID: adc6b116e8b1c363c250352e8360b8ed96d86118c034f8a199810a3fe227502e
Instruction ID: 43b3383b70196ad45025657cb2cf3f2dda37c6a5f4d6318c1d752f7d710b32a3
Opcode Fuzzy Hash: adc6b116e8b1c363c250352e8360b8ed96d86118c034f8a199810a3fe227502e
Instruction Fuzzy Hash: 70117F7294010DAFDF60BF989CC8AAFBB7CEB45364B108669F721A2090D3784D499BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00746A7D Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00746A9A
GetWindowLongW.USER32(?,000000EB), ref: 00746AB9
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00746ADA
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00746AEA
DefWindowProcW.USER32(?,00000081,?,?), ref: 00746B16

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window$Long$Proc$Call
String ID:
API String ID: 1819824282-0
Opcode ID: b28d36c13cd5615967084f581c1eabe5a2929aba1938c32d1d6a7c9f315d5e29
Instruction ID: 653d31eae2d642086cd828667cee6bab7aff90eae02bcab780b8ee9007034717
Opcode Fuzzy Hash: b28d36c13cd5615967084f581c1eabe5a2929aba1938c32d1d6a7c9f315d5e29
Instruction Fuzzy Hash: E4219D71100614EFCF229F44DD08EAB7FB9EF45721F10C609FA25A2261C3399820DF62

Uniqueness

Uniqueness Score: -1.00%

Function 007821E5 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?), ref: 0078220E
_memset.LIBCMT ref: 00782228
SHGetPathFromIDListW.SHELL32(?,?), ref: 00782237
lstrcpynW.KERNEL32(?,?,?), ref: 0078224C
CoTaskMemFree.OLE32(?), ref: 0078225C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: FolderFreeFromListLocationPathSpecialTask_memsetlstrcpyn
String ID:
API String ID: 3998010224-0
Opcode ID: 0903571f29209a5e2962561923169898f2058c37cd84113b587daf31d4bbf9f3
Instruction ID: 73711735197b97849c74206eb17d29678c3a4560089c1b4ca2217b29c58df7b2
Opcode Fuzzy Hash: 0903571f29209a5e2962561923169898f2058c37cd84113b587daf31d4bbf9f3
Instruction Fuzzy Hash: B101217194020CEFDB219FB4EC89FEE77B8BB04309F008129E615D2161EB799518CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00757141 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(?,00000000), ref: 00757160
CreateRectRgnIndirect.GDI32(00000000), ref: 00757170
CreateRectRgnIndirect.GDI32(?), ref: 00757179
CombineRgn.GDI32(00000000,00000000,?,00000001), ref: 00757185
SelectClipRgn.GDI32(?,?), ref: 0075718F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ClipCreateIndirectRect$CombineSelect
String ID:
API String ID: 4086972238-0
Opcode ID: 4f27843f01eb83cd4056b5c9a8475b7faaa883ac1d1844af19085b9e801bb77e
Instruction ID: 1e0d0df0780515db4423f4d33e1b515a7521ed987e874b7e2d7e52e665bfc54c
Opcode Fuzzy Hash: 4f27843f01eb83cd4056b5c9a8475b7faaa883ac1d1844af19085b9e801bb77e
Instruction Fuzzy Hash: 21012876800619ABDB01EFA8DC84ADBBBBDEF48210B014562FF01EB111D675DA058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 007895E4 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007895EB
curl_easy_init.LIBCURL32(00000024,00788C2F,?,00000000,000000FF,00788FD5,?,00000054), ref: 007895F9
curl_easy_escape.LIBCURL32(00000000,?,00000000,?,00000054), ref: 00789621
curl_free.LIBCURL32(00000000,00000000,?,?,?,?,?,00000054), ref: 0078963A
curl_easy_cleanup.LIBCURL32(00000000,?,?,?,?,?,00000054), ref: 00789641

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_curl_easy_cleanupcurl_easy_escapecurl_easy_initcurl_free
String ID:
API String ID: 1188370838-0
Opcode ID: 7172353cabf3a948b142088300956d0699787834abf144248aa9b62d01a661c9
Instruction ID: a27a6a719738b8a72eace262ea3f59b76d89cbc84ec20117edf1385e4ff318c3
Opcode Fuzzy Hash: 7172353cabf3a948b142088300956d0699787834abf144248aa9b62d01a661c9
Instruction Fuzzy Hash: 90018632900210DBEF15AB74EC99BED7374EF44321F148528FA12B7182EF3DAA048B95

Uniqueness

Uniqueness Score: -1.00%

Function 0079B615 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0079B633

Part of subcall function 0079DA2B: __mtinitlocknum.LIBCMT ref: 0079DA41
Part of subcall function 0079DA2B: __amsg_exit.LIBCMT ref: 0079DA4D
Part of subcall function 0079DA2B: EnterCriticalSection.KERNEL32(?,?,?,007A2FEE,00000004,007CD0A0,0000000C,0079EAA7,?,?,00000000,00000000,00000000,?,0079CEAD,00000001), ref: 0079DA55

___sbh_find_block.LIBCMT ref: 0079B63E
___sbh_free_block.LIBCMT ref: 0079B64D
HeapFree.KERNEL32(00000000,?,007CCC68,0000000C,00746E35,?,007474B5,?,?,?,?,00747EC5,00000053,?,?,?), ref: 0079B67D
GetLastError.KERNEL32(?,?,00747EC5,00000053,?,?,?,0073137A,?,B04868B4,?,?,?), ref: 0079B68E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 133a1967ed778b0c68a27082f0950f14ff49136c4946209277016d2143690012
Instruction ID: 63f5460be6d43aecada9f000a38e9152511814eb5e0343bad08456ba74a53964
Opcode Fuzzy Hash: 133a1967ed778b0c68a27082f0950f14ff49136c4946209277016d2143690012
Instruction Fuzzy Hash: 7C01AD31805305EADF30AB71BE0EB4E3BB4AF00B24F108159F504AA181DB3CAD40DA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0078AE25 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0078AE2F

Part of subcall function 0078D696: __EH_prolog3.LIBCMT ref: 0078D69D

Strings

Missing '}' or object member name, xrefs: 0078B031
Missing ',' or '}' in object declaration, xrefs: 0078B09E
Missing ':' after object member name, xrefs: 0078B0C3

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: Missing ',' or '}' in object declaration$Missing ':' after object member name$Missing '}' or object member name
API String ID: 3355343447-3980781130
Opcode ID: ba5d585b91f1459b269e298abe03c562cf8a6f2ec7d9aede4644d3d42ebf8c5a
Instruction ID: 80aad87a3b749403ffd6f0253861cf71d6856549336b38a2e4c32a70bb01bba9
Opcode Fuzzy Hash: ba5d585b91f1459b269e298abe03c562cf8a6f2ec7d9aede4644d3d42ebf8c5a
Instruction Fuzzy Hash: 35818571980208EEDF21FBA4C989BEEB778AF15300F14405AF555B7182DB3C5E89DB62

Uniqueness

Uniqueness Score: -1.00%

Function 007449B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00744A71
_memmove_s.LIBCMT ref: 00744A95

Part of subcall function 0073E030: std::exception::exception.LIBCMT ref: 0073E04F
Part of subcall function 0073E030: __CxxThrowException@8.LIBCMT ref: 0073E066

_memmove_s.LIBCMT ref: 00744B63

Part of subcall function 00745440: _memmove_s.LIBCMT ref: 00745458

Strings

Ht, xrefs: 00744AD1, 00744B49, 00744AFA, 00744B18, 00744A34, 00744A53, 00744A6D, 00744A6F, 00744A8E, 00744B5E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: _memmove_s$Exception@8Throwstd::exception::exception
String ID: Ht
API String ID: 2363822257-2348410036
Opcode ID: 4bf845d8ccca0dc2159a2517f0b2309283f59cb20f16e20b42844324ffc29d58
Instruction ID: 1c75d26ffa1000b64600ef5941419193b5952c023922417b5dcbed3752d5a835
Opcode Fuzzy Hash: 4bf845d8ccca0dc2159a2517f0b2309283f59cb20f16e20b42844324ffc29d58
Instruction Fuzzy Hash: 4B51E572B002028FDB18DE28C985A2B77A1FB84315F148A6DEC15CB34AE774ED15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 007686F8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 007687E8
PtInRect.USER32(?,?,?), ref: 00768825

Strings

itemclick, xrefs: 007688A0
itemdbclick, xrefs: 00768767

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect
String ID: itemclick$itemdbclick
API String ID: 400858303-530425747
Opcode ID: 3e455c6dd576f023f9d522a5da066621401848b2b10730e6dd99920f052f1568
Instruction ID: 83c50d2eee76b07bf013831ac79fd41353a709810bc03363690348aaf071c384
Opcode Fuzzy Hash: 3e455c6dd576f023f9d522a5da066621401848b2b10730e6dd99920f052f1568
Instruction Fuzzy Hash: 4651CD34710202DFDAA49F64C888EB9B3AAFF91340B584658E957DB351CF2DEC119B93

Uniqueness

Uniqueness Score: -1.00%

Function 00786016 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00781DAC: lstrlenW.KERNEL32(B04868B4,?,?,?,00786067,?,.exe,B04868B4), ref: 00781DCE
Part of subcall function 00781DAC: lstrlenW.KERNEL32(?,?,00786067,?,.exe,B04868B4), ref: 00781DD3
Part of subcall function 00781DAC: lstrcmpiW.KERNEL32(?,?,00786067,?,.exe,B04868B4), ref: 00781DE5

_memset.LIBCMT ref: 00786090

Strings

.exe, xrefs: 0078605C
.dll, xrefs: 0078606B
5.1., xrefs: 007860B0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: lstrlen$_memsetlstrcmpi
String ID: .dll$.exe$5.1.
API String ID: 1665792991-2789504256
Opcode ID: 4f2177e9e43dc595606794c30fb3c1e34bcf2d8bdfa91c404deb4026f070df30
Instruction ID: cfae37af066c7d64b672779bfbad085042db1d0dd42a5b0b3688755eb47e5849
Opcode Fuzzy Hash: 4f2177e9e43dc595606794c30fb3c1e34bcf2d8bdfa91c404deb4026f070df30
Instruction Fuzzy Hash: 9F31AFB2A84305EED710EB64D94EF5AB3E8EB44724F404929F505D3283EB38E905C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0078E0F2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078E0FC

Part of subcall function 0079163D: __EH_prolog3.LIBCMT ref: 00791644

Part of subcall function 007952BF: __EH_prolog3_catch.LIBCMT ref: 007952C6

Strings

double out of UInt64 range, xrefs: 0078E1A6
Value is not convertible to UInt64., xrefs: 0078E135
LargestInt out of UInt64 range, xrefs: 0078E1FB

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch
String ID: LargestInt out of UInt64 range$Value is not convertible to UInt64.$double out of UInt64 range
API String ID: 1670334802-900115960
Opcode ID: fc746c5337e38f0f647251df196dbca72fdb7afc23ae77f2139561193cfa3d71
Instruction ID: ae2485210e8a36afd338f204041bffa9883cd9958ded9791b7769f2f4734c077
Opcode Fuzzy Hash: fc746c5337e38f0f647251df196dbca72fdb7afc23ae77f2139561193cfa3d71
Instruction Fuzzy Hash: 4E31D3B1D4461EDDDF10FB60E80EBEDB7A8BB04300F64449AA049A3082DF3CAA85CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00785688 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0078568F

Part of subcall function 007854F7: __EH_prolog3.LIBCMT ref: 00785502

Strings

servHost, xrefs: 0078571C
servAddr, xrefs: 007856DA
activeServer, xrefs: 007856A1

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: activeServer$servAddr$servHost
API String ID: 3355343447-2893113291
Opcode ID: 9e1822001eea2cce43f3446e2cb2e39aff133aa8c9e662333f20462a25fc5870
Instruction ID: c2f17f67d7df03ff9fc25b8634efc98364d4aaaba994f888e9c6c1a6f4010e1d
Opcode Fuzzy Hash: 9e1822001eea2cce43f3446e2cb2e39aff133aa8c9e662333f20462a25fc5870
Instruction Fuzzy Hash: D4213071D49608DADF06FBE4D84A9EDB7B8AF04720F64801EF415B2082EF3C6645DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007A941E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 007A9440
__calloc_crt.LIBCMT ref: 007A9459

Strings

Pn}, xrefs: 007A9492
@n}, xrefs: 007A9470

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __calloc_crt
String ID: @n}$Pn}
API String ID: 3494438863-2097003810
Opcode ID: a82c660575e3c1a30f60e6c9b1e66575ac4908e45ac7ecfa33a71db8a0580e09
Instruction ID: 6002f0dc8682eef410bbee9f8c77d3529b366e6f20803835d3a65f7384dfa79e
Opcode Fuzzy Hash: a82c660575e3c1a30f60e6c9b1e66575ac4908e45ac7ecfa33a71db8a0580e09
Instruction Fuzzy Hash: C211A37120925197E7188A2DBC406A737A6FBCA764B64832BF311CB3A4E77CD8538644

Uniqueness

Uniqueness Score: -1.00%

Function 00796AEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60stringthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00796B03

Part of subcall function 00781DF9: wvnsprintfW.SHLWAPI(?,00002800,?,?), ref: 00781E33

lstrlenW.KERNEL32(?), ref: 00796B1E
SHDeleteValueW.SHLWAPI(80000002,Software\projone\podlp\volatile\lastError\,?), ref: 00796B76

Strings

Software\projone\podlp\volatile\lastError\, xrefs: 00796B3A, 00796B3F, 00796B6C

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CurrentDeleteThreadValuelstrlenwvnsprintf
String ID: Software\projone\podlp\volatile\lastError\
API String ID: 3369742540-193266801
Opcode ID: 774cb97bf9f707cf0e5a154d64d8f0312ba21fce09735844d2e4dd934f8aa662
Instruction ID: 6ee89156c84a68abd60f85fb7ebacb448f355a7898db47b2d5da81c228ea82fc
Opcode Fuzzy Hash: 774cb97bf9f707cf0e5a154d64d8f0312ba21fce09735844d2e4dd934f8aa662
Instruction Fuzzy Hash: 47113D71A0010DEBCF04EB98EC89DEFB7BCEB04315B608169F611A3142DB386A06CB74

Uniqueness

Uniqueness Score: -1.00%

Function 007815FD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0078162A
GetLocalTime.KERNEL32(?), ref: 00781636
wnsprintfA.SHLWAPI ref: 00781668

Strings

%04d-%02d-%02d %02d:%02d:%02d, xrefs: 0078165A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: LocalTime_memsetwnsprintf
String ID: %04d-%02d-%02d %02d:%02d:%02d
API String ID: 2823570691-4146437471
Opcode ID: 29bf1016fd93629153cc9dd3bf0aa1070e511ea998588968a29773b714d5126b
Instruction ID: 926a5a501733d58a432fa6892719f27c3c5f755ea20e63f74bac8698c18da98e
Opcode Fuzzy Hash: 29bf1016fd93629153cc9dd3bf0aa1070e511ea998588968a29773b714d5126b
Instruction Fuzzy Hash: F60121A1D0061C9FDB61DBE99C05EBE73FCAB0C704F404019BA59E7181E67D9644CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0078D257 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078D261
_malloc.LIBCMT ref: 0078D2AD

Part of subcall function 0079163D: __EH_prolog3.LIBCMT ref: 00791644

Part of subcall function 007952BF: __EH_prolog3_catch.LIBCMT ref: 007952C6

Part of subcall function 0078D410: __CxxThrowException@8.LIBCMT ref: 0078D432
Part of subcall function 0078D410: std::runtime_error::runtime_error.LIBCPMT ref: 0078D43F

Strings

in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer, xrefs: 0078D2B9
in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing, xrefs: 0078D284

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3$Exception@8H_prolog3_catchThrow_mallocstd::runtime_error::runtime_error
String ID: in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer$in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing
API String ID: 4153978278-1516562270
Opcode ID: b76b98c6f7983a50aad5b094d1284a15cfc90fe64f84254b14661f7e5ee57264
Instruction ID: 9926fc3425bf77ce23e238c774487edb51e3f8ab0aa46b1992afa5134a807ce5
Opcode Fuzzy Hash: b76b98c6f7983a50aad5b094d1284a15cfc90fe64f84254b14661f7e5ee57264
Instruction Fuzzy Hash: 29015272D40319EADF21FBA4D84AFCD77ACAF05354F918059F054A61C2DB3CAA488B72

Uniqueness

Uniqueness Score: -1.00%

Function 007A6726 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

`i}, xrefs: 007A677D
I^t, xrefs: 007A676B, 007A6774

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID:
String ID: I^t$`i}
API String ID: 0-2334518906
Opcode ID: 204e96bfedcca0cb997c409f55eb527756c5adc91b1b3513edf63e15fa82d990
Instruction ID: 773e0c09d43f854924e8fecee96a2602ad6907c1955cdcafe131f7d9f3f4f015
Opcode Fuzzy Hash: 204e96bfedcca0cb997c409f55eb527756c5adc91b1b3513edf63e15fa82d990
Instruction Fuzzy Hash: 73F0C276600208BACF119F90DC02BB93BB4EB90B48F04C126FD4AD91D1F2BADAD0D794

Uniqueness

Uniqueness Score: -1.00%

Function 00785778 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007857A7
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 007857B8
PathAppendW.SHLWAPI(?,Logs\accelerator), ref: 007857C7

Strings

Logs\accelerator, xrefs: 007857BE

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AppendDirectoryPathWindows_memset
String ID: Logs\accelerator
API String ID: 651767395-3914339143
Opcode ID: e9c8e6b69cf9d3f3d191cfbbeca4446cec8cd158ceb0c76a7321336a723f1dba
Instruction ID: a8fa291690abc90729a23ff42690aa54747e9c50be00197e144291d8907908ef
Opcode Fuzzy Hash: e9c8e6b69cf9d3f3d191cfbbeca4446cec8cd158ceb0c76a7321336a723f1dba
Instruction Fuzzy Hash: E7F0FF71A4060C9BDB21EBB5EC4AEDEB3B8AB08704F408519A625D7152EB78A6088F55

Uniqueness

Uniqueness Score: -1.00%

Function 007857EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0078581D
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0078582E
PathAppendW.SHLWAPI(?,Logs\ignored), ref: 0078583D

Strings

Logs\ignored, xrefs: 00785834

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AppendDirectoryPathWindows_memset
String ID: Logs\ignored
API String ID: 651767395-1052034624
Opcode ID: 4954a54e78d513ea318054ede4f3f09e028f00e03a8d1ca163f5e514fc9cd7dc
Instruction ID: 6c3367d100a141194cd64cf7c54a1a2e6501b355c8f13840d43d92469a41f2c0
Opcode Fuzzy Hash: 4954a54e78d513ea318054ede4f3f09e028f00e03a8d1ca163f5e514fc9cd7dc
Instruction Fuzzy Hash: DEF0F471A4060C9BDB21EBF5DC4AEDEB3B8AB08704F408519A625D7152EB7896088F55

Uniqueness

Uniqueness Score: -1.00%

Function 00781117 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000,?,?,?,007445F6), ref: 0078111E
OpenEventW.KERNEL32(00100000,00000000,{51908485-3D48-408a-AC9A-8DA4361CCC61},?,?,007445F6), ref: 00781130
GetLastError.KERNEL32(?,?,007445F6), ref: 00781152

Strings

{51908485-3D48-408a-AC9A-8DA4361CCC61}, xrefs: 00781124

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ErrorLast$EventOpen
String ID: {51908485-3D48-408a-AC9A-8DA4361CCC61}
API String ID: 325147236-3488813379
Opcode ID: 536c2eefb79923f471aa5b6ab3b62570eca7ac60876e2b4f7e6cb1dc22bfc819
Instruction ID: 19052cb2f8458e34896efa3ab8eff40a11bfcc1ae1d4276db542b6d4edf7749a
Opcode Fuzzy Hash: 536c2eefb79923f471aa5b6ab3b62570eca7ac60876e2b4f7e6cb1dc22bfc819
Instruction Fuzzy Hash: 1FE09B3294412DA7CA5067BC9C0EF997568CB05B61F104360FF16D22D0E6649D0596D5

Uniqueness

Uniqueness Score: -1.00%

Function 0079F59A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0079F5AC

Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F45E
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F46B
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F478
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F485
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F492
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F4AE
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(00000000), ref: 0079F4BE
Part of subcall function 0079F44C: InterlockedIncrement.KERNEL32(?), ref: 0079F4D4

___removelocaleref.LIBCMT ref: 0079F5B7

Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(fz), ref: 0079F4F5
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(?), ref: 0079F502
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(?), ref: 0079F50F
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(?), ref: 0079F51C
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(?), ref: 0079F529
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(?), ref: 0079F545
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(00000000), ref: 0079F555
Part of subcall function 0079F4DB: InterlockedDecrement.KERNEL32(?), ref: 0079F56B

___freetlocinfo.LIBCMT ref: 0079F5CB

Part of subcall function 0079F303: ___free_lconv_mon.LIBCMT ref: 0079F349
Part of subcall function 0079F303: ___free_lconv_num.LIBCMT ref: 0079F36A
Part of subcall function 0079F303: ___free_lc_time.LIBCMT ref: 0079F3EF

Strings

`i}, xrefs: 0079F5C2

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: `i}
API String ID: 467427115-756928349
Opcode ID: e4d4b074adfca55ccf98f7467b85db57986707dbadc0286de92a3e243b2e3d3e
Instruction ID: 9989f6eea52ebedbfca4190c7e1445ab56ccc533fdc119ed5289a397c3897fd6
Opcode Fuzzy Hash: e4d4b074adfca55ccf98f7467b85db57986707dbadc0286de92a3e243b2e3d3e
Instruction Fuzzy Hash: DEE08672503521459E312D1C744466B92D40F82721B1B007BF878F7554EF2C5D9083D1

Uniqueness

Uniqueness Score: -1.00%

Function 00798AB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,?,?,?,?,0074467D), ref: 00798AC9
CommandLineToArgvW.SHELL32(00000000,?,?,?,0074467D), ref: 00798AD0

Part of subcall function 0079894C: __EH_prolog3_GS.LIBCMT ref: 00798953

LocalFree.KERNEL32(00000000,?,?,?,0074467D), ref: 00798AE8

Strings

}Ft, xrefs: 00798ADB

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CommandLine$ArgvFreeH_prolog3_Local
String ID: }Ft
API String ID: 1550188475-1378058167
Opcode ID: 0a0ad148bbc716230af5e798f72ea676f2690246c90fbaf4b47484bd7fcfc153
Instruction ID: 74a079869b63b37ca5ec4f2ca65793a5f9aed3aff05947e3bfac44867235a54a
Opcode Fuzzy Hash: 0a0ad148bbc716230af5e798f72ea676f2690246c90fbaf4b47484bd7fcfc153
Instruction Fuzzy Hash: 4AE0ED76401118FFDF049B94ED0DFDD77BCEB04266F104144FA01A2190DB78AB009A99

Uniqueness

Uniqueness Score: -1.00%

Function 00781409 Relevance: 6.1, APIs: 4, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI(00000000,?,?,?,?,00780F89,kernel32.dll,GetNativeSystemInfo,00000000,00000001,00000000), ref: 00781438
GetModuleHandleW.KERNEL32(00000000,?,?,?,00780F89,kernel32.dll,GetNativeSystemInfo,00000000,00000001,00000000), ref: 0078143F
LoadLibraryW.KERNEL32(00000000,?,?,?,00780F89,kernel32.dll,GetNativeSystemInfo,00000000,00000001,00000000), ref: 0078144C
GetProcAddress.KERNEL32(00000000,00000001), ref: 0078145E

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: AddressFileFindHandleLibraryLoadModuleNamePathProc
String ID:
API String ID: 574069307-0
Opcode ID: 82c4f6d9753cfdc3323902a12685c9a8025f3443d7b10df369161f678164f2fd
Instruction ID: 346a31f0b2d33c8688d4ad47e18bb64dd945d2bd154cc6ee8b56741ae35bf374
Opcode Fuzzy Hash: 82c4f6d9753cfdc3323902a12685c9a8025f3443d7b10df369161f678164f2fd
Instruction Fuzzy Hash: F0419672D5411AEFCF12AFD4DC448EEBB7ABF99340F618464E61272030D73A5A62AB50

Uniqueness

Uniqueness Score: -1.00%

Function 007AE890 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007AE8C4
__isleadbyte_l.LIBCMT ref: 007AE8F8
MultiByteToWideChar.KERNEL32(00000080,00000009,007AA7CA,?,00000000,00000000,?,?,?,?,007AA7CA,00000000,?), ref: 007AE929
MultiByteToWideChar.KERNEL32(00000080,00000009,007AA7CA,00000001,00000000,00000000,?,?,?,?,007AA7CA,00000000,?), ref: 007AE997

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2bb569b77f2fd760376ed248012a43af7a35bb63e88434e8481521cb192b5205
Instruction ID: 848ec29c176b61a0b930961ce46dcbf93db92fbc039de5eec741777c902c0908
Opcode Fuzzy Hash: 2bb569b77f2fd760376ed248012a43af7a35bb63e88434e8481521cb192b5205
Instruction Fuzzy Hash: 5531BE31A00356EFEF20DF64C884AAE3BA5FF82311F1486A9E4A59B191D338ED40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 007851FF Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0078521A
_malloc.LIBCMT ref: 00785228

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

GdipGetImageEncoders.GDIPLUS(?,?,00000000,?,?,?), ref: 00785237
lstrcmpiW.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?), ref: 00785259

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: EncodersGdipImage$AllocHeapSize_malloclstrcmpi
String ID:
API String ID: 3194904807-0
Opcode ID: daa414bb49329f793836ad282de6f144c85665bc91117ea46cb1e15e186f4cf9
Instruction ID: df106043cbca89be939810787b539808deba1c9dfa6c08cbf64ff792db19aacd
Opcode Fuzzy Hash: daa414bb49329f793836ad282de6f144c85665bc91117ea46cb1e15e186f4cf9
Instruction Fuzzy Hash: 98119EB2C4461CBACF21AFA9A8846DEBBB9BF44340F048156FC00A6141DB799A45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0075D60F Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 0075D638
GetDeviceCaps.GDI32(?,0000005A), ref: 0075D64D
MulDiv.KERNEL32(?,000009EC,00000000), ref: 0075D666
MulDiv.KERNEL32(?,000009EC,?), ref: 0075D676

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CapsDevice
String ID:
API String ID: 328075279-0
Opcode ID: 0f4b7c14131e60a9d7d1cc4ff926e8d866c423bc4f408bdbee9099fcc8ec31d8
Instruction ID: 1ac56fa41143f4a41bf4ed6272ddd272fb2f58254cdf342956e98bd91142a36d
Opcode Fuzzy Hash: 0f4b7c14131e60a9d7d1cc4ff926e8d866c423bc4f408bdbee9099fcc8ec31d8
Instruction Fuzzy Hash: 0F11D676600214AFCB44DF69C9C8E4A7BE9FF49311B0581A6FE08DB356DA71E804CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0076C125 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076C168
_wcsncpy.LIBCMT ref: 0076C177
CLSIDFromString.OLE32(?,00000000,?,?,?,00000004,?,?), ref: 0076C193
CLSIDFromProgID.OLE32(?,00000000,?,?,?,00000004,?,?), ref: 0076C19B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: From$ProgString_memset_wcsncpy
String ID:
API String ID: 2240319475-0
Opcode ID: 707c2fc0449faf412239405a3895cb859557161e0480dd306b28324784cb1a0d
Instruction ID: 4b0ea0ced1e5453b5f9610e21fd374ba53763bb83c64378903fa086e38176b95
Opcode Fuzzy Hash: 707c2fc0449faf412239405a3895cb859557161e0480dd306b28324784cb1a0d
Instruction Fuzzy Hash: 6D11657290011CABDB21EFA8DD45FDFB7BCAB05314F404596A706F7141DA789A448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 007816C9 Relevance: 6.1, APIs: 4, Instructions: 53processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007816F9
CreateToolhelp32Snapshot.KERNEL32(00000008), ref: 0078170E
Module32FirstW.KERNEL32(00000000,?), ref: 00781728
Module32NextW.KERNEL32(00000000,?), ref: 00781744

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Module32$CreateFirstNextSnapshotToolhelp32_memset
String ID:
API String ID: 2056545588-0
Opcode ID: 8be034ec96b8496f10ed9a3beeaa219ad0fa06841abd93a13c03a0e28ea4957f
Instruction ID: b438119e9b2d02803969d7e81f0e4c9918d45bc1ddda2f6569a2dd5b5736b7c2
Opcode Fuzzy Hash: 8be034ec96b8496f10ed9a3beeaa219ad0fa06841abd93a13c03a0e28ea4957f
Instruction Fuzzy Hash: 1F01C471545304EAC620FA64DD06BAB73ECAF84750F84463DBE98821C1EB38D906C796

Uniqueness

Uniqueness Score: -1.00%

Function 00793442 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00793449
std::_Mutex::_Mutex.LIBCPMT ref: 0079345A

Part of subcall function 0079B5B0: _malloc.LIBCMT ref: 0079B5CA

std::locale::_Init.LIBCPMT ref: 00793472

Part of subcall function 007A76AF: __EH_prolog3.LIBCMT ref: 007A76B6
Part of subcall function 007A76AF: std::_Lockit::_Lockit.LIBCPMT ref: 007A76CA
Part of subcall function 007A76AF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 007A76F3
Part of subcall function 007A76AF: std::locale::_Setgloballocale.LIBCPMT ref: 007A7703
Part of subcall function 007A76AF: std::locale::facet::_Incref.LIBCPMT ref: 007A7726

std::locale::facet::_Incref.LIBCPMT ref: 00793480

Part of subcall function 0078A04D: std::_Lockit::_Lockit.LIBCPMT ref: 0078A059

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: std::_std::locale::_$H_prolog3IncrefLockitLockit::_std::locale::facet::_$InitLocimpLocimp::_MutexMutex::_Setgloballocale_malloc
String ID:
API String ID: 3116483794-0
Opcode ID: 66d880537514e16dfca5daffd414daa541504f043b5b4347d6f543c41931ee1b
Instruction ID: 51f7f6938620cdabea2b6a845419be5a2d61cf037cd17c80002fcd3f17c94f44
Opcode Fuzzy Hash: 66d880537514e16dfca5daffd414daa541504f043b5b4347d6f543c41931ee1b
Instruction Fuzzy Hash: F411EFB4601B00CFC726DF69C180956FBF0BF997107000A6EE89687B60EB74B904CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00780646 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000001,?,?,00000000,00733B58,?,00000001,?), ref: 00780668
_malloc.LIBCMT ref: 00780670

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

_memset.LIBCMT ref: 00780682
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0078069A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeap_malloc_memset
String ID:
API String ID: 2311837860-0
Opcode ID: 7025783f1e6f406bdc36992a75f6176953b168e2f2d80ad995a2f7908f77981e
Instruction ID: 127a9ff2eeb9793ee2e604b0d86bf0242cf639e0f2921c6ccfb27f87119dbafc
Opcode Fuzzy Hash: 7025783f1e6f406bdc36992a75f6176953b168e2f2d80ad995a2f7908f77981e
Instruction Fuzzy Hash: F2F0BB322491557A9731B9A76C49CDB7E6CE7CBF70B140329F65495080E5159914C3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00773423 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,00773373,?,?,?), ref: 00773434
SendMessageW.USER32(?,00001001,00000000,?), ref: 0077345F

Part of subcall function 00773567: __EH_prolog3_GS.LIBCMT ref: 00773571

SendMessageW.USER32(?,00000008,?,?), ref: 0077349D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 007734A8

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MessageSend$H_prolog3_ProcWindow
String ID:
API String ID: 1335716683-0
Opcode ID: 0d8f78151f4c85f2440e03f4799e70b4d4f198ce13c0ccee656f604ada170022
Instruction ID: a4b218fc4adf8983620acc76b3d21f923710110fae86d02eb9bdcaf6b6398ca2
Opcode Fuzzy Hash: 0d8f78151f4c85f2440e03f4799e70b4d4f198ce13c0ccee656f604ada170022
Instruction Fuzzy Hash: B0111575200205FFDB019F14CC89FA9BBA6FF08355F008160FA189B6A1C772F8A0DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0078057B Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,-00000074,000000FF,00000000,00000000,-00000074,-00000098,00000000,?,00733A56,-000000D8,-00000074,-00000030,?,-00000098), ref: 0078059B
_malloc.LIBCMT ref: 007805A4

Part of subcall function 0079B6F2: __FF_MSGBANNER.LIBCMT ref: 0079B715
Part of subcall function 0079B6F2: __NMSG_WRITE.LIBCMT ref: 0079B71C
Part of subcall function 0079B6F2: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0079EA5D,?,00000001,?,?,0079D9B5,00000018,007CCD60,0000000C,0079DA46), ref: 0079B769

_memset.LIBCMT ref: 007805B4
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 007805CB

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeap_malloc_memset
String ID:
API String ID: 2311837860-0
Opcode ID: 1ef02046e657ff9bf66988fc018b7d5ab7daa2a7739f07a47340f5360aef0206
Instruction ID: 6ba0dd7f09cca09b46eb774c57b92bc05f0af66fb96aa393a336644083441821
Opcode Fuzzy Hash: 1ef02046e657ff9bf66988fc018b7d5ab7daa2a7739f07a47340f5360aef0206
Instruction Fuzzy Hash: 9BF05232289229BFEB2036A52C06E7BB28CEB45770F150332BA20A91C0C944AC104BF2

Uniqueness

Uniqueness Score: -1.00%

Function 0076233F Relevance: 6.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00762346
VariantInit.OLEAUT32(?), ref: 0076235E
SysAllocString.OLEAUT32(?), ref: 00762371
VariantClear.OLEAUT32(?), ref: 00762395

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Variant$AllocClearH_prolog3InitString
String ID:
API String ID: 563561277-0
Opcode ID: 9e16db4cb79e4e3ab13b071b80d5f87581c26d64d89ffb941330371f22b706b0
Instruction ID: 71646193358847c56c3e46fae57d194764959c366c615dec31f954c8f82a7718
Opcode Fuzzy Hash: 9e16db4cb79e4e3ab13b071b80d5f87581c26d64d89ffb941330371f22b706b0
Instruction Fuzzy Hash: 24F03771C01619EBCF50DBE0C848EEEBBB8FF09700F008126B6189B291D7386A01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 007946E8 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007946EF

Part of subcall function 00795812: __EH_prolog3.LIBCMT ref: 00795819
Part of subcall function 00795812: std::_Lockit::_Lockit.LIBCPMT ref: 00795823

_localeconv.LIBCMT ref: 0079498D

Strings

$, xrefs: 007949F0

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::__localeconvstd::_
String ID: $
API String ID: 502951431-3993045852
Opcode ID: 0cc2552a7d92d97c011ea7d1a0c3bf535e228ce10a218ac32243fc7d6bc479ca
Instruction ID: 09f94b672ced134626a874a0e58badf374f15b00e9742e2714be694ec3952272
Opcode Fuzzy Hash: 0cc2552a7d92d97c011ea7d1a0c3bf535e228ce10a218ac32243fc7d6bc479ca
Instruction Fuzzy Hash: CCD14031904AE8CFDF22ABF8E449BEDBBB1AF12314F184146E0416B256C77C5987C796

Uniqueness

Uniqueness Score: -1.00%

Function 00738AB0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

decfile.png, xrefs: 00738C13
DecryptNeedToApprove, xrefs: 00738BA5

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID:
String ID: DecryptNeedToApprove$decfile.png
API String ID: 0-3242272932
Opcode ID: fed1f48612b542ce40dbc58ae23798ed524cb903acbb9854f0e593d6ba092c23
Instruction ID: 9a876f41ad670a74daf8708f38df0ccf732cb6cb9138723c7a94cba00d54bb10
Opcode Fuzzy Hash: fed1f48612b542ce40dbc58ae23798ed524cb903acbb9854f0e593d6ba092c23
Instruction Fuzzy Hash: 1AA1ADB1214340DFEB90EF68E489B5EB3A1BF84314F00486DF69987253DB39A911CB63

Uniqueness

Uniqueness Score: -1.00%

Function 007908FB Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00790902
__CxxThrowException@8.LIBCMT ref: 0079093D

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

invalid map/set<T> iterator, xrefs: 00790910

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1961742612-152884079
Opcode ID: 1b287f5013279a57b249432307d853f7570d44ff80637cfb34a61f9c2904dc49
Instruction ID: 460674ea67c554be615992433d3f348979fccdedf30ddebc00088fcc3bad4956
Opcode Fuzzy Hash: 1b287f5013279a57b249432307d853f7570d44ff80637cfb34a61f9c2904dc49
Instruction Fuzzy Hash: 76A13670628281DFDF55CF24D094B68BBA2BF55318FA8918CD8894F693C779EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00786C5A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00786C61
__CxxThrowException@8.LIBCMT ref: 00786C9C

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

invalid map/set<T> iterator, xrefs: 00786C6F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1961742612-152884079
Opcode ID: 2655fac8cb06c7ba5bcd6231cc0313d0ab6e338758a20fe7e3134733204f6eed
Instruction ID: aaa6a7e1b62716c738fbca15362edba01afade9c1ebacd5db0360c0c197c4acf
Opcode Fuzzy Hash: 2655fac8cb06c7ba5bcd6231cc0313d0ab6e338758a20fe7e3134733204f6eed
Instruction Fuzzy Hash: E8A14FB4644281EFDB15EF24C194B547FA2AF19328F28819CD4894F3A2C779ECC5CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00784E00 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00784E07
__CxxThrowException@8.LIBCMT ref: 00784E42

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

invalid map/set<T> iterator, xrefs: 00784E15

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1961742612-152884079
Opcode ID: 5e2b051bd6e4518c5b9ce5b1ff8ef05cdf0649e884fe9820cba53db03b634bfb
Instruction ID: 0eb186b3c8817b13cf044342aedadc6741700bcfc4efa9de55416d0ef0acacf1
Opcode Fuzzy Hash: 5e2b051bd6e4518c5b9ce5b1ff8ef05cdf0649e884fe9820cba53db03b634bfb
Instruction Fuzzy Hash: 50A14B70545286DFDB19EF24D184B65BFA1BF15308F28808DD4854F392C7BAED85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00784185 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078418C
__CxxThrowException@8.LIBCMT ref: 007841C7

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

invalid map/set<T> iterator, xrefs: 0078419A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1961742612-152884079
Opcode ID: d8eca708e44b425bcb1ecb16d17c5a16aca7a215457f83f8c6518b4eb7fe8dbb
Instruction ID: c401bc3e6824d66f245d2069ed8198aaa132bec75a3f4443e2b397004e7ec809
Opcode Fuzzy Hash: d8eca708e44b425bcb1ecb16d17c5a16aca7a215457f83f8c6518b4eb7fe8dbb
Instruction Fuzzy Hash: DAA17670558292CFDB22EF64C0887A4BBA1BB16308F29C09DD5854F693D3FAEC85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00784B70 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00784B77
__CxxThrowException@8.LIBCMT ref: 00784BB2

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

invalid map/set<T> iterator, xrefs: 00784B85

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1961742612-152884079
Opcode ID: 3a035d9282abbb87ac2a6034ce1d9659752a36340303e6e97de25bc2e84180f5
Instruction ID: 7e9f704b82e17195baa505ea047c5fdac4facda5bb77feebca827f1e8d650900
Opcode Fuzzy Hash: 3a035d9282abbb87ac2a6034ce1d9659752a36340303e6e97de25bc2e84180f5
Instruction Fuzzy Hash: F5A17B70685282CFDB11EF24C084764BBA6BF15308F6991CDC8854F693C7B9EC85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0077B682 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0077B6D5
_malloc.LIBCMT ref: 0077B799

Strings

H, xrefs: 0077B860

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: _malloc
String ID: H
API String ID: 1579825452-2852464175
Opcode ID: ab4a8beb2887b0956cc309714ec99f1b9cb520dd128234f75f45e9ef5ac9d94e
Instruction ID: bf267cda9a833cca602e84db1234c8c700dd0ab8e0747ab0f0b5387b9b6bb6fa
Opcode Fuzzy Hash: ab4a8beb2887b0956cc309714ec99f1b9cb520dd128234f75f45e9ef5ac9d94e
Instruction Fuzzy Hash: 92915370A00206DFDF24CF68C480AA9FBF4FF49380B20899AE559D7351D734AA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00768491 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 00768591
IntersectRect.USER32(?,?,?), ref: 007685D7

Strings

Container, xrefs: 007684CA

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: IntersectRect
String ID: Container
API String ID: 481094312-1163095736
Opcode ID: a6606e87776f1fe908310491126215f4c7d8746db47ec6c77c6e03acbc19bfde
Instruction ID: 5c1c4c2789480a976dac09afadb76f963ca437ee12cb1f2d4ae1f3cdad1bf1d1
Opcode Fuzzy Hash: a6606e87776f1fe908310491126215f4c7d8746db47ec6c77c6e03acbc19bfde
Instruction Fuzzy Hash: D8513A316046118FCB40DF68C488AAA77E5BF89301B054AA9F946DB352DB34D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0078C892 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078C899

Part of subcall function 0078B5DE: __EH_prolog3_GS.LIBCMT ref: 0078B5E5

Strings

Empty escape sequence in string, xrefs: 0078C9A7
Bad escape sequence in string, xrefs: 0078C9D5

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: Bad escape sequence in string$Empty escape sequence in string
API String ID: 3355343447-928816353
Opcode ID: 65fa53d75b3b367280b9829858393d75b5f0db7f48bc64a9db3f39a466334b09
Instruction ID: cc514307ad1bd60da2a47df03f7c2fdf793be1194533e8abd703daa77e2372cf
Opcode Fuzzy Hash: 65fa53d75b3b367280b9829858393d75b5f0db7f48bc64a9db3f39a466334b09
Instruction Fuzzy Hash: DB41E6714C0209EADF12FE64C94ABBDB764EF11320F248195FC567B182CA3DAE459BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0078CBD2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078CBD9

Strings

for detail., xrefs: 0078CD27
See , xrefs: 0078CD15

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3
String ID: for detail.$See
API String ID: 431132790-4250990345
Opcode ID: 20cad6e63b21d4dd453fcee632ac850c61572b619c149a0b4150d11d873bee4f
Instruction ID: 208541aa222fbffbe57a9302c94bb9f87ea6bedd9f14d80f258871bc5a0c9b11
Opcode Fuzzy Hash: 20cad6e63b21d4dd453fcee632ac850c61572b619c149a0b4150d11d873bee4f
Instruction Fuzzy Hash: 52417CB1D44148EBDB01FBE8C84ABDEB7B8AF04304F644159A518B3282DB796E05CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00748257 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126keyboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00748349
GetKeyState.USER32(00000010), ref: 007483CC

Strings

RichEdit, xrefs: 007483A7

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CountStateTick
String ID: RichEdit
API String ID: 2629120050-1265552804
Opcode ID: e1622b2f48bcd04746f77f390ce7f52437af5205ed2aceb13428c0ee9690ca56
Instruction ID: bcb38e15d77055bb93689d9f409aeb157ccbb0e52062c35ac664edf43b02075a
Opcode Fuzzy Hash: e1622b2f48bcd04746f77f390ce7f52437af5205ed2aceb13428c0ee9690ca56
Instruction Fuzzy Hash: 78419175600749DFCB60DFA8C488BED77F1FF48700F108869E95AAB250DB39A945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0076702F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 007670AD
PtInRect.USER32(?,?,?), ref: 007670EA

Strings

itemclick, xrefs: 00767154

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Rect
String ID: itemclick
API String ID: 400858303-803468992
Opcode ID: 60debeeea01fbacb62542e0cd5f47d5618431f604e3ccf1eb26b5861509ec92b
Instruction ID: fe15711b8f21eb8fac8f4a5c86a5dd05ec461b8f2fc99d78645210804af96635
Opcode Fuzzy Hash: 60debeeea01fbacb62542e0cd5f47d5618431f604e3ccf1eb26b5861509ec92b
Instruction Fuzzy Hash: C241B630208606DBCE2C9F34C888E79B3AAFF823D8F144559ED56DB251DB29EC51C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00734340 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00734456

Strings

POST, xrefs: 0073439F, 007343C9, 007343CA
GET, xrefs: 00734395

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: Window
String ID: GET$POST
API String ID: 2353593579-3192705859
Opcode ID: 0135effb8a4e5b87c0c11e438a8157152b9eadb5c781c07f910d33f83848be03
Instruction ID: 639a5fe02b55f3ce50c5a27c4e072dac3474bb38eef86a5d7cec6f67d64ac1cc
Opcode Fuzzy Hash: 0135effb8a4e5b87c0c11e438a8157152b9eadb5c781c07f910d33f83848be03
Instruction Fuzzy Hash: B341B0B15083849FE314DF69D849B1BBBE8EF89744F04492EF98597342D779E804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00786A90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00786A97
__CxxThrowException@8.LIBCMT ref: 00786AD6

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

map/set<T> too long, xrefs: 00786AA9

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: map/set<T> too long
API String ID: 1961742612-1285458680
Opcode ID: 96f054c52dbc142cea8ceada384cd60ed39e5e23121ff9caea17a588326d41cf
Instruction ID: a0dd332fc6ce5a8072f530efa5e0d21840dd528cca1eb83fef7206f4f22f72e6
Opcode Fuzzy Hash: 96f054c52dbc142cea8ceada384cd60ed39e5e23121ff9caea17a588326d41cf
Instruction Fuzzy Hash: FA4117B1600240EFD721EF58C588B95BFF1AF15318F298098E9499B752D779FC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0078744F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00787456
__CxxThrowException@8.LIBCMT ref: 00787493

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

map/set<T> too long, xrefs: 00787466

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: map/set<T> too long
API String ID: 1961742612-1285458680
Opcode ID: 152775038d5412ec9599382030ce79f5101a9359d83d620eb9ac277e95ab17c8
Instruction ID: 1515cc28b25610acd7ac02dad76be980c3dd2d187452785cdc3cfaf9c4bb3129
Opcode Fuzzy Hash: 152775038d5412ec9599382030ce79f5101a9359d83d620eb9ac277e95ab17c8
Instruction Fuzzy Hash: EA4136B1244680DFC729EF18C188F59BBF1BF59324F258198E44A8B662C779FD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 007AA8FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 007B0427
__getbuf.LIBCMT ref: 007B04BF

Strings

Xj}, xrefs: 007B042D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __fileno__getbuf
String ID: Xj}
API String ID: 2304796792-742926518
Opcode ID: 550ed5c888d8282fb88488f978af5a0a4f81cf89d111efae071829762e61aeea
Instruction ID: 1f0c82fe6815c75ba39c9bf6436bfcc25f97057397c11536cd2c10ea6f411c62
Opcode Fuzzy Hash: 550ed5c888d8282fb88488f978af5a0a4f81cf89d111efae071829762e61aeea
Instruction Fuzzy Hash: 5731C872100A804ADB398A2DD8447AB37D1EF833347248729E6BD876D1D73CE842D790

Uniqueness

Uniqueness Score: -1.00%

Function 0075226C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00752273

Part of subcall function 0079B5B0: _malloc.LIBCMT ref: 0079B5CA

Strings

VScrollBar, xrefs: 007522E7
HScrollBar, xrefs: 00752394

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_malloc
String ID: HScrollBar$VScrollBar
API String ID: 2346879263-4035620935
Opcode ID: 8facbe0c9bef70e2e689d8b84d8904d5b335e801b43f265ca15e44f65ac85fb2
Instruction ID: 5dd897ff0a9f8e15706e498d27064ebf6bf7ffc2037926fda5da5dedff42e00a
Opcode Fuzzy Hash: 8facbe0c9bef70e2e689d8b84d8904d5b335e801b43f265ca15e44f65ac85fb2
Instruction Fuzzy Hash: 53417F74700601EFCB14DFB4C488998B7A2BF89311F258369F919D7252DB7DAC59CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0078B75E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078B765

Strings

Extra non-whitespace after JSON value., xrefs: 0078B7FC
A valid JSON document must be either an array or an object value., xrefs: 0078B862

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3
String ID: A valid JSON document must be either an array or an object value.$Extra non-whitespace after JSON value.
API String ID: 431132790-2184294112
Opcode ID: 33e71d49048f01fc3f05597e761c5f99d6d8d09664755f2be444ebf6227c9f2f
Instruction ID: d0b7b300b164bca538207615c1958a0b133f538af45dae8fc595c0951d7b3339
Opcode Fuzzy Hash: 33e71d49048f01fc3f05597e761c5f99d6d8d09664755f2be444ebf6227c9f2f
Instruction Fuzzy Hash: 97415E7598064AEFDF15FFA4C885AEDBBB4BF14300F04812AE454A7242DB38AA55DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 0078B3D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0078B3E2

Part of subcall function 00790FBA: __EH_prolog3.LIBCMT ref: 00790FC1

Part of subcall function 0079039B: __EH_prolog3_catch.LIBCMT ref: 007903A2

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0078B4BC

Part of subcall function 00787154: __EH_prolog3.LIBCMT ref: 0078715B

Part of subcall function 00789C83: __EH_prolog3.LIBCMT ref: 00789C8A

Part of subcall function 0078B5DE: __EH_prolog3_GS.LIBCMT ref: 0078B5E5

Strings

' is not a number., xrefs: 0078B45B

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3$H_prolog3_$H_prolog3_catchIos_base_dtorstd::ios_base::_
String ID: ' is not a number.
API String ID: 2426963827-698141950
Opcode ID: 09bfbf633e7064fb99c324020dea213c0e700dec21b583d27bbbd67e6fecaa53
Instruction ID: 39ecc73c50d60c906cfbce856be12b220d4733fc1e271f4c503d369150652d1e
Opcode Fuzzy Hash: 09bfbf633e7064fb99c324020dea213c0e700dec21b583d27bbbd67e6fecaa53
Instruction Fuzzy Hash: 4231AE71910148EEDF15FBA8D84AFDEBBB8AF05304F148099F049A7243DB796B49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0078CA01 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078CA08

Part of subcall function 0078B511: __EH_prolog3.LIBCMT ref: 0078B518

Part of subcall function 0078B5DE: __EH_prolog3_GS.LIBCMT ref: 0078B5E5

Strings

expecting another \u token to begin the second half of a unicode surrogate pair, xrefs: 0078CAC3
additional six characters expected to parse unicode surrogate pair., xrefs: 0078CA4A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3$H_prolog3_
String ID: additional six characters expected to parse unicode surrogate pair.$expecting another \u token to begin the second half of a unicode surrogate pair
API String ID: 4240126716-1961466578
Opcode ID: c85daf27cb222a5ec962ff5aa5e5ff493d592952cde89fe8cd0234a8d9e6221f
Instruction ID: 0e36ff8d521838ee5d62003cf5dc562456e62d38c130dee12f8fd3a216b20a51
Opcode Fuzzy Hash: c85daf27cb222a5ec962ff5aa5e5ff493d592952cde89fe8cd0234a8d9e6221f
Instruction Fuzzy Hash: 6D21AB34540209EFDF0AEFA0C895AFD7BA5EF18310F148428F882A7242CB389A559B60

Uniqueness

Uniqueness Score: -1.00%

Function 00792AFF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00792B06

Part of subcall function 0078A424: std::locale::facet::_Incref.LIBCPMT ref: 0078A42B

Part of subcall function 00794408: __EH_prolog3_GS.LIBCMT ref: 0079440F

Part of subcall function 0078A0B7: std::locale::facet::_Decref.LIBCPMT ref: 0078A0BD

__Stoulx.LIBCPMT ref: 00792B70

Strings

-, xrefs: 00792BA3

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_std::locale::facet::_$DecrefIncrefStoulx
String ID: -
API String ID: 1993928798-2547889144
Opcode ID: 8fc0f4c6511ad166f25ef79827152690075883ebda66bafec30cf1ddcafa6048
Instruction ID: bdfee3889d0423e2b46a191d23af5482b5d644549714fbc8111503c0552438c3
Opcode Fuzzy Hash: 8fc0f4c6511ad166f25ef79827152690075883ebda66bafec30cf1ddcafa6048
Instruction Fuzzy Hash: 2E2119B6900218EBDF11EF94E985AEDBBF4FF05310F044266F811A7251E738AE46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00792BCC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00792BD3

Part of subcall function 0078A424: std::locale::facet::_Incref.LIBCPMT ref: 0078A42B

Part of subcall function 00794408: __EH_prolog3_GS.LIBCMT ref: 0079440F

Part of subcall function 0078A0B7: std::locale::facet::_Decref.LIBCPMT ref: 0078A0BD

__Stoulx.LIBCPMT ref: 00792C3D

Strings

-, xrefs: 00792C6D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_std::locale::facet::_$DecrefIncrefStoulx
String ID: -
API String ID: 1993928798-2547889144
Opcode ID: 34ba00bbf4ca3c91d95d55d3814960da791547cdae16c69349d77985356791b0
Instruction ID: cbdc6c0d4bb9bdadbe56f0b866f5a17681138985f9cad8feff07ab12f23d0cfa
Opcode Fuzzy Hash: 34ba00bbf4ca3c91d95d55d3814960da791547cdae16c69349d77985356791b0
Instruction Fuzzy Hash: F7212C76900218EFDF11EF94E985ADDBBB8FF09310F044256F811A7241D734AE46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0078B511 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078B518

Part of subcall function 0078B5DE: __EH_prolog3_GS.LIBCMT ref: 0078B5E5

Strings

Bad unicode escape sequence in string: four digits expected., xrefs: 0078B527
Bad unicode escape sequence in string: hexadecimal digit expected., xrefs: 0078B5B1

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3H_prolog3_
String ID: Bad unicode escape sequence in string: four digits expected.$Bad unicode escape sequence in string: hexadecimal digit expected.
API String ID: 3355343447-3825735986
Opcode ID: b781b4c21a5818b1694ad72b0839b2a794d83e85b89a29690c565ba1b8063bb0
Instruction ID: b97616f6530dec3ff0caa013437dac7cc07c702cc3f65c7a052ffe6705d3c072
Opcode Fuzzy Hash: b781b4c21a5818b1694ad72b0839b2a794d83e85b89a29690c565ba1b8063bb0
Instruction Fuzzy Hash: 7121AE34540408DFEB15EF64C8E5BEEBBF1EB45750F10441DE542AB292CB3DAA69DB40

Uniqueness

Uniqueness Score: -1.00%

Function 0074ABB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(?), ref: 0074ABD6
GetTickCount.KERNEL32 ref: 0074AC01

Strings

killfocus, xrefs: 0074AC29

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CountFocusTick
String ID: killfocus
API String ID: 3897604831-1616503811
Opcode ID: 87cffcd9c889fbd64cb8b0f7d3fb8cfe499f58c483ab9aa307605d948e1138d0
Instruction ID: c52160a51f6f466a349cd7c091ead729d68c26368f4a0850705fa8b71ce6a17a
Opcode Fuzzy Hash: 87cffcd9c889fbd64cb8b0f7d3fb8cfe499f58c483ab9aa307605d948e1138d0
Instruction Fuzzy Hash: 18214F75900784ABDB21DF79C888FDBBBF5EF99300F00882DE66AA6250DB746444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00780FAF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(00000000,00000008), ref: 00780FD4
wnsprintfA.SHLWAPI ref: 0078101D

Strings

%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x, xrefs: 00781014

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: CreateGuidwnsprintf
String ID: %08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x
API String ID: 211977963-4056305060
Opcode ID: 42ddde10e6c34cb56fa8bd1f0dab006576521f14f017c7bad4636ff38f1788fe
Instruction ID: 027f4d48609b1a38a1d349a035008db717e9aaeb7d82ef361803d4172e0267a1
Opcode Fuzzy Hash: 42ddde10e6c34cb56fa8bd1f0dab006576521f14f017c7bad4636ff38f1788fe
Instruction Fuzzy Hash: E1113CA69040997ECB52DBE98D11EBFBBFC9B0D201F440095F6A1E1091D63CDB01DB70

Uniqueness

Uniqueness Score: -1.00%

Function 007887FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

SHCreateStreamOnFileW.SHLWAPI(?,00001001,00000000), ref: 0078881C

Part of subcall function 007884B2: __EH_prolog3_GS.LIBCMT ref: 007884BC

DeleteFileW.KERNEL32(?), ref: 00788880

Strings

open file failed, xrefs: 00788829

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: File$CreateDeleteH_prolog3_Stream
String ID: open file failed
API String ID: 2591404272-3995927536
Opcode ID: b2f01689e0dbb20f676b01399b1571c6243f022e5233b412553de321ace90c02
Instruction ID: ead2514a524f1f0bc014e6b0fd635afd3a30e3d7f719c598d6044b11d8c23fa3
Opcode Fuzzy Hash: b2f01689e0dbb20f676b01399b1571c6243f022e5233b412553de321ace90c02
Instruction Fuzzy Hash: B8117C31568305AFDB51AF54D809B6ABBE4AF84721F94CA1CF9A886291DF38D840CB53

Uniqueness

Uniqueness Score: -1.00%

Function 007976BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 007976C5

Part of subcall function 00797112: __EH_prolog3_GS.LIBCMT ref: 0079711C

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0079772B

Strings

open, xrefs: 00797725

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_$ExecuteShell
String ID: open
API String ID: 3230924550-2758837156
Opcode ID: 2a61a5437e0bec054c04685623e2f233d1752aadc9e1a355e9e00f10fe1807c2
Instruction ID: 08971dbb572ec10768cbe1a6758bd6b1512ec877c7045fb87e691aa852ec17be
Opcode Fuzzy Hash: 2a61a5437e0bec054c04685623e2f233d1752aadc9e1a355e9e00f10fe1807c2
Instruction Fuzzy Hash: 85113C75A01219ABDF11DFA8E885DEEBBB5EB48310F104015F904A7241C7389A41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00738240 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,Runas,00000044,00000098,00000000,00000001), ref: 00738282

Strings

open, xrefs: 00738250
Runas, xrefs: 00738249, 00738280

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExecuteShell
String ID: Runas$open
API String ID: 587946157-809297746
Opcode ID: 6418c9c179fcc52af707ea39ebfa56a00b09fd7b26608dddeeed21fe967e0cda
Instruction ID: d3770e674cac77d134ec2f56bb5038767166680ef030f5c0a3f4cc81d760aaa7
Opcode Fuzzy Hash: 6418c9c179fcc52af707ea39ebfa56a00b09fd7b26608dddeeed21fe967e0cda
Instruction Fuzzy Hash: F601F431204E01EFE7588615D848FA7B366BB82711F218134F10547642DB78BCA4C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 007A16E2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0079C1EF: __getptd.LIBCMT ref: 0079C1F5
Part of subcall function 0079C1EF: __getptd.LIBCMT ref: 0079C205

__getptd.LIBCMT ref: 007A16F1

Part of subcall function 0079CEFB: __getptd_noexit.LIBCMT ref: 0079CEFE
Part of subcall function 0079CEFB: __amsg_exit.LIBCMT ref: 0079CF0B

__getptd.LIBCMT ref: 007A16FF

Strings

csm, xrefs: 007A170D

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 01e1ae27a83a695f8d87dbed4fe3a96a8f346d479da0a6c132e4617c359eabaa
Instruction ID: ed32a1104a47bd2408e453893b2e3d1712e4ad7330755b26ad9437afe6e31403
Opcode Fuzzy Hash: 01e1ae27a83a695f8d87dbed4fe3a96a8f346d479da0a6c132e4617c359eabaa
Instruction Fuzzy Hash: 03018675801204CFEF359F64D99466CB7B9AF52321FD4691DE4C196591CB388985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0076A9F5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001001,00000000,?), ref: 0076AA1E
wsprintfW.USER32 ref: 0076AA45

Strings

%04d-%02d-%02d, xrefs: 0076AA3F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: MessageSendwsprintf
String ID: %04d-%02d-%02d
API String ID: 3751067900-516894531
Opcode ID: 1cd1cdb4454efe65a7364eb7ed268554e8c53f5ff52d5043000434bf48b25b79
Instruction ID: b4e0fc2e17bc2e6bef78e8d94e5cba47faf363c88de765b64d4132e27ca9f5d8
Opcode Fuzzy Hash: 1cd1cdb4454efe65a7364eb7ed268554e8c53f5ff52d5043000434bf48b25b79
Instruction Fuzzy Hash: C8F04470600204ABDB50DFA9C949FAFB3FCAB08701F404519B657D3180DE78F945C728

Uniqueness

Uniqueness Score: -1.00%

Function 0078D1FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0078D201
_malloc.LIBCMT ref: 0078D219

Strings

in Json::Value::duplicateStringValue(): Failed to allocate string value buffer, xrefs: 0078D225

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3_malloc
String ID: in Json::Value::duplicateStringValue(): Failed to allocate string value buffer
API String ID: 2346879263-3522564335
Opcode ID: 608d92a67e7305fd904240da02b0c040d9764e73acfce4b031632f9d0d43f709
Instruction ID: 0bd4cdaaa280e15e79eb517dd963c41ed993271582402984fd5a7a2542c7d327
Opcode Fuzzy Hash: 608d92a67e7305fd904240da02b0c040d9764e73acfce4b031632f9d0d43f709
Instruction Fuzzy Hash: 51F0E537840205E6CF21BAE4A85AADD77AA6F95371F690218F824671C2EF3CDD0087A1

Uniqueness

Uniqueness Score: -1.00%

Function 0076204E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00762055

Part of subcall function 0076BAB3: __EH_prolog3.LIBCMT ref: 0076BABA
Part of subcall function 0076BAB3: CoUninitialize.OLE32(00000004,007620C3), ref: 0076BAE0

Strings

\9|, xrefs: 00762065
d9|, xrefs: 0076206F

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: H_prolog3$Uninitialize
String ID: \9|$d9|
API String ID: 1272724754-1375202350
Opcode ID: 9fc84ca1979683cac0288e9e5860388cfd1a4200e27201f7c7ab771df32f53cd
Instruction ID: b5d6d34f166757a2f1cb76dd06ce07c0b6b25e2a07b2f9c8361d4be218632890
Opcode Fuzzy Hash: 9fc84ca1979683cac0288e9e5860388cfd1a4200e27201f7c7ab771df32f53cd
Instruction Fuzzy Hash: D9F0B7B0905B51CACB20EFA4810A799BBE1AB04318F10CB2D91AE5B281CBFC76448F85

Uniqueness

Uniqueness Score: -1.00%

Function 0079B15E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0079B165
__CxxThrowException@8.LIBCMT ref: 0079B190

Part of subcall function 0079BDE0: RaiseException.KERNEL32(?,?,0079B614,00000000,?,?,?,?,0079B614,00000000,007CD388,007D9D80,00000000,?,00000000), ref: 0079BE22

Strings

invalid string position, xrefs: 0079B16A

Memory Dump Source

Source File: 00000006.00000002.3223883373.0000000000731000.00000020.00000001.01000000.00000009.sdmp, Offset: 00730000, based on PE: true

Associated: 00000006.00000002.3223861027.0000000000730000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223967799.00000000007B9000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3223996171.00000000007D6000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224015275.00000000007D7000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224032495.00000000007D8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.3224054862.00000000007DE000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_730000_gxonecli.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: 49c774cb878f6ffc34db5127b3798473ec2442793765986970901997f9b245c7
Instruction ID: 8401c278d91c30ffa69df8768f81fe357d29e48c0505138bca3af3f694dd63f4
Opcode Fuzzy Hash: 49c774cb878f6ffc34db5127b3798473ec2442793765986970901997f9b245c7
Instruction Fuzzy Hash: 53D062B1950108DADF05E7D0DC8BFDD7378AF14B21F484425B20576086DFAC5644C765

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EhSODySB7R.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\419d6e.rbs

C:\Program Files (x86)\IOPL\gxonecli.exe

C:\Program Files (x86)\IOPL\kl.had

C:\Program Files (x86)\IOPL\libcurl32.dll

C:\Program Files (x86)\IOPL\xz.had

C:\Users\user\AppData\Local\Temp\MSI99F2.tmp

C:\Windows\Installer\419d6c.msi

C:\Windows\Installer\MSI9F22.tmp

C:\Windows\Installer\MSIA06B.tmp

C:\Windows\Installer\MSIA0AA.tmp

C:\Windows\Installer\MSIA0DA.tmp

C:\Windows\Installer\MSIA11A.tmp

C:\Windows\Installer\MSIA14A.tmp

C:\Windows\Installer\MSIA1E7.tmp

Windows Analysis Report
EhSODySB7R.exe

Function 0040134E Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 192
fileprocessCOMMON

Function 00401053 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 84
windowthreadCOMMON

Function 00401294 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
COMMON

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre