Edit tour

Windows Analysis Report
FW3x3p4eZ5.msi

Overview

General Information

Sample name:	FW3x3p4eZ5.msi renamed because original name is a hash value
Original sample name:	29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9.msi
Analysis ID:	1547886
MD5:	9775cb36162fab5d8dbe372cd5910ba7
SHA1:	a06d73422ecb931b6b6ae9f2af5f08f50b3d52dc
SHA256:	29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9
Tags:	LUNARSPIDERmsiuser-JAMESWT_MHT
Infos:

Detection

Bazar Loader, BruteRatel

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Bazar Loader

Yara detected BruteRatel

AI detected suspicious sample

Contains functionality to inject threads in other processes

Drops executables to the windows directory (C:\Windows) and starts them

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Uses known network protocols on non-standard ports

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6428 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FW3x3p4eZ5.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6524 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6964 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6180EE345BCC1B006AD84A7E54378DDE MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIB093.tmp (PID: 6764 cmdline: "C:\Windows\Installer\MSIB093.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState MD5: B9545ED17695A32FACE8C3408A6A3553)

MpCmdRun.exe (PID: 7860 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 1088 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3696 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
00000006.00000002.3722729048.0000026DB5D90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rundll32.exe PID: 3696	JoeSecurity_BruteRatel_2	Yara detected BruteRatel	Joe Security
Process Memory Space: rundll32.exe PID: 3696	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.26db5d90000.3.raw.unpack	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
6.2.rundll32.exe.26db5f00000.4.raw.unpack	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
6.2.rundll32.exe.26db5f00000.4.unpack	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T10:06:26.050265+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.7	49728	TCP
2024-11-03T10:07:06.891354+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.7	52742	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll

Avira: detection malicious, Label: TR/AVI.Agent.knniq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: FW3x3p4eZ5.msi

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000006.00000003.1277366975.0000026DB7741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIB093.tmp, 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmp, MSIB093.tmp, 00000004.00000000.1260001178.0000000000887000.00000002.00000001.01000000.00000003.sdmp, FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIB093.tmp.1.dr, MSIAFE6.tmp.1.dr
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000006.00000003.1273709464.0000026DB78A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000006.00000003.1277366975.0000026DB7741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000006.00000003.1273709464.0000026DB78A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIB093.tmp, 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmp, MSIB093.tmp, 00000004.00000000.1260001178.0000000000887000.00000002.00000001.01000000.00000003.sdmp, FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIB093.tmp.1.dr, MSIAFE6.tmp.1.dr
Source:	Binary string: E:\w\328b3cc762394cc5\sw\physx\PhysXSDK\2.8.3\RELEASE\bin\win64\PhysXCooking64.pdb source: rundll32.exe, 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmp, vierm_soft_x64.dll.1.dr
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_0087AF79 FindFirstFileExW,

4_2_0087AF79

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52654
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52660
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52677
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52683
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52735
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52759
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52765
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52786
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52803
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52807
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52808
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52813
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52815
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52818
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52819
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52823
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52826
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52827
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52829
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52830
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52833
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52834
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52842
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52843
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52845
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52846
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52849
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52850
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52853
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52854
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52857
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52861
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52862
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52870
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52871
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52873
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52874
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52877

Source: global traffic	TCP traffic: 192.168.2.7:49700 -> 82.115.223.39:8041
Source: global traffic	TCP traffic: 192.168.2.7:49720 -> 80.78.24.30:8041

Source: Joe Sandbox View	IP Address: 82.115.223.39 82.115.223.39
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30

Source: Joe Sandbox View	ASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View	ASN Name: CYBERDYNELR CYBERDYNELR

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49728
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:52742

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: greshunka.com
Source: global traffic	DNS traffic detected: DNS query: tiguanin.com
Source: global traffic	DNS traffic detected: DNS query: bazarunet.com

Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/U
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/q
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/u
Source: rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7787000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/
Source: rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/-
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/1
Source: rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/5
Source: rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/=
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/I
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php4
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php:R
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpi
Source: rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.phpm:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php4
Source: rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php:R
Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpA
Source: rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/i
Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/net.com:8041/bazar.phpo
Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/nka.com:8041/admin.php
Source: rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/u
Source: rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/
Source: rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/
Source: rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/%
Source: rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/5
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/=
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/A
Source: rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/M
Source: rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/Y
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.1771120220.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php:R
Source: rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpm:8041/admin.php
Source: rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.phpqq1k
Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/azar.php
Source: rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.1667626615.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7754000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php:R
Source: rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpRRDk
Source: rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpZ
Source: rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpi
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpm:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1545825470.0000026DB7754000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464919161.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7754000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phppRfk
Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/dmin.php
Source: rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/e
Source: rundll32.exe, 00000006.00000003.1464919161.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/
Source: rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/)
Source: rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/9
Source: rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/%
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/-
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/1
Source: rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/5
Source: rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/=
Source: rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/A
Source: rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/Y
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1545825470.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464919161.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7785000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php
Source: rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpZ
Source: rundll32.exe, 00000006.00000003.1464919161.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpg
Source: rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpgq
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpl
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpm
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpom:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phps
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpx
Source: rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpzq.km
Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/azar.php4
Source: rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php2
Source: rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php?
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpA
Source: rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpK
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpg
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpl
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpm
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phps
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpx
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/i
Source: rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/u
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_cada1015-9

Source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_afe24321-e

Source: Yara match	File source: 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3696, type: MEMORYSTR

Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000026DB773D9FE NtOpenFile,	6_3_0000026DB773D9FE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000026DB773DACE NtReadFile,	6_3_0000026DB773DACE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000026DB773D98E NtAllocateVirtualMemory,	6_3_0000026DB773D98E
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000026DB773DA6E NtProtectVirtualMemory,	6_3_0000026DB773DA6E
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7874BE0 NtProtectVirtualMemory,	6_2_0000026DB7874BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7874FF0 NtQueueApcThread,	6_2_0000026DB7874FF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7874360 NtCreateThreadEx,	6_2_0000026DB7874360
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB785F3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,	6_2_0000026DB785F3A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7874740 NtFreeVirtualMemory,	6_2_0000026DB7874740
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7857A50 NtSetContextThread,	6_2_0000026DB7857A50
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78745F0 NtDuplicateObject,	6_2_0000026DB78745F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78471B0 NtClose,	6_2_0000026DB78471B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78751C0 NtReadVirtualMemory,	6_2_0000026DB78751C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78555C0 NtClose,NtTerminateThread,	6_2_0000026DB78555C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7858149 NtSetContextThread,	6_2_0000026DB7858149

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\50adaf.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAE8A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF18.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF48.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF68.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{61449C75-AB36-4299-A465-A142FC439D7F}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAFE6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB093.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIAE8A.tmp

Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00846A50	4_2_00846A50
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0087F032	4_2_0087F032
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_008792A9	4_2_008792A9
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0086C2CA	4_2_0086C2CA
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0086E270	4_2_0086E270
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_008784BD	4_2_008784BD
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0086A587	4_2_0086A587
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0087D8D5	4_2_0087D8D5
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0084C870	4_2_0084C870
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0086A915	4_2_0086A915
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00864920	4_2_00864920
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00870A48	4_2_00870A48
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00849CC0	4_2_00849CC0
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00875D6D	4_2_00875D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004AC9C	6_2_000000018004AC9C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003E804	6_2_000000018003E804
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180029010	6_2_0000000180029010
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004B820	6_2_000000018004B820
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180041044	6_2_0000000180041044
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003A050	6_2_000000018003A050
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180017880	6_2_0000000180017880
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004C084	6_2_000000018004C084
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180036160	6_2_0000000180036160
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018004D178	6_2_000000018004D178
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180049280	6_2_0000000180049280
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002A290	6_2_000000018002A290
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180041BE4	6_2_0000000180041BE4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180012C00	6_2_0000000180012C00
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018000B460	6_2_000000018000B460
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018001D4D0	6_2_000000018001D4D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002C4F0	6_2_000000018002C4F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180017540	6_2_0000000180017540
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180043548	6_2_0000000180043548
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180018550	6_2_0000000180018550
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180040580	6_2_0000000180040580
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018000BDA0	6_2_000000018000BDA0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018000A600	6_2_000000018000A600
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180007E50	6_2_0000000180007E50
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180048684	6_2_0000000180048684
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003BEB0	6_2_000000018003BEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180038EF0	6_2_0000000180038EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018002BF20	6_2_000000018002BF20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180044774	6_2_0000000180044774
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB5F429EE	6_2_0000026DB5F429EE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB5F431BE	6_2_0000026DB5F431BE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000273F807BE	6_2_0000000273F807BE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000273F7FFEE	6_2_0000000273F7FFEE
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78555C0	6_2_0000026DB78555C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7871490	6_2_0000026DB7871490
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB785CBE0	6_2_0000026DB785CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7872812	6_2_0000026DB7872812
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7872F60	6_2_0000026DB7872F60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78613A3	6_2_0000026DB78613A3
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7862BB0	6_2_0000026DB7862BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB786FBC0	6_2_0000026DB786FBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB785BED0	6_2_0000026DB785BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78666E0	6_2_0000026DB78666E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB784A730	6_2_0000026DB784A730
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7871F40	6_2_0000026DB7871F40
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78682A0	6_2_0000026DB78682A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78516A0	6_2_0000026DB78516A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78542A0	6_2_0000026DB78542A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78466C0	6_2_0000026DB78466C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78499D0	6_2_0000026DB78499D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB786B5E0	6_2_0000026DB786B5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB78655E0	6_2_0000026DB78655E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7870210	6_2_0000026DB7870210
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7867220	6_2_0000026DB7867220
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7864550	6_2_0000026DB7864550
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7845D60	6_2_0000026DB7845D60
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7854DB0	6_2_0000026DB7854DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB785B4E0	6_2_0000026DB785B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB785A100	6_2_0000026DB785A100
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7849500	6_2_0000026DB7849500
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000026DB7859120	6_2_0000026DB7859120

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSIAE8A.tmp 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD

Source: C:\Windows\Installer\MSIB093.tmp	Code function: String function: 0086325F appears 103 times
Source: C:\Windows\Installer\MSIB093.tmp	Code function: String function: 00863790 appears 39 times
Source: C:\Windows\Installer\MSIB093.tmp	Code function: String function: 00863292 appears 70 times

Source: FW3x3p4eZ5.msi	Binary or memory string: OriginalFilenameviewer.exeF vs FW3x3p4eZ5.msi
Source: FW3x3p4eZ5.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs FW3x3p4eZ5.msi

Source: classification engine

Classification label: mal100.troj.evad.winMSI@11/25@6/2

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_00843860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

4_2_00843860

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_00844BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

4_2_00844BA0

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_008445B0 LoadResource,LockResource,SizeofResource,

4_2_008445B0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB030.tmp

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7868:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFC46AA5768F39BCED.TMP

Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState

Source: FW3x3p4eZ5.msi

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FW3x3p4eZ5.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6180EE345BCC1B006AD84A7E54378DDE
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIB093.tmp "C:\Windows\Installer\MSIB093.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Source: C:\Windows\Installer\MSIB093.tmp	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6180EE345BCC1B006AD84A7E54378DDE	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIB093.tmp "C:\Windows\Installer\MSIB093.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB093.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB093.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB093.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB093.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIB093.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: FW3x3p4eZ5.msi

Static file information: File size 1686016 > 1048576

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000006.00000003.1277366975.0000026DB7741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIB093.tmp, 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmp, MSIB093.tmp, 00000004.00000000.1260001178.0000000000887000.00000002.00000001.01000000.00000003.sdmp, FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIB093.tmp.1.dr, MSIAFE6.tmp.1.dr
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000006.00000003.1273709464.0000026DB78A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000006.00000003.1277366975.0000026DB7741000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000006.00000003.1273709464.0000026DB78A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIB093.tmp, 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmp, MSIB093.tmp, 00000004.00000000.1260001178.0000000000887000.00000002.00000001.01000000.00000003.sdmp, FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIB093.tmp.1.dr, MSIAFE6.tmp.1.dr
Source:	Binary string: E:\w\328b3cc762394cc5\sw\physx\PhysXSDK\2.8.3\RELEASE\bin\win64\PhysXCooking64.pdb source: rundll32.exe, 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmp, vierm_soft_x64.dll.1.dr
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180046A88 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

6_2_0000000180046A88

Source: vierm_soft_x64.dll.1.dr

Static PE information: real checksum: 0x6c167 should be: 0xb2c0a

Source: vierm_soft_x64.dll.1.dr

Static PE information: section name: text

Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0086323C push ecx; ret		4_2_0086324F
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000026DB77000D8 push cs; retf		6_3_0000026DB77000FD

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIB093.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF18.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF48.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF68.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAE8A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB093.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF18.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF48.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF68.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAE8A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB093.tmp	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52654
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52660
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52677
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52683
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52735
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52759
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52765
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52786
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52803
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52807
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52808
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52813
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52815
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52818
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52819
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52823
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52826
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52827
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52829
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52830
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52833
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52834
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52842
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52843
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52845
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52846
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52849
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52850
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52853
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52854
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52857
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52861
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52862
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52870
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52871
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52873
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52874
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 52877

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

6_2_0000026DB7864D00

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 1847			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8067			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAF18.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAF48.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAF68.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\vierm_soft_x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAE8A.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSIB093.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_4-33744
Source: C:\Windows\System32\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_6-39932

Source: C:\Windows\Installer\MSIB093.tmp

API coverage: 6.4 %

Source: C:\Windows\System32\rundll32.exe TID: 3872	Thread sleep count: 1847 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3872	Thread sleep time: -110820000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3872	Thread sleep count: 8067 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3872	Thread sleep time: -484020000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_0087AF79 FindFirstFileExW,

4_2_0087AF79

Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW04w
Source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1545825470.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464919161.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1545825470.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464919161.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@zRk

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_6-39536

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000026DB784CCE0 LdrGetProcedureAddress,

6_2_0000026DB784CCE0

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_0084D0A5 IsDebuggerPresent,OutputDebugStringW,

4_2_0084D0A5

Source: C:\Windows\System32\rundll32.exe

6_2_0000000180046A88

Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00872DCC mov ecx, dword ptr fs:[00000030h]		4_2_00872DCC
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0087AD78 mov eax, dword ptr fs:[00000030h]		4_2_0087AD78

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_00842310 GetProcessHeap,

4_2_00842310

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSIB093.tmp "C:\Windows\Installer\MSIB093.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState

Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_008633A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_008633A8
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_0086353F SetUnhandledExceptionFilter,	4_2_0086353F
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00862968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00862968
Source: C:\Windows\Installer\MSIB093.tmp	Code function: 4_2_00866E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00866E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000000018003E5C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_000000018003E5C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_0000000180042698 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0000000180042698

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041			Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

6_2_0000000273F41380

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: unknown	Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 3696 1

Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_008452F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

4_2_008452F0

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_008635A9 cpuid

4_2_008635A9

Source: C:\Windows\Installer\MSIB093.tmp	Code function: EnumSystemLocalesW,	4_2_0087E0C6
Source: C:\Windows\Installer\MSIB093.tmp	Code function: EnumSystemLocalesW,	4_2_0087E1AC
Source: C:\Windows\Installer\MSIB093.tmp	Code function: EnumSystemLocalesW,	4_2_0087E111
Source: C:\Windows\Installer\MSIB093.tmp	Code function: EnumSystemLocalesW,	4_2_00877132
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0087E237
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetLocaleInfoEx,	4_2_008623F8
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetLocaleInfoW,	4_2_0087E48A
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0087E5B3
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetLocaleInfoW,	4_2_008776AF
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetLocaleInfoW,	4_2_0087E6B9
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0087E788
Source: C:\Windows\Installer\MSIB093.tmp	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	4_2_0087DE24

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_008637D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_008637D5

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000026DB7864D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

6_2_0000026DB7864D00

Source: C:\Windows\Installer\MSIB093.tmp

Code function: 4_2_00877B1F GetTimeZoneInformation,

4_2_00877B1F

Source: C:\Windows\System32\rundll32.exe

Code function: 6_2_0000000180040824 HeapCreate,GetVersion,HeapSetInformation,

6_2_0000000180040824

Source: C:\Windows\Installer\MSIB093.tmp	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Bazar Loader

Source: Yara match	File source: 6.2.rundll32.exe.26db5d90000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26db5f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26db5f00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3722729048.0000026DB5D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BruteRatel

Source: Yara match

File source: Process Memory Space: rundll32.exe PID: 3696, type: MEMORYSTR

Remote Access Functionality

Yara detected Bazar Loader

Source: Yara match	File source: 6.2.rundll32.exe.26db5d90000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26db5f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.26db5f00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3722729048.0000026DB5D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected BruteRatel

Source: Yara match

File source: Process Memory Space: rundll32.exe PID: 3696, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	41 Process Injection	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	34 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FW3x3p4eZ5.msi	61%	ReversingLabs	Win64.Trojan.Maloder

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\vierm_soft_x64.dll	100%	Avira	TR/AVI.Agent.knniq
C:\Users\user\AppData\Roaming\vierm_soft_x64.dll	66%	ReversingLabs	Win64.Trojan.Maloder
C:\Windows\Installer\MSIAE8A.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAF18.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAF48.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAF68.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIB093.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://www.thawte.com/cps0/	0%	URL Reputation	safe
https://www.thawte.com/repository0W	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
greshunka.com	82.115.223.39	true	true	unknown
tiguanin.com	80.78.24.30	true	true	unknown
bazarunet.com	80.78.24.30	true	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://tiguanin.com:8041/bazar.phpm	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phpl	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/=	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/A	rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/A	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phpg	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com/q	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/5	rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com/u	rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/=	rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/admin.phpm:8041/bazar.php	rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phpx	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/admin.phpqq1k	rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpZ	rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.php	rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/%	rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phps	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/i	rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/%	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpg	rundll32.exe, 00000006.00000003.1464919161.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpl	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/u	rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpm	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/Y	rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/admin.phpm:8041/admin.php	rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phpRRDk	rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/M	rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/1	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phps	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpx	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/5	rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/	rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7787000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/bazar.phpA	rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com/	rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpgq	rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/azar.php	rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/admin.php4	rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com/9	rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/-	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phpm:8041/bazar.php	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.php	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1545825470.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464919161.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7785000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/I	rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phpi	rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/dmin.php	rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/	rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpom:8041/bazar.php	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/bazar.php4	rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com/	rundll32.exe, 00000006.00000003.1464919161.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com/)	rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1411755857.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1422957158.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464895069.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/=	rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phpZ	rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/e	rundll32.exe, 00000006.00000003.1545825470.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1505340728.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.php2	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.php	rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/net.com:8041/bazar.phpo	rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/bazar.php	rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/nka.com:8041/admin.php	rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/-	rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phppRfk	rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1545825470.0000026DB7754000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1464919161.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7754000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phpK	rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpzq.km	rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/admin.phpi	rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.thawte.com/cps0/	FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	false	URL Reputation: safe	unknown
https://bazarunet.com:8041/5	rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/admin.php:R	rundll32.exe, 00000006.00000003.1771120220.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/bazar.php:R	rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/Y	rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.thawte.com/repository0W	FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	false	URL Reputation: safe	unknown
https://bazarunet.com/U	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/1	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/azar.php4	rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phpA	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.php?	rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/admin.php	rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.advancedinstaller.com	FW3x3p4eZ5.msi, 50adaf.msi.1.dr, MSIAF68.tmp.1.dr, MSIAF48.tmp.1.dr, MSIB093.tmp.1.dr, MSIAF18.tmp.1.dr, MSIAE8A.tmp.1.dr, MSIAFE6.tmp.1.dr	false		unknown
https://greshunka.com:8041/bazar.php:R	rundll32.exe, 00000006.00000003.1667626615.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1709250280.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1626585844.0000026DB7754000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/admin.php:R	rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/	rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/u	rundll32.exe, 00000006.00000003.1709250280.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1667626615.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1771120220.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/admin.php	rundll32.exe, 00000006.00000003.1832539566.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1878037024.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB776F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1832539566.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2462680784.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2134889042.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3720993389.0000026DB5C88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2308943358.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1930151344.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3724751020.0000026DB7742000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083304345.0000026DB7756000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/i	rundll32.exe, 00000006.00000003.2308943358.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2083412078.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981957405.0000026DB777E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2355933348.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1981824051.0000026DB777D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2377047243.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2387742585.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2135008127.0000026DB7780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2217057148.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2341812553.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2257690389.0000026DB7770000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.115.223.39	greshunka.com	Russian Federation		209821	MIDNET-ASTK-TelecomRU	true
80.78.24.30	tiguanin.com	Cyprus		37560	CYBERDYNELR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547886
Start date and time:	2024-11-03 10:05:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	FW3x3p4eZ5.msi renamed because original name is a hash value
Original Sample Name:	29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@11/25@6/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 38 Number of non-executed functions: 198
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: FW3x3p4eZ5.msi

Simulations

Behavior and APIs

Time	Type	Description
04:06:08	API Interceptor	15106738x Sleep call for process: rundll32.exe modified
05:33:11	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
82.115.223.39	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
80.78.24.30	e664858e8b8ff1ac08f6dd812a68d65d05a704262fa13862538c3c45.vbs	Get hash	malicious	Unknown	Browse	fredlomberhfile.com:2351/lpfdokkq
	s5YgOFFmFK.exe	Get hash	malicious	IcedID	Browse	smockalifatori.com/
	CiMXn78mMb.exe	Get hash	malicious	IcedID	Browse	skayfingertawr.com/
	Scan_06-28_INV__70.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	Scan_06-28_INV__70.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	Scan_06-28_INV__10.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	Scan_06-28_INV__10.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	05387199.exe	Get hash	malicious	IcedID	Browse	shoterqana.com/
	08778399.exe	Get hash	malicious	IcedID	Browse	shoterqana.com/
	Contract_March_23_INV#305.exe	Get hash	malicious	IcedID	Browse	aoureskindzet.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bazarunet.com	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
tiguanin.com	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
greshunka.com	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	82.115.223.39
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	0.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIDNET-ASTK-TelecomRU	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	82.115.223.39
	Document-19-36-27.js	Get hash	malicious	Unknown	Browse	82.115.223.150
	meliwe_gown_x64.dll.dll	Get hash	malicious	Unknown	Browse	82.115.223.150
	Document-19-36-27.js	Get hash	malicious	Unknown	Browse	82.115.223.150
	Document-19-29-20.js	Get hash	malicious	Unknown	Browse	82.115.223.150
	meliwe_gown_x64.dll.dll	Get hash	malicious	Unknown	Browse	82.115.223.150
	BEST.msi	Get hash	malicious	Unknown	Browse	82.115.223.150
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
CYBERDYNELR	PhysXCooking64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSIAE8A.tmp	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse
	Document-14-33-26.js	Get hash	malicious	Unknown	Browse
	net.msi	Get hash	malicious	Unknown	Browse
	Document-14-33-26.js	Get hash	malicious	Unknown	Browse
	1156#U91d1#U5c71#U6bd2#U9738#U79bb#U7ebf#U5b89#U88c5#U5305.msi	Get hash	malicious	Unknown	Browse
	Document-19-36-27.js	Get hash	malicious	Unknown	Browse
	Document-19-36-27.js	Get hash	malicious	Unknown	Browse
	Document-19-29-20.js	Get hash	malicious	Unknown	Browse
	BEST.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\50adb1.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1227
Entropy (8bit):	5.679900187329247
Encrypted:	false
SSDEEP:	24:zOgbJ8yaj/IfTJ68fJvTJtdJgRpUzM4WD4qFP9yWDhiSWzWD4P84WD4uLK:SAuy2/IbI8fRT5ub54nOP5D8SOnP84nt
MD5:	AF030EA6E5BED5E0F11BC0287CED9548
SHA1:	B3F2FB21670D3509C784CC29E5CD623D19A819A3
SHA-256:	4E7539D9B764AF99CC98CFD7DA514B735265652754B53DC01FB7FC4E8DF5EA1C
SHA-512:	259E396F36AF18D80968D4AE46AE9E73D2A61CBA9ECF3A770467D0D59240C4F82EA16F34FA66C7522A2D5107C2B04BF184E512AF7A7A8A369B7AD45110AEA7C8
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@. cY.@.....@.....@.....@.....@.....@......&.{61449C75-AB36-4299-A465-A142FC439D7F}..DiabloSoft..FW3x3p4eZ5.msi.@.....@...+.@.....@........&.{A2F4824E-0932-4220-A5B9-879D3AA09993}.....@.....@.....@.....@.......@.....@.....@.......@......DiabloSoft......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{61449C75-AB36-4299-A465-A142FC439D7F}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{61449C75-AB36-4299-A465-A142FC439D7F}.@......&.{3C2F95B1-2498-4067-A55B-D5C6DDB44F40}&.{61449C75-AB36-4299-A465-A142FC439D7F}.@........CreateFolders..Creating folders..Folder: [1]#.=.C:\Users\user\AppData\Roaming\DiabloSoft LLC\DiabloSoft\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..#.C:\Users\user\AppData\Roaming\....5.C:\Users\user\AppData\Roaming\vierm_soft_x64.dll....WriteRegistryValues..Writing system

C:\Users\user\AppData\Roaming\vierm_soft_x64.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	682496
Entropy (8bit):	7.329646601975181
Encrypted:	false
SSDEEP:	12288:c91cnMmvhqG3zx+zd/RMzDWrii7x4if+H3fFBI:c91cMmvhHzx+z5qW7qiMFe
MD5:	877C8B214D984656143D7576F832D935
SHA1:	26BEDAE9E05AFBFF75EDE2EFC7777A376E362B6A
SHA-256:	28F5E949ECAD3606C430CEA5A34D0F3E7218F239BCFA758A834DCEB649E78ABC
SHA-512:	F07AC6795F4D8DE38AC7F92A5AE308D2BDC30E29CEBDF93B7FDEE958C04BB83B1A28C4E6AC4E6A770B6D207AF2A886CC93028B26E8850327F55391118F2D621A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.p..............4.......4.................z....4..e....4.......4.......4......Rich............PE..d......`..........# ................p...............................................g..........................................................<.......@:...@.. =...2..(&..........P................................................................................text...n........................... ..`.rdata..............................@..@.data....\|.......$..................@....pdata.. =...@...>..................@..@text................................@.. data....0...........................@..@.rsrc...@:.......<... ..............@..@.reloc..T............\..............@..B................................................................................................................................................................................................

C:\Windows\Installer\50adaf.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A2F4824E-0932-4220-A5B9-879D3AA09993}, Number of Words: 10, Subject: DiabloSoft, Author: DiabloSoft LLC, Name of Creating Application: DiabloSoft, Template: ;1033, Comments: This installer database contains the logic and data required to install DiabloSoft., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	1686016
Entropy (8bit):	7.199867025936388
Encrypted:	false
SSDEEP:	49152:gfj3YhW8zBQSc0ZnSKSZKumZr7AlFBBdtM:cYY0ZnQK/AlprM
MD5:	9775CB36162FAB5D8DBE372CD5910BA7
SHA1:	A06D73422ECB931B6B6AE9F2AF5F08F50B3D52DC
SHA-256:	29549B75A198AD3AEE4F8B9EA328BC9A73EB0E0D07E36775438BBE7268D453F9
SHA-512:	42CC3D3746FC416097B7DE340CF1782FEBE957EE45E17B5C368F6509BB5112CFDD808D223283EF424B5EE1AAB0DDDC78562A778F196F7962C3F27839F4F60564
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...G...........................................................................................................................................................................................................................................................................................................................................................<...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...;...?...5...6...7...8...9...:.......=.......>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIAE8A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Document-19-06-38.js, Detection: malicious, Browse Filename: Document-19-06-38.js, Detection: malicious, Browse Filename: Document-14-33-26.js, Detection: malicious, Browse Filename: net.msi, Detection: malicious, Browse Filename: Document-14-33-26.js, Detection: malicious, Browse Filename: 1156#U91d1#U5c71#U6bd2#U9738#U79bb#U7ebf#U5b89#U88c5#U5305.msi, Detection: malicious, Browse Filename: Document-19-36-27.js, Detection: malicious, Browse Filename: Document-19-36-27.js, Detection: malicious, Browse Filename: Document-19-29-20.js, Detection: malicious, Browse Filename: BEST.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIAF18.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIAF48.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIAF68.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIAFE6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401088
Entropy (8bit):	6.591995440193157
Encrypted:	false
SSDEEP:	6144:EMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1U:EMvZx0FlS68zBQSncb4ZPQTpAjZxqO1U
MD5:	EF8A2E8889A65BB656E3E8F215DB774B
SHA1:	24B2EC425DB54A2B9102A958BB8C0C88BDDECC02
SHA-256:	26ACFD30D7B60DC877558681B59125899D130B5EB45C15DA2E5F3A29B8F77FA1
SHA-512:	EC73DFA513D20A2D733A2BF3B8E201A28BB889CB61826473AFD61EDBAC473A2421849940E85F3D1BD1E279C2252A557E50730FED69EA78D211A2B476AACD246B
Malicious:	false
Preview:	...@IXOS.@.....@. cY.@.....@.....@.....@.....@.....@......&.{61449C75-AB36-4299-A465-A142FC439D7F}..DiabloSoft..FW3x3p4eZ5.msi.@.....@...+.@.....@........&.{A2F4824E-0932-4220-A5B9-879D3AA09993}.....@.....@.....@.....@.......@.....@.....@.......@......DiabloSoft......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}=.C:\Users\user\AppData\Roaming\DiabloSoft LLC\DiabloSoft\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}..01:\Software\DiabloSoft LLC\DiabloSoft\Version.@.......@.....@.....@......&.{3C2F95B1-2498-4067-A55B-D5C6DDB44F40}5.C:\Users\user\AppData\Roaming\vierm_soft_x64.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".=.C:\Users\user\AppData\Roaming\DiabloSoft LLC\DiabloSoft\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size

C:\Windows\Installer\MSIB093.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{61449C75-AB36-4299-A465-A142FC439D7F}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.164375326524683
Encrypted:	false
SSDEEP:	12:JSbX72FjzAGiLIlHVRpZh/7777777777777777777777777vDHFh6c/c5A/ait/z:JpQI5tr6cEe/riF
MD5:	72BDF215FB508996366F46C8EDD3A0E2
SHA1:	39F974B17C23FA0597AC22CA8E6BC6C5EFF6C8BB
SHA-256:	0071DF41F4FE77D04A73490276DB9192F5FF9445D81251407A8DD7EC12CF9FFB
SHA-512:	C7239EF68AF773991EB415164AF805271F6DE41A189773653A2489115255FB7A83FF5658AE3F17212F33AC37ED69187CD06EC3AE6365B7596E275CFFB43CA9C8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5545079263525303
Encrypted:	false
SSDEEP:	48:h8Ph0uRc06WXJMnT54Z0scvhYS+h6AE+lCy4tMLhYS+hQTk:8h01vnTGZ0scvhYrhBZlCFiLhYrhF
MD5:	16E4D7244C52E3BA742D1EA211E9B80A
SHA1:	CAA2B80C5708FAB19D8641C7F3DDC369C74299D3
SHA-256:	08C8714CC2552381C4C43A6D102DE1952AE4785C1A529CA6303BC1AEFEA33AA1
SHA-512:	0DED2B784315F4CEBF4CDB194A88963862BFA52C88BC930DE228FC936B024B88A04A6A3CA6747CE6F0F5A5A46AA16371D0F13887E35D5D2697F1B1563D847B19
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.36295622810591
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau5:zTtbmkExhMJCIpEU
MD5:	7BA7ED98846403BA81BAB71766351E19
SHA1:	F6AB5B12E3A4AB9A04A07E6DA07918DF4050560B
SHA-256:	CAE9E53722E6018F808568F1FCCCA04A7DCAACB0E1CF2A36A41E6BDCF0D140DD
SHA-512:	DD0AC8AE9B0FBDAB0C9A06C897EC187DC2177797797C2B05D45CEF6A0E55B632255E4BA6A0F3C186B3F6622653BC221C448E3942D5548714A079EB48EFFB6B0C
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2492596516591328
Encrypted:	false
SSDEEP:	24:QOaqdmuF3r0gw+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVj:FaqdF70gw+AAHdKoqKFxcxkF6gW
MD5:	65C44E5FB259FCCC61FFCAAFDC41D005
SHA1:	70E51C4DAA07DC48043D31343D572C19CEF6AC88
SHA-256:	6D6582207DA4B9CB73B4D0A4A16E60B78B986C8F76E80088DB04450F3FC0F1D0
SHA-512:	01EFAC780FF9E056A6AF9EB52AA26875023C40376D0AE37E46E4C53F8CB0C2FB9D16596030059A8B4657C7BBC0BFE44F23DD876665D5F6D8641AB4B7FC76F0EE
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. N.o.v. .. 0.3. .. 2.0.2.4. .0.5.:.3.3.:.1.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\Temp\~DF00DB0F31828C5AAA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2467944845671939
Encrypted:	false
SSDEEP:	48:bz8uk+M+CFXJjT5QZ0scvhYS+h6AE+lCy4tMLhYS+hQTk:H8V7TuZ0scvhYrhBZlCFiLhYrhF
MD5:	330E014AA57205987F62C8CE2176C95A
SHA1:	78F929CD3FB3FFFD565A24A91E14AFA98629E102
SHA-256:	25C0B9D7CAF6D18F069B1A92B804D913587FBCD83FBE22D804AA7B785E5459B1
SHA-512:	56DC6AE753A21ADD99D1A5739E6F481C1D8EF419A4FE5971C72451A7C5D5F1DF070A7B326132D2A8C33BEEF576DA6C4FFBD652385D3CC8E094FB7287114712D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF33762007915439EB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5545079263525303
Encrypted:	false
SSDEEP:	48:h8Ph0uRc06WXJMnT54Z0scvhYS+h6AE+lCy4tMLhYS+hQTk:8h01vnTGZ0scvhYrhBZlCFiLhYrhF
MD5:	16E4D7244C52E3BA742D1EA211E9B80A
SHA1:	CAA2B80C5708FAB19D8641C7F3DDC369C74299D3
SHA-256:	08C8714CC2552381C4C43A6D102DE1952AE4785C1A529CA6303BC1AEFEA33AA1
SHA-512:	0DED2B784315F4CEBF4CDB194A88963862BFA52C88BC930DE228FC936B024B88A04A6A3CA6747CE6F0F5A5A46AA16371D0F13887E35D5D2697F1B1563D847B19
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4BD044A96DF87FA9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF767176D571D7BACC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9CA22651D5966B01.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2467944845671939
Encrypted:	false
SSDEEP:	48:bz8uk+M+CFXJjT5QZ0scvhYS+h6AE+lCy4tMLhYS+hQTk:H8V7TuZ0scvhYrhBZlCFiLhYrhF
MD5:	330E014AA57205987F62C8CE2176C95A
SHA1:	78F929CD3FB3FFFD565A24A91E14AFA98629E102
SHA-256:	25C0B9D7CAF6D18F069B1A92B804D913587FBCD83FBE22D804AA7B785E5459B1
SHA-512:	56DC6AE753A21ADD99D1A5739E6F481C1D8EF419A4FE5971C72451A7C5D5F1DF070A7B326132D2A8C33BEEF576DA6C4FFBD652385D3CC8E094FB7287114712D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA5945E392E714903.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2467944845671939
Encrypted:	false
SSDEEP:	48:bz8uk+M+CFXJjT5QZ0scvhYS+h6AE+lCy4tMLhYS+hQTk:H8V7TuZ0scvhYrhBZlCFiLhYrhF
MD5:	330E014AA57205987F62C8CE2176C95A
SHA1:	78F929CD3FB3FFFD565A24A91E14AFA98629E102
SHA-256:	25C0B9D7CAF6D18F069B1A92B804D913587FBCD83FBE22D804AA7B785E5459B1
SHA-512:	56DC6AE753A21ADD99D1A5739E6F481C1D8EF419A4FE5971C72451A7C5D5F1DF070A7B326132D2A8C33BEEF576DA6C4FFBD652385D3CC8E094FB7287114712D8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC211493CE9934EEB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC46AA5768F39BCED.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13419099999162537
Encrypted:	false
SSDEEP:	24:Y9ETxQoIeie7ipVQoIeieFQoIeie7ipVQoIeie1AEVQoyjCy4eyVqewGqPDps+0/:IETShYS+hhhYS+h6AE+lCy4tMDsRBZ
MD5:	B5101B7F505BC00DAF2FF2ED4ABE0C69
SHA1:	7C0E78035718BBF2F6B251830E29601F8B3C8437
SHA-256:	3CDD465018FAE22E51C43642775B53ED2341B206EBBA43CBD7E9243504B340E2
SHA-512:	96F95D10141C3BF27E01006C87446C4B5187272B7D269C915B41821CBA2CB0A3B7100B8869DF1F347725EB40228C6E56E0D2C60B4121D415840CF67EEDBC564A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC5FE607B0EB2892E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDCB61CE2D4973152.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5545079263525303
Encrypted:	false
SSDEEP:	48:h8Ph0uRc06WXJMnT54Z0scvhYS+h6AE+lCy4tMLhYS+hQTk:8h01vnTGZ0scvhYrhBZlCFiLhYrhF
MD5:	16E4D7244C52E3BA742D1EA211E9B80A
SHA1:	CAA2B80C5708FAB19D8641C7F3DDC369C74299D3
SHA-256:	08C8714CC2552381C4C43A6D102DE1952AE4785C1A529CA6303BC1AEFEA33AA1
SHA-512:	0DED2B784315F4CEBF4CDB194A88963862BFA52C88BC930DE228FC936B024B88A04A6A3CA6747CE6F0F5A5A46AA16371D0F13887E35D5D2697F1B1563D847B19
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE39D81768B7BFD78.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEC42C18D4F5C6A0D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07143500512385609
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO8gB6c/c5A/RgVky6lit/:2F0i8n0itFzDHFh6c/c5A/tit/
MD5:	4476C289B74056D3F9786CE97497C8D8
SHA1:	BF7347A2EF066D2C4BF267C3093799A80CA41BC9
SHA-256:	B99968F79DA073867A9CB51DA312EE44633151CA97FFE24038B3E03624F3591B
SHA-512:	6067C71C7DEBC6D5F83CFA558984D09A09CEDF387B532C9D1948F678B6A4FA0C7BFC3890DB4BDE908AA291BD64E9F951AC862310AFE7A4ED8EE1A22BBA3B7A5F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {A2F4824E-0932-4220-A5B9-879D3AA09993}, Number of Words: 10, Subject: DiabloSoft, Author: DiabloSoft LLC, Name of Creating Application: DiabloSoft, Template: ;1033, Comments: This installer database contains the logic and data required to install DiabloSoft., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.199867025936388
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	FW3x3p4eZ5.msi
File size:	1'686'016 bytes
MD5:	9775cb36162fab5d8dbe372cd5910ba7
SHA1:	a06d73422ecb931b6b6ae9f2af5f08f50b3d52dc
SHA256:	29549b75a198ad3aee4f8b9ea328bc9a73eb0e0d07e36775438bbe7268d453f9
SHA512:	42cc3d3746fc416097b7de340cf1782febe957ee45e17b5c368f6509bb5112cfdd808d223283ef424b5ee1aab0dddc78562a778f196f7962c3f27839f4f60564
SSDEEP:	49152:gfj3YhW8zBQSc0ZnSKSZKumZr7AlFBBdtM:cYY0ZnQK/AlprM
TLSH:	F275D02273C6C537D96E01303A2AD66B5179FDB70B3140DBA3C8292E9E745C16639FA3
File Content Preview:	........................>.......................................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F...G..............................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-03T10:06:26.050265+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.7	49728	TCP
2024-11-03T10:07:06.891354+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.7	52742	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 10:06:13.738672018 CET	49700	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:13.743813038 CET	8041	49700	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:13.743910074 CET	49700	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:13.765599012 CET	49700	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:13.770823002 CET	8041	49700	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:17.779318094 CET	49700	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:21.862725973 CET	49720	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:21.867505074 CET	8041	49720	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:21.867561102 CET	49720	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:21.867822886 CET	49720	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:21.872622967 CET	8041	49720	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:22.966500998 CET	8041	49720	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:22.966625929 CET	49720	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:22.967571020 CET	49720	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:22.972722054 CET	8041	49720	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:22.972783089 CET	49720	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:22.977215052 CET	49727	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:22.982141018 CET	8041	49727	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:22.982215881 CET	49727	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:22.982527971 CET	49727	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:22.987895012 CET	8041	49727	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:24.069304943 CET	8041	49727	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:24.069379091 CET	49727	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:24.087738991 CET	49727	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:24.093189955 CET	8041	49727	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:24.093254089 CET	49727	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:24.129522085 CET	49734	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:24.134458065 CET	8041	49734	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:24.134531975 CET	49734	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:24.136229038 CET	49734	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:24.141164064 CET	8041	49734	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:24.141216040 CET	49734	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:28.305510044 CET	52563	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:28.310347080 CET	8041	52563	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:28.310446024 CET	52563	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:28.310724974 CET	52563	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:28.315573931 CET	8041	52563	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:32.325822115 CET	52563	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:32.373825073 CET	52584	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:32.378587008 CET	8041	52584	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:32.378663063 CET	52584	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:32.378983021 CET	52584	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:32.383786917 CET	8041	52584	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:36.372936010 CET	52584	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:40.433875084 CET	52620	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:40.438673973 CET	8041	52620	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:40.438744068 CET	52620	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:40.439073086 CET	52620	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:40.443833113 CET	8041	52620	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:44.450644016 CET	52620	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:47.493073940 CET	52654	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:47.497865915 CET	8041	52654	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:47.497967005 CET	52654	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:47.498271942 CET	52654	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:47.502998114 CET	8041	52654	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:48.552615881 CET	8041	52654	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:48.552692890 CET	52654	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:48.553112030 CET	52654	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:48.558553934 CET	8041	52654	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:48.558620930 CET	52654	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:48.565638065 CET	52660	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:48.570523977 CET	8041	52660	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:48.570600033 CET	52660	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:48.570899963 CET	52660	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:48.575773001 CET	8041	52660	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:49.605400085 CET	8041	52660	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:49.605674028 CET	52660	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:49.605907917 CET	52660	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:49.611361980 CET	52666	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:49.612149954 CET	8041	52660	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:49.612205982 CET	52660	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:49.616303921 CET	8041	52666	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:49.616395950 CET	52666	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:49.616503954 CET	52666	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:49.621853113 CET	8041	52666	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:49.621902943 CET	52666	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:51.649341106 CET	52677	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:51.654448986 CET	8041	52677	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:51.654541969 CET	52677	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:51.654819012 CET	52677	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:51.659630060 CET	8041	52677	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:52.714757919 CET	8041	52677	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:52.714853048 CET	52677	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:52.715187073 CET	52677	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:52.720382929 CET	8041	52677	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:52.720438957 CET	52677	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:52.726188898 CET	52683	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:52.731195927 CET	8041	52683	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:52.731275082 CET	52683	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:52.731631994 CET	52683	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:52.736442089 CET	8041	52683	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:53.793876886 CET	8041	52683	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:53.793958902 CET	52683	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:53.827286005 CET	52683	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:53.832524061 CET	8041	52683	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:53.832576990 CET	52683	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:53.832863092 CET	52686	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:53.837732077 CET	8041	52686	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:53.837801933 CET	52686	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:53.837939978 CET	52686	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:53.843548059 CET	8041	52686	80.78.24.30	192.168.2.7
Nov 3, 2024 10:06:53.843599081 CET	52686	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:06:54.883238077 CET	52691	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:54.888292074 CET	8041	52691	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:54.888437033 CET	52691	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:54.888916016 CET	52691	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:06:54.893755913 CET	8041	52691	82.115.223.39	192.168.2.7
Nov 3, 2024 10:06:58.904066086 CET	52691	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:03.975923061 CET	52735	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:03.980979919 CET	8041	52735	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:03.981081009 CET	52735	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:03.981404066 CET	52735	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:03.986648083 CET	8041	52735	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:05.043632030 CET	8041	52735	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:05.043747902 CET	52735	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:05.044130087 CET	52735	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:05.049611092 CET	8041	52735	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:05.049669981 CET	52735	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:05.054632902 CET	52741	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:05.060323954 CET	8041	52741	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:05.060442924 CET	52741	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:05.061310053 CET	52741	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:05.066137075 CET	8041	52741	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:06.115415096 CET	8041	52741	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:06.115518093 CET	52741	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:06.279140949 CET	52741	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:06.283987045 CET	8041	52741	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:06.307812929 CET	52748	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:06.312747002 CET	8041	52748	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:06.312838078 CET	52748	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:06.314456940 CET	52748	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:06.319344997 CET	8041	52748	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:06.319410086 CET	52748	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:08.507388115 CET	52759	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:08.512482882 CET	8041	52759	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:08.512671947 CET	52759	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:08.513537884 CET	52759	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:08.518322945 CET	8041	52759	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:09.593652964 CET	8041	52759	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:09.593733072 CET	52759	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:09.594072104 CET	52759	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:09.599473953 CET	8041	52759	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:09.599530935 CET	52759	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:09.605840921 CET	52765	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:09.610646963 CET	8041	52765	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:09.610730886 CET	52765	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:09.610995054 CET	52765	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:09.615966082 CET	8041	52765	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:10.684716940 CET	8041	52765	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:10.685270071 CET	52765	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:10.685983896 CET	52765	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:10.689873934 CET	52771	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:10.691348076 CET	8041	52765	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:10.691406965 CET	52765	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:10.694664001 CET	8041	52771	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:10.694751024 CET	52771	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:10.694941998 CET	52771	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:10.699742079 CET	8041	52771	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:10.700129032 CET	8041	52771	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:10.700252056 CET	52771	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:13.743951082 CET	52786	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:13.750133991 CET	8041	52786	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:13.750214100 CET	52786	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:13.750834942 CET	52786	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:13.755739927 CET	8041	52786	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:14.805258989 CET	8041	52786	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:14.805327892 CET	52786	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:14.805587053 CET	52786	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:14.811343908 CET	8041	52786	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:14.811425924 CET	52786	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:14.818254948 CET	52792	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:14.824163914 CET	8041	52792	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:14.824238062 CET	52792	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:14.824543953 CET	52792	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:14.830504894 CET	8041	52792	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:15.870848894 CET	8041	52792	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:15.870969057 CET	52792	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:15.871073008 CET	52792	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:15.873020887 CET	52796	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:15.876386881 CET	8041	52792	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:15.878624916 CET	8041	52796	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:15.878695965 CET	52796	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:15.878801107 CET	52796	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:15.883795977 CET	8041	52796	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:15.884676933 CET	8041	52796	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:15.884726048 CET	52796	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:18.903171062 CET	52803	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:18.909086943 CET	8041	52803	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:18.909181118 CET	52803	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:18.909449100 CET	52803	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:18.914499998 CET	8041	52803	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:19.972450972 CET	8041	52803	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:19.972532988 CET	52803	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:19.972837925 CET	52803	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:19.978311062 CET	8041	52803	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:19.978364944 CET	52803	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:19.992351055 CET	52804	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:19.997360945 CET	8041	52804	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:19.997446060 CET	52804	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:19.998739004 CET	52804	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:20.004203081 CET	8041	52804	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:21.046464920 CET	8041	52804	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:21.046551943 CET	52804	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:21.046669006 CET	52804	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:21.048362970 CET	52805	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:21.051424026 CET	8041	52804	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:21.053195000 CET	8041	52805	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:21.053267956 CET	52805	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:21.053364992 CET	52805	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:21.058862925 CET	8041	52805	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:21.058921099 CET	52805	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:26.110295057 CET	52806	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:26.115411043 CET	8041	52806	82.115.223.39	192.168.2.7
Nov 3, 2024 10:07:26.115652084 CET	52806	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:26.115982056 CET	52806	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:26.121047020 CET	8041	52806	82.115.223.39	192.168.2.7
Nov 3, 2024 10:07:30.122730017 CET	52806	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:34.184083939 CET	52807	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:34.189095974 CET	8041	52807	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:34.191342115 CET	52807	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:34.192097902 CET	52807	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:34.196856976 CET	8041	52807	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:35.278682947 CET	8041	52807	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:35.278815031 CET	52807	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:35.279263973 CET	52807	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:35.284722090 CET	8041	52807	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:35.284799099 CET	52807	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:35.300224066 CET	52808	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:35.305073977 CET	8041	52808	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:35.305161953 CET	52808	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:35.305604935 CET	52808	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:35.310585022 CET	8041	52808	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:36.368999004 CET	8041	52808	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:36.372198105 CET	52808	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:36.373173952 CET	52808	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:36.378458023 CET	8041	52808	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:36.378555059 CET	52808	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:36.388077021 CET	52809	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:36.393264055 CET	8041	52809	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:36.396189928 CET	52809	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:36.396302938 CET	52809	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:36.402118921 CET	8041	52809	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:36.402205944 CET	52809	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:39.494683981 CET	52810	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:39.499773979 CET	8041	52810	82.115.223.39	192.168.2.7
Nov 3, 2024 10:07:39.499865055 CET	52810	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:39.501986027 CET	52810	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:39.507797003 CET	8041	52810	82.115.223.39	192.168.2.7
Nov 3, 2024 10:07:43.497733116 CET	52810	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:43.553683043 CET	52811	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:43.558712006 CET	8041	52811	82.115.223.39	192.168.2.7
Nov 3, 2024 10:07:43.558790922 CET	52811	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:43.559220076 CET	52811	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:43.564040899 CET	8041	52811	82.115.223.39	192.168.2.7
Nov 3, 2024 10:07:47.560997009 CET	52811	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:07:51.605937004 CET	52812	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:51.610845089 CET	8041	52812	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:51.610917091 CET	52812	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:51.611363888 CET	52812	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:51.616295099 CET	8041	52812	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:52.684925079 CET	8041	52812	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:52.686717987 CET	52812	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:52.688435078 CET	52812	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:52.693197966 CET	8041	52812	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:52.765014887 CET	52813	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:52.769915104 CET	8041	52813	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:52.772491932 CET	52813	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:52.772491932 CET	52813	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:52.777326107 CET	8041	52813	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:53.834836006 CET	8041	52813	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:53.834897995 CET	52813	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:53.835299969 CET	52813	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:53.839199066 CET	52814	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:53.840492010 CET	8041	52813	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:53.840538979 CET	52813	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:53.844304085 CET	8041	52814	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:53.844372034 CET	52814	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:53.844530106 CET	52814	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:53.849764109 CET	8041	52814	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:53.849813938 CET	52814	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:54.904112101 CET	52815	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:54.911472082 CET	8041	52815	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:54.911607027 CET	52815	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:54.916115046 CET	52815	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:54.922496080 CET	8041	52815	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:55.970566988 CET	8041	52815	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:55.970643044 CET	52815	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:55.971076965 CET	52815	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:55.976511002 CET	8041	52815	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:55.976561069 CET	52815	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:56.000116110 CET	52816	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:56.008960962 CET	8041	52816	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:56.012281895 CET	52816	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:56.016125917 CET	52816	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:56.026907921 CET	8041	52816	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:57.360166073 CET	8041	52816	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:57.360299110 CET	52816	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:57.360323906 CET	52816	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:57.360425949 CET	8041	52816	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:57.360465050 CET	52816	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:57.362634897 CET	52817	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:57.365235090 CET	8041	52816	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:57.385251999 CET	8041	52817	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:57.385333061 CET	52817	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:57.385489941 CET	52817	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:57.394723892 CET	8041	52817	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:57.394772053 CET	52817	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:58.435364008 CET	52818	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:58.440371037 CET	8041	52818	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:58.444375992 CET	52818	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:58.448131084 CET	52818	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:58.452899933 CET	8041	52818	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:59.496470928 CET	8041	52818	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:59.496539116 CET	52818	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:59.496928930 CET	52818	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:59.501997948 CET	8041	52818	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:59.502053976 CET	52818	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:59.512890100 CET	52819	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:59.517736912 CET	8041	52819	80.78.24.30	192.168.2.7
Nov 3, 2024 10:07:59.517817020 CET	52819	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:59.518183947 CET	52819	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:07:59.523519993 CET	8041	52819	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:00.565409899 CET	8041	52819	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:00.566618919 CET	52819	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:00.568388939 CET	52819	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:00.573781013 CET	8041	52819	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:00.573884964 CET	52819	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:00.662265062 CET	52820	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:00.667176962 CET	8041	52820	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:00.668930054 CET	52820	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:00.669090033 CET	52820	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:00.674374104 CET	8041	52820	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:00.674474955 CET	52820	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:04.050545931 CET	52821	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:04.055603981 CET	8041	52821	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:04.056233883 CET	52821	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:04.060126066 CET	52821	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:04.065326929 CET	8041	52821	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:08.061500072 CET	52821	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:13.199563026 CET	52822	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:13.204562902 CET	8041	52822	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:13.204637051 CET	52822	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:13.205091953 CET	52822	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:13.210079908 CET	8041	52822	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:17.216671944 CET	52822	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:21.266938925 CET	52823	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:21.272030115 CET	8041	52823	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:21.272103071 CET	52823	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:21.272648096 CET	52823	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:21.277430058 CET	8041	52823	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:22.322490931 CET	8041	52823	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:22.328242064 CET	52823	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:22.328584909 CET	52823	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:22.333652020 CET	8041	52823	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:22.334255934 CET	52823	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:22.352159023 CET	52824	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:22.357033968 CET	8041	52824	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:22.358295918 CET	52824	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:22.358694077 CET	52824	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:22.363440037 CET	8041	52824	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:23.422244072 CET	8041	52824	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:23.422307968 CET	52824	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:23.422497034 CET	52824	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:23.424499035 CET	52825	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:23.429522038 CET	8041	52824	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:23.431901932 CET	8041	52825	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:23.431967020 CET	52825	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:23.432102919 CET	52825	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:23.437206030 CET	8041	52825	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:23.437242985 CET	52825	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:27.481477022 CET	52826	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:27.486469030 CET	8041	52826	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:27.486547947 CET	52826	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:27.486969948 CET	52826	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:27.491789103 CET	8041	52826	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:28.537070990 CET	8041	52826	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:28.537219048 CET	52826	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:28.537544966 CET	52826	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:28.543046951 CET	8041	52826	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:28.543165922 CET	52826	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:28.548167944 CET	52827	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:28.553033113 CET	8041	52827	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:28.553174973 CET	52827	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:28.553580999 CET	52827	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:28.558393955 CET	8041	52827	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:29.644120932 CET	8041	52827	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:29.644186974 CET	52827	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:29.644747972 CET	52827	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:29.649429083 CET	52828	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:29.650155067 CET	8041	52827	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:29.650204897 CET	52827	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:29.654278994 CET	8041	52828	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:29.654360056 CET	52828	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:29.655945063 CET	52828	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:29.660795927 CET	8041	52828	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:29.660837889 CET	52828	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:34.732182980 CET	52829	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:34.737155914 CET	8041	52829	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:34.740710020 CET	52829	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:34.740710020 CET	52829	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:34.745588064 CET	8041	52829	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:35.797190905 CET	8041	52829	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:35.797251940 CET	52829	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:35.843444109 CET	52829	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:35.848278046 CET	52830	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:35.848664045 CET	8041	52829	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:35.848711967 CET	52829	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:35.853158951 CET	8041	52830	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:35.853251934 CET	52830	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:35.878453016 CET	52830	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:35.883256912 CET	8041	52830	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:36.934233904 CET	8041	52830	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:36.934319973 CET	52830	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:36.934746981 CET	52830	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:36.939893961 CET	8041	52830	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:36.939960957 CET	52830	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:36.950397968 CET	52831	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:36.955224991 CET	8041	52831	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:36.955326080 CET	52831	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:36.955488920 CET	52831	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:36.960701942 CET	8041	52831	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:36.960776091 CET	52831	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:39.367681026 CET	52832	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:39.372602940 CET	8041	52832	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:39.372678041 CET	52832	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:39.373282909 CET	52832	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:39.378027916 CET	8041	52832	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:43.373617887 CET	52832	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:43.415951967 CET	52833	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:43.420881033 CET	8041	52833	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:43.420953035 CET	52833	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:43.421349049 CET	52833	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:43.426179886 CET	8041	52833	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:44.476474047 CET	8041	52833	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:44.476670027 CET	52833	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:44.476957083 CET	52833	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:44.477627993 CET	52834	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:44.482600927 CET	8041	52833	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:44.482614994 CET	8041	52834	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:44.482708931 CET	52833	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:44.482708931 CET	52834	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:44.483056068 CET	52834	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:44.487848043 CET	8041	52834	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:45.548168898 CET	8041	52834	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:45.548228025 CET	52834	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:45.548639059 CET	52834	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:45.549127102 CET	52835	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:45.553776979 CET	8041	52834	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:45.553822994 CET	52834	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:45.554079056 CET	8041	52835	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:45.554224014 CET	52835	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:45.554255009 CET	52835	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:45.559541941 CET	8041	52835	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:45.559593916 CET	52835	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:49.605990887 CET	52842	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:49.610991001 CET	8041	52842	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:49.611063957 CET	52842	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:49.611466885 CET	52842	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:49.616375923 CET	8041	52842	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:50.675945044 CET	8041	52842	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:50.676059961 CET	52842	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:50.676851988 CET	52842	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:50.676855087 CET	52843	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:50.681802988 CET	8041	52843	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:50.682310104 CET	8041	52842	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:50.684284925 CET	52842	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:50.684283972 CET	52843	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:50.684535027 CET	52843	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:50.690361023 CET	8041	52843	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:51.733030081 CET	8041	52843	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:51.733093023 CET	52843	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.733629942 CET	52843	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.734163046 CET	52844	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.739124060 CET	8041	52844	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:51.739136934 CET	8041	52843	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:51.739187956 CET	52844	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.739214897 CET	52843	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.739413977 CET	52844	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.744652033 CET	8041	52844	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:51.744698048 CET	52844	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.783256054 CET	52845	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.788429976 CET	8041	52845	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:51.788495064 CET	52845	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.788964033 CET	52845	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:51.793900013 CET	8041	52845	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:52.858308077 CET	8041	52845	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:52.862442970 CET	52845	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:52.863204002 CET	52846	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:52.863204956 CET	52845	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:52.868706942 CET	8041	52846	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:52.868993998 CET	8041	52845	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:52.870771885 CET	52845	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:52.870773077 CET	52846	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:52.871064901 CET	52846	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:52.875886917 CET	8041	52846	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:53.928133965 CET	8041	52846	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:53.928180933 CET	52846	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:53.928561926 CET	52846	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:53.929152012 CET	52847	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:53.933702946 CET	8041	52846	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:53.933758974 CET	52846	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:53.933967113 CET	8041	52847	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:53.934041023 CET	52847	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:53.934181929 CET	52847	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:53.939634085 CET	8041	52847	80.78.24.30	192.168.2.7
Nov 3, 2024 10:08:53.939694881 CET	52847	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:08:54.318404913 CET	52848	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:54.323240042 CET	8041	52848	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:54.323349953 CET	52848	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:54.323762894 CET	52848	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:08:54.328568935 CET	8041	52848	82.115.223.39	192.168.2.7
Nov 3, 2024 10:08:58.310787916 CET	52848	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:00.393449068 CET	52849	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:00.398340940 CET	8041	52849	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:00.398405075 CET	52849	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:00.401638031 CET	52849	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:00.406449080 CET	8041	52849	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:01.455538034 CET	8041	52849	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:01.455615044 CET	52849	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:01.455961943 CET	52849	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:01.460230112 CET	52850	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:01.461213112 CET	8041	52849	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:01.464287043 CET	52849	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:01.465217113 CET	8041	52850	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:01.465332031 CET	52850	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:01.465635061 CET	52850	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:01.470822096 CET	8041	52850	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:02.534945965 CET	8041	52850	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:02.535012960 CET	52850	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:02.535490990 CET	52850	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:02.536154032 CET	52851	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:02.540626049 CET	8041	52850	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:02.540671110 CET	52850	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:02.540960073 CET	8041	52851	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:02.541021109 CET	52851	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:02.541172981 CET	52851	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:02.546211958 CET	8041	52851	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:02.546262026 CET	52851	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:05.634290934 CET	52852	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:05.639786005 CET	8041	52852	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:05.646245003 CET	52852	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:05.669130087 CET	52852	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:05.674096107 CET	8041	52852	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:09.670387983 CET	52852	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:14.728760958 CET	52853	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:14.733781099 CET	8041	52853	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:14.733860970 CET	52853	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:14.734262943 CET	52853	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:14.739121914 CET	8041	52853	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:15.804191113 CET	8041	52853	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:15.804300070 CET	52853	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:15.804711103 CET	52853	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:15.810286045 CET	52854	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:15.810308933 CET	8041	52853	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:15.810393095 CET	52853	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:15.815186024 CET	8041	52854	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:15.815274000 CET	52854	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:15.815623045 CET	52854	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:15.820465088 CET	8041	52854	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:16.878889084 CET	8041	52854	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:16.878958941 CET	52854	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:16.897547007 CET	52854	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:16.902947903 CET	8041	52854	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:16.904757977 CET	52854	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:16.991600990 CET	52855	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:16.996579885 CET	8041	52855	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:16.996650934 CET	52855	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:17.057885885 CET	52855	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:17.062876940 CET	8041	52855	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:17.062931061 CET	52855	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:18.148329020 CET	52856	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:18.153204918 CET	8041	52856	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:18.153276920 CET	52856	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:18.153666019 CET	52856	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:18.158468008 CET	8041	52856	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:19.209688902 CET	8041	52856	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:19.212308884 CET	52856	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:19.212599039 CET	52856	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:19.214658022 CET	52857	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:19.217366934 CET	8041	52856	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:19.219580889 CET	8041	52857	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:19.219691038 CET	52857	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:19.220109940 CET	52857	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:19.224904060 CET	8041	52857	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:20.309556007 CET	8041	52857	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:20.309638977 CET	52857	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.310086012 CET	52857	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.315200090 CET	52858	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.315412045 CET	8041	52857	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:20.315466881 CET	52857	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.320204020 CET	8041	52858	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:20.320269108 CET	52858	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.320437908 CET	52858	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.325613022 CET	8041	52858	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:20.325663090 CET	52858	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:20.367705107 CET	52859	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:20.372658014 CET	8041	52859	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:20.372735023 CET	52859	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:20.373552084 CET	52859	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:20.378367901 CET	8041	52859	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:24.389369011 CET	52859	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:24.435034990 CET	52860	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:24.439992905 CET	8041	52860	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:24.440064907 CET	52860	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:24.440567970 CET	52860	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:24.445317984 CET	8041	52860	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:28.451963902 CET	52860	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:30.532454014 CET	52861	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:30.537352085 CET	8041	52861	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:30.537424088 CET	52861	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:30.537789106 CET	52861	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:30.542529106 CET	8041	52861	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:31.595293999 CET	8041	52861	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:31.595403910 CET	52861	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:31.596218109 CET	52861	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:31.596230984 CET	52862	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:31.601013899 CET	8041	52862	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:31.601510048 CET	52862	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:31.601838112 CET	52862	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:31.602706909 CET	8041	52861	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:31.602906942 CET	52861	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:31.606568098 CET	8041	52862	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:32.655832052 CET	8041	52862	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:32.655932903 CET	52862	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:32.656337976 CET	52862	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:32.656914949 CET	52863	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:32.661880016 CET	8041	52862	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:32.661933899 CET	52862	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:32.662017107 CET	8041	52863	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:32.662081003 CET	52863	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:32.662199020 CET	52863	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:32.667402983 CET	8041	52863	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:32.667443991 CET	52863	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:34.700375080 CET	52864	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:34.706944942 CET	8041	52864	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:34.707020998 CET	52864	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:34.707647085 CET	52864	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:34.713217974 CET	8041	52864	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:35.754441023 CET	8041	52864	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:35.755589008 CET	52864	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:35.755697012 CET	52864	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:35.758613110 CET	52865	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:35.760440111 CET	8041	52864	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:35.763422012 CET	8041	52865	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:35.763566971 CET	52865	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:35.764292002 CET	52865	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:35.769032955 CET	8041	52865	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:36.826952934 CET	8041	52865	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:36.827030897 CET	52865	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:36.827204943 CET	52865	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:36.828027010 CET	52866	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:36.831989050 CET	8041	52865	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:36.832838058 CET	8041	52866	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:36.832912922 CET	52866	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:36.833080053 CET	52866	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:36.838171959 CET	8041	52866	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:36.838224888 CET	52866	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:36.875703096 CET	52867	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:36.881340027 CET	8041	52867	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:36.881411076 CET	52867	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:36.881820917 CET	52867	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:36.887427092 CET	8041	52867	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:44.701036930 CET	8041	52867	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:44.701112032 CET	52867	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:44.701203108 CET	52867	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:44.702296972 CET	52868	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:44.705952883 CET	8041	52867	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:44.707106113 CET	8041	52868	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:44.707164049 CET	52868	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:44.707549095 CET	52868	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:44.712377071 CET	8041	52868	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:52.325241089 CET	8041	52868	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:52.325304031 CET	52868	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:52.325391054 CET	52868	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:52.325967073 CET	52869	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:52.330138922 CET	8041	52868	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:52.330759048 CET	8041	52869	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:52.330821991 CET	52869	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:52.330960989 CET	52869	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:52.335901976 CET	8041	52869	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:52.336199045 CET	8041	52869	82.115.223.39	192.168.2.7
Nov 3, 2024 10:09:52.336245060 CET	52869	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:09:57.384737015 CET	52870	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:58.096555948 CET	8041	52870	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:58.100877047 CET	52870	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:58.100877047 CET	52870	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:58.105747938 CET	8041	52870	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:59.207357883 CET	8041	52870	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:59.207437038 CET	52870	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:59.207889080 CET	52870	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:59.208405972 CET	52871	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:59.212944984 CET	8041	52870	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:59.213005066 CET	52870	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:59.213237047 CET	8041	52871	80.78.24.30	192.168.2.7
Nov 3, 2024 10:09:59.213305950 CET	52871	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:59.213639021 CET	52871	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:09:59.218410015 CET	8041	52871	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:00.262046099 CET	8041	52871	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:00.262109995 CET	52871	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.262605906 CET	52871	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.263191938 CET	52872	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.267936945 CET	8041	52871	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:00.268028021 CET	52871	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.268037081 CET	8041	52872	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:00.268104076 CET	52872	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.268352032 CET	52872	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.273938894 CET	8041	52872	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:00.273988962 CET	52872	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.572264910 CET	52873	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.577217102 CET	8041	52873	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:00.577280998 CET	52873	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.584614992 CET	52873	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:00.589490891 CET	8041	52873	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:01.634610891 CET	8041	52873	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:01.634793997 CET	52873	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:01.635247946 CET	52873	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:01.635682106 CET	52874	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:01.640686989 CET	8041	52873	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:01.640698910 CET	8041	52874	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:01.640775919 CET	52873	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:01.640779972 CET	52874	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:01.641062975 CET	52874	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:01.645796061 CET	8041	52874	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:02.692275047 CET	8041	52874	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:02.692327976 CET	52874	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:02.692730904 CET	52874	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:02.693406105 CET	52875	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:02.698285103 CET	8041	52875	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:02.698332071 CET	8041	52874	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:02.698349953 CET	52875	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:02.698374987 CET	52874	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:02.699600935 CET	52875	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:02.704758883 CET	8041	52875	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:02.704804897 CET	52875	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:04.761392117 CET	52876	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:04.766442060 CET	8041	52876	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:04.766505003 CET	52876	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:04.766988039 CET	52876	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:04.771886110 CET	8041	52876	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:05.825340986 CET	8041	52876	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:05.828422070 CET	52876	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:05.834940910 CET	52876	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:05.839704037 CET	8041	52876	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:05.842365026 CET	52877	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:05.847174883 CET	8041	52877	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:05.849611044 CET	52877	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:05.853013992 CET	52877	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:05.857842922 CET	8041	52877	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:06.896497011 CET	8041	52877	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:06.896934986 CET	52877	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:06.897284031 CET	52877	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:06.897861004 CET	52878	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:06.902467012 CET	8041	52877	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:06.902514935 CET	52877	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:06.902935982 CET	8041	52878	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:06.903003931 CET	52878	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:06.903098106 CET	52878	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:06.908456087 CET	8041	52878	80.78.24.30	192.168.2.7
Nov 3, 2024 10:10:06.908499956 CET	52878	8041	192.168.2.7	80.78.24.30
Nov 3, 2024 10:10:11.947423935 CET	52879	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:10:11.952390909 CET	8041	52879	82.115.223.39	192.168.2.7
Nov 3, 2024 10:10:11.956435919 CET	52879	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:10:11.956756115 CET	52879	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:10:11.961545944 CET	8041	52879	82.115.223.39	192.168.2.7
Nov 3, 2024 10:10:19.580636978 CET	8041	52879	82.115.223.39	192.168.2.7
Nov 3, 2024 10:10:19.580749989 CET	52879	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:10:19.580823898 CET	52879	8041	192.168.2.7	82.115.223.39
Nov 3, 2024 10:10:19.585686922 CET	8041	52879	82.115.223.39	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 10:06:13.275197983 CET	64403	53	192.168.2.7	1.1.1.1
Nov 3, 2024 10:06:13.731815100 CET	53	64403	1.1.1.1	192.168.2.7
Nov 3, 2024 10:06:21.846015930 CET	56192	53	192.168.2.7	1.1.1.1
Nov 3, 2024 10:06:21.861897945 CET	53	56192	1.1.1.1	192.168.2.7
Nov 3, 2024 10:06:28.207360029 CET	53	49341	1.1.1.1	192.168.2.7
Nov 3, 2024 10:07:03.950201035 CET	58767	53	192.168.2.7	1.1.1.1
Nov 3, 2024 10:07:03.974859953 CET	53	58767	1.1.1.1	192.168.2.7
Nov 3, 2024 10:08:03.717464924 CET	61420	53	192.168.2.7	1.1.1.1
Nov 3, 2024 10:08:04.049407959 CET	53	61420	1.1.1.1	192.168.2.7
Nov 3, 2024 10:08:39.033509970 CET	56656	53	192.168.2.7	1.1.1.1
Nov 3, 2024 10:08:39.366307020 CET	53	56656	1.1.1.1	192.168.2.7
Nov 3, 2024 10:08:53.974751949 CET	56300	53	192.168.2.7	1.1.1.1
Nov 3, 2024 10:08:54.317284107 CET	53	56300	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2024 10:06:13.275197983 CET	192.168.2.7	1.1.1.1	0x5f68	Standard query (0)	greshunka.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:06:21.846015930 CET	192.168.2.7	1.1.1.1	0xfe13	Standard query (0)	tiguanin.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:07:03.950201035 CET	192.168.2.7	1.1.1.1	0xccd3	Standard query (0)	bazarunet.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:08:03.717464924 CET	192.168.2.7	1.1.1.1	0xa0ab	Standard query (0)	greshunka.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:08:39.033509970 CET	192.168.2.7	1.1.1.1	0xfe16	Standard query (0)	greshunka.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:08:53.974751949 CET	192.168.2.7	1.1.1.1	0x9c36	Standard query (0)	greshunka.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 3, 2024 10:06:13.731815100 CET	1.1.1.1	192.168.2.7	0x5f68	No error (0)	greshunka.com	82.115.223.39	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:06:21.861897945 CET	1.1.1.1	192.168.2.7	0xfe13	No error (0)	tiguanin.com	80.78.24.30	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:07:03.974859953 CET	1.1.1.1	192.168.2.7	0xccd3	No error (0)	bazarunet.com	80.78.24.30	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:08:04.049407959 CET	1.1.1.1	192.168.2.7	0xa0ab	No error (0)	greshunka.com	82.115.223.39	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:08:39.366307020 CET	1.1.1.1	192.168.2.7	0xfe16	No error (0)	greshunka.com	82.115.223.39	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:08:54.317284107 CET	1.1.1.1	192.168.2.7	0x9c36	No error (0)	greshunka.com	82.115.223.39	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49720	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:06:22.966500998 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49727	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:06:24.069304943 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	52654	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:06:48.552615881 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	52660	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:06:49.605400085 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	52677	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:06:52.714757919 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	52683	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:06:53.793876886 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	52735	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:05.043632030 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	52759	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:09.593652964 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	52765	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:10.684716940 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	52786	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:14.805258989 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	52803	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:19.972450972 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	52807	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:35.278682947 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	52808	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:36.368999004 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	52813	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:53.834836006 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	52815	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:55.970566988 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	52818	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:07:59.496470928 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	52819	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:00.565409899 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	52823	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:22.322490931 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	52826	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:28.537070990 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	52827	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:29.644120932 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	52829	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:35.797190905 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	52830	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:36.934233904 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	52833	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:44.476474047 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	52834	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:45.548168898 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	52842	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:50.675945044 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	52843	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:51.733030081 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	52845	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:52.858308077 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	52846	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:08:53.928133965 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	52849	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:01.455538034 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	52850	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:02.534945965 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	52853	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:15.804191113 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	52854	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:16.878889084 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	52857	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:20.309556007 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	52861	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:31.595293999 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	52862	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:32.655832052 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	52870	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:09:59.207357883 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	52871	80.78.24.30	8041	3696	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:10:00.262046099 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port
37	192.168.2.7	52873	80.78.24.30	8041

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:10:01.634610891 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.7	52874	80.78.24.30	8041

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:10:02.692275047 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.7	52877	80.78.24.30	8041

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:10:06.896497011 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Target ID:	0
Start time:	04:06:05
Start date:	03/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FW3x3p4eZ5.msi"
Imagebase:	0x7ff617f10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:06:05
Start date:	03/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff617f10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:06:06
Start date:	03/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 6180EE345BCC1B006AD84A7E54378DDE
Imagebase:	0xa80000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:06:06
Start date:	03/11/2024
Path:	C:\Windows\Installer\MSIB093.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSIB093.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Imagebase:	0x840000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:06:06
Start date:	03/11/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Imagebase:	0xdb0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	04:06:07
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
Imagebase:	0x7ff6da9f0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000006.00000002.3722729048.0000026DB5D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000003.1274378196.0000026DB78AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	05:33:11
Start date:	03/11/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff6ff520000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:33:11
Start date:	03/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.3%
Total number of Nodes:	389
Total number of Limit Nodes:	10

Executed Functions

Function 00844BA0 Relevance: 36.5, APIs: 24, Instructions: 502
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008457C0: GetCurrentProcess.KERNEL32(00000008,?,50FA5EA3,?,-00000010), ref: 008457D0
Part of subcall function 008457C0: OpenProcessToken.ADVAPI32(00000000), ref: 008457D7

CoInitialize.OLE32(00000000), ref: 00844C15
CoCreateInstance.OLE32(008872B0,00000000,00000004,00895104,00000000,?), ref: 00844C45
CoUninitialize.COMBASE ref: 00845187
_com_issue_error.COMSUPP ref: 008451B5

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
String ID:
API String ID: 928366108-0
Opcode ID: 0ed116d14df4137cc41f48f40701a224b4de2655159f48709c2b1269ac341e15
Instruction ID: dc9cf47b64f468fe95228662239b36726015b642527e43aec2f7b8d2e5958d7e
Opcode Fuzzy Hash: 0ed116d14df4137cc41f48f40701a224b4de2655159f48709c2b1269ac341e15
Instruction Fuzzy Hash: 83227D70A0478CDFEB11CFA8C948BADBBB4FF55308F248199E405EB282D7759A45CB51

Function 00846A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00846AC8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00846AD5
CloseHandle.KERNEL32(00000000), ref: 00846AF5

Strings

S-1-5-18, xrefs: 00846B69

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: S-1-5-18
API String ID: 4052875653-4289277601
Opcode ID: 58e1a3f129f1b57c06ea9a3453feb2e5abb0a7fb865989a206d94a84bd2dfcf3
Instruction ID: 298a7f300546990ec7f6b427a802eaef7b4a300dccad213d67984599b38fdf3a
Opcode Fuzzy Hash: 58e1a3f129f1b57c06ea9a3453feb2e5abb0a7fb865989a206d94a84bd2dfcf3
Instruction Fuzzy Hash: 44029D7090125D8FDF14DFA8C9547AEBBB5FF06314F148258E842EB285EB34AE05CB92

Function 008457C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,50FA5EA3,?,-00000010), ref: 008457D0
OpenProcessToken.ADVAPI32(00000000), ref: 008457D7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0084580C
CloseHandle.KERNEL32(?), ref: 00845822

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 78b0dd14d4af75a4bb46ab83c5aaddbbf931c5f6e85afdd3387d2e153c34d878
Instruction ID: c1f98fdcd178f3fa29b953dc7e2e46c80289a572f2df5b133a21d1b4b0b73910
Opcode Fuzzy Hash: 78b0dd14d4af75a4bb46ab83c5aaddbbf931c5f6e85afdd3387d2e153c34d878
Instruction Fuzzy Hash: 63F01D74148301ABEB109F24EC49BAA7BF8FB44700F608829F994D21A0D779D61CDB63

Function 0084CDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(50FA5EA3,?,?,?,?,?,?,?,?,?,008856D5,000000FF), ref: 0084CDE8

Part of subcall function 00841F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00844251,50FA5EA3,00000000,?,00000000,?,?,?,00884400,000000FF,?), ref: 00841F9D

ExitProcess.KERNEL32 ref: 0084CEB1

Part of subcall function 00846600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0084667E

Strings

Full command line:, xrefs: 0084CE13

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 207622636c226269125241d97f41d9568183ce5b08025b7b7a8023fc7462e6eb
Instruction ID: af6cccb6868e314f63b4c16d56042850cb131ba59d46b1dfee7d99e64558028f
Opcode Fuzzy Hash: 207622636c226269125241d97f41d9568183ce5b08025b7b7a8023fc7462e6eb
Instruction Fuzzy Hash: A121EF31911218ABCB05FB68CC45BAE77A9FF41744F144128E402EB292FF345A08C793

Function 00845E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00845E18,50FA5EA3,?), ref: 00845EB4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00845E18,50FA5EA3,?), ref: 00845EBE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00845E18,50FA5EA3,?), ref: 00845F1A

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 350dfb46ec842d9a7016ef1e850078ceb921676eecd7e2939c41aa01687fd108
Instruction ID: 3470565ca9f569cd38cd03b495939fb60884705a784b3886fac6cc7dfee30256
Opcode Fuzzy Hash: 350dfb46ec842d9a7016ef1e850078ceb921676eecd7e2939c41aa01687fd108
Instruction Fuzzy Hash: 8D318E71A00609AFDB10CF58DC45BAFBBF9FB44710F20452AE415E7280DBB5A9048BA1

Function 008770BB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,0087596A,00000001,00000364,?,00000006,000000FF,?,00866CE7,00000000,00873841,00000000), ref: 008770FC

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d4c1a5455a08a3641cb8cee9706fa9062cd9fa1da42b5a4be14718d6dc7f34fb
Instruction ID: 4dcf00f7229602a46bc2b12097e1d2854ee485addfcd4f27b9bbd123b69b2834
Opcode Fuzzy Hash: d4c1a5455a08a3641cb8cee9706fa9062cd9fa1da42b5a4be14718d6dc7f34fb
Instruction Fuzzy Hash: A0F0BE3220CA246A9B226A2A9C01B5A7759FB517B0B55C031BD2CDA198CA20EC00C7F2

Non-executed Functions

Function 008452F0 Relevance: 52.9, APIs: 14, Strings: 16, Instructions: 402
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 0084549C
GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 0084551D
ShellExecuteExW.SHELL32(?), ref: 00845601
ShellExecuteExW.SHELL32(?), ref: 00845637
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 0084567C
GetProcAddress.KERNEL32(00000000), ref: 00845685
AllowSetForegroundWindow.USER32(00000000), ref: 0084568B
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 008456AB
GetProcAddress.KERNEL32(00000000), ref: 008456AE
Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 008456CA
EnumWindows.USER32(00845830,?), ref: 008456DF
BringWindowToTop.USER32(00000000), ref: 008456F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00845711
GetExitCodeProcess.KERNEL32(?,?), ref: 0084571B

Strings

runas, xrefs: 008454EC
Visible, xrefs: 008455DB, 008455EA
%s\System32\cmd.exe, xrefs: 008454A9
.cmd, xrefs: 0084545F
Window Visibility:, xrefs: 008455E3
Directory:<, xrefs: 008455B2
FilePath:<, xrefs: 00845589
Hidden, xrefs: 008455D6
Kernel32.dll, xrefs: 00845677, 008456A6
open, xrefs: 008454D5
.bat, xrefs: 00845422
GetProcessId, xrefs: 00845672, 008456A1
Parameters:<, xrefs: 008455C6
/C ""%s" %s", xrefs: 008454C1
ShellExecuteInfo members:, xrefs: 00845540
Verb:<, xrefs: 0084559E

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
API String ID: 697762045-2796270252
Opcode ID: 3ab71b30483db9e114fe138af89fb1c088628f622c44831fccf512c93559da04
Instruction ID: 8041415a37178a77bdcf10b812b5675618fa856e88287a2e8a7a4de7b29e2f43
Opcode Fuzzy Hash: 3ab71b30483db9e114fe138af89fb1c088628f622c44831fccf512c93559da04
Instruction Fuzzy Hash: A0E1EF71A00A0D9BCF11EFA8C884BAEB7B5FF58710F584129E915EB392EB349D01CB51

Function 0084C870 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0084CBB6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,0089E6D0,00000800), ref: 0084CBD3

Strings

/DIR , xrefs: 0084C9F3
/HideWindow, xrefs: 0084C98E, 0084C9AC, 0084C9B1
/RunAsAdmin , xrefs: 0084C92B, 0084C94C, 0084C951
/DontWait , xrefs: 0084C8D8, 0084C8EE, 0084C8F3
/EnforcedRunAsAdmin , xrefs: 0084C893, 0084C8A3, 0084C8A8
/LogFile, xrefs: 0084CA07

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
API String ID: 4153817207-482544602
Opcode ID: 0e3fb0657640cbf0908fe67456dfad6800dd2e8d76b3813e3f186e8de049bcda
Instruction ID: 3f8f1ebbef11b21d8ee696337fc94376ff40cd2a6386ae276defb3b55849f881
Opcode Fuzzy Hash: 0e3fb0657640cbf0908fe67456dfad6800dd2e8d76b3813e3f186e8de049bcda
Instruction Fuzzy Hash: 2CC13874A0622ECBCFB5EF14C84127ABBA9FF50740F59446AE889CB291E770CD81C791

Function 0087DE24 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

GetACP.KERNEL32(?,?,?,?,?,?,008742D9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0087DEE5
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,008742D9,?,?,?,00000055,?,-00000050,?,?), ref: 0087DF10
_wcschr.LIBVCRUNTIME ref: 0087DFA4
_wcschr.LIBVCRUNTIME ref: 0087DFB2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0087E073

Strings

utf8, xrefs: 0087DFE2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: bb98da3ac09a41712a84331a3e8bb807e859ad1e0610809f20f9ffae74e34474
Instruction ID: 8410d8885712cbb82b98e0a28f466aeffd0421a763cbafbb374a4330ef48380a
Opcode Fuzzy Hash: bb98da3ac09a41712a84331a3e8bb807e859ad1e0610809f20f9ffae74e34474
Instruction Fuzzy Hash: 7371F632600705AADB25AB38CC46BA773B8FF58704F148469F51DDB189EBB0E9408762

Function 00843860 Relevance: 10.7, APIs: 7, Instructions: 227processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,50FA5EA3,?), ref: 008438CB
CloseHandle.KERNEL32(00000000), ref: 0084390B
Process32FirstW.KERNEL32(?,00000000), ref: 0084395F
OpenProcess.KERNEL32(00000410,00000000,?), ref: 0084397A
CloseHandle.KERNEL32(00000000), ref: 00843A8E
Process32NextW.KERNEL32(?,00000000), ref: 00843AA2
CloseHandle.KERNEL32(?), ref: 00843AF0

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: 0d8cfacfb371ba36a2b7ba0719669dfc6d4dab1dd4c13f4e2607158902542e71
Instruction ID: 60f4d582ce850ac8a01d705bf8fdb8d63f1611025d113d18bb708920a443113c
Opcode Fuzzy Hash: 0d8cfacfb371ba36a2b7ba0719669dfc6d4dab1dd4c13f4e2607158902542e71
Instruction Fuzzy Hash: 57A1E7B1905259DFDF10DFA8D988BDEBBB8FF48304F244159E905EB280D7749A48CBA1

Function 0087F032 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0087F216

Strings

1#SNAN, xrefs: 0087F13E
1#IND, xrefs: 0087F137
1#INF, xrefs: 0087F168
1#QNAN, xrefs: 0087F145

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e30885778928767ba78d5eb8e07ad564f95b2c5ff69dcb5f13ce918527d6b547
Instruction ID: ffbe1cfca3ea6ecb757e1bae367c1fb5e954d4f4acca14cd72f680277190c783
Opcode Fuzzy Hash: e30885778928767ba78d5eb8e07ad564f95b2c5ff69dcb5f13ce918527d6b547
Instruction Fuzzy Hash: DED24872E082288FDB65DE29CD407EAB7B5FB44304F1441EAD90DE7245EB74AE858F41

Function 0087E5B3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0087E8D1,00000002,00000000,?,?,?,0087E8D1,?,00000000), ref: 0087E64C
GetLocaleInfoW.KERNEL32(?,20001004,0087E8D1,00000002,00000000,?,?,?,0087E8D1,?,00000000), ref: 0087E675
GetACP.KERNEL32(?,?,0087E8D1,?,00000000), ref: 0087E68A

Strings

ACP, xrefs: 0087E5D1
OCP, xrefs: 0087E607

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d2dfbddd198ebdfca60c169cd67a97395b295dc6e6bf41ee80efeda0beebb378
Instruction ID: 675106b03d8b2bc5df292e18dece6a1f2ccba93929f56dcd395e43e1edd4ca81
Opcode Fuzzy Hash: d2dfbddd198ebdfca60c169cd67a97395b295dc6e6bf41ee80efeda0beebb378
Instruction Fuzzy Hash: C8216D36640104AADB34DF54C904A9777A6FB7CB68B56C5A4E90ED7118EB32DD40C350

Function 00849CC0 Relevance: 7.9, APIs: 5, Instructions: 441COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00849E60
LocalFree.KERNEL32(00000000), ref: 00849EB7
_swprintf.LIBCMT ref: 0084A0A0
LocalFree.KERNEL32(00000000), ref: 0084A0F7
_swprintf.LIBCMT ref: 0084A183

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID:
API String ID: 2429749586-0
Opcode ID: b016c8f8e05eda7e091f72ad294789e41d88deeb813448a120b23bd6ea429c86
Instruction ID: 66cc8356938f3c4110c1801fb51ca45fe5ff938d7cbf9c659d43ff2ffa4c40ec
Opcode Fuzzy Hash: b016c8f8e05eda7e091f72ad294789e41d88deeb813448a120b23bd6ea429c86
Instruction Fuzzy Hash: B1F19B71D0061DABDF29DFA8DC41BAEBBB5FF48304F144229F811AB281D775A941CBA1

Function 0087E788 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0087E894
IsValidCodePage.KERNEL32(00000000), ref: 0087E8DD
IsValidLocale.KERNEL32(?,00000001), ref: 0087E8EC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0087E934
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0087E953

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: fd8b1756d7b82a28281c75c9fb8ce375d48608a3a996a9825883be996f8e4b94
Instruction ID: aa67c40ad06a95fdf934d14583ed47069e5b470a9eb03f6a4478b42ec6b7ce38
Opcode Fuzzy Hash: fd8b1756d7b82a28281c75c9fb8ce375d48608a3a996a9825883be996f8e4b94
Instruction Fuzzy Hash: 45515071A00209ABEB20DFA9DC45ABE77B8FF4C701F1484B9E918EB195D770D9408B62

Function 00875D6D Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00875DFA

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction ID: ef92bbff7ef392e8d8f6815835afd8040fa523131454bbd19f9f590e3cb74ba6
Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction Fuzzy Hash: 99B16732904A459FDB25CF28C881BEEBBA5FF15304F15C16AE808EB345E674DE01CBA1

Function 008633A8 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 008633B4
IsDebuggerPresent.KERNEL32 ref: 00863480
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008634A0
UnhandledExceptionFilter.KERNEL32(?), ref: 008634AA

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 33a45718861b76ecb0e16a46ece3c0e31f9de9c721284baeb0ce05be6b7f112b
Instruction ID: 478c9f3f7b7aa625471e028da82bd51d3e8757a83cc64d556a5253a9d0547c36
Opcode Fuzzy Hash: 33a45718861b76ecb0e16a46ece3c0e31f9de9c721284baeb0ce05be6b7f112b
Instruction Fuzzy Hash: F131F5B5D052189BDF21DFA4D989BCDBBB8FF08304F1041AAE50DAB250EB719B858F45

Function 0084D0A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0084C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,50FA5EA3,?,00883D30,000000FF), ref: 0084C657
Part of subcall function 0084C630: GetLastError.KERNEL32(?,00000000,00000000,50FA5EA3,?,00883D30,000000FF), ref: 0084C661

IsDebuggerPresent.KERNEL32(?,?,00898AF0), ref: 0084D0D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00898AF0), ref: 0084D0E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0084D0E2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 6610aa9bb11c197e1d507cb5a000018780faa8fa405514f47030845a6898af13
Instruction ID: ff1b4fc8bb9ff98d33db640cdb483dd5cd8fe0aac657102fc4f3b3743dd0c643
Opcode Fuzzy Hash: 6610aa9bb11c197e1d507cb5a000018780faa8fa405514f47030845a6898af13
Instruction Fuzzy Hash: B5E06D70204B458FD360AF68E4487427AF4FB10344F24886DE556C3650E7B4D4488BA2

Function 0087E237 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0087E28B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0087E2D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0087E39B

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: d52a3e453b52bb20ad13764aab49e244bc52c071609906290bfb37541accb30b
Instruction ID: 4d7b81c052060269b0da4888eb04899a7676da6d94f054ffff389f44a57d7e21
Opcode Fuzzy Hash: d52a3e453b52bb20ad13764aab49e244bc52c071609906290bfb37541accb30b
Instruction Fuzzy Hash: EE619371500607DFEB289F28CC82BBA77A8FF19304F1481B9E909C7289E774D984CB51

Function 00866E1B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00866F13
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00866F1D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00866F2A

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a29039c102f793f984bebff0b98f0e725d1f3c0d13d9bdccce8c30fdc3f5f9e0
Instruction ID: 7709c81ff2fb252aa7b4935f96a11961cfa0bf992237b694b2f5f967f325eb64
Opcode Fuzzy Hash: a29039c102f793f984bebff0b98f0e725d1f3c0d13d9bdccce8c30fdc3f5f9e0
Instruction Fuzzy Hash: 3D31A274901228ABCB21DF68D98978DBBB8FF18310F5141EAE51CA7251EB709F858F45

Function 008445B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,50FA5EA3,00000001,00000000,?,00000000,00884460,000000FF,?,0084474D,00843778,?,00000000,00000000,?), ref: 008445DB
LockResource.KERNEL32(00000000,?,00000000,00884460,000000FF,?,0084474D,00843778,?,00000000,00000000,?,?,?,?,00843778), ref: 008445E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00884460,000000FF,?,0084474D,00843778,?,00000000,00000000,?,?,?), ref: 008445F4

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: cafb4767c24df6cea5ce8120e5fcbdb6c6a253b8653842bf135b45434ed17ed7
Instruction ID: 11499b2c9b9c00f51449b8628627ba77fda4a6e09df2eefe6ce27c4f8d9312d8
Opcode Fuzzy Hash: cafb4767c24df6cea5ce8120e5fcbdb6c6a253b8653842bf135b45434ed17ed7
Instruction Fuzzy Hash: 7C11C632A046599BD7359F59DC44B66B7FCF796715F11052BEC1AD3240EA35AC008690

Function 0086E270 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction ID: a7b9ff3b50f72ed10d464d7be14ac73b89311cb459b2b5eb390fe33b8301337a
Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction Fuzzy Hash: 24F14075E002199FDF14CFA8D984AADB7B1FF98314F168269E815EB381D730AE01CB94

Function 00877B1F Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00877F64,00000000,00000000,00000000), ref: 00877E23

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 2109d532d0a86ffd2a16547e24de0588c6cd2ee4ea5161f34a4a7f79b8b9b9a8
Instruction ID: a2131b5e69dcd1809b7d27c2595333f28c2ef3c22f6637dcbf7b377e56089651
Opcode Fuzzy Hash: 2109d532d0a86ffd2a16547e24de0588c6cd2ee4ea5161f34a4a7f79b8b9b9a8
Instruction Fuzzy Hash: B5C13972904215ABDB20BF68DC42ABE7BB8FF45714F158066F908EB299E730DE40C791

Function 008784BD Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008784B8,?,?,00000008,?,?,008814E4,00000000), ref: 008786EA

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0e046b086c9921c4171de7508c79debb7783f63f09efb8152ae61e9e2678d5f9
Instruction ID: 64d12508713b9597cb1c91456e34f2a0d3957fc9f92626e07653a6ec464a9c02
Opcode Fuzzy Hash: 0e046b086c9921c4171de7508c79debb7783f63f09efb8152ae61e9e2678d5f9
Instruction Fuzzy Hash: 2AB15931650608DFD718CF28C48AA657BA0FF45364F25C658E99ECF2A5CB35E982CB40

Function 008635A9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 008635BF

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 1616ebd714491e2738bffece6273d066175d64d8e64daf3cd9f69d5e9b974ac5
Instruction ID: 63c23f66ef61cb5bec74a1d31d26a84e836adb2a89ade0b697f4f24b8d5adbdc
Opcode Fuzzy Hash: 1616ebd714491e2738bffece6273d066175d64d8e64daf3cd9f69d5e9b974ac5
Instruction Fuzzy Hash: F25199B1A11705DBEB15CF59E881BAEBBF0FB48354F29852AC906EB350D3759A00CF90

Function 0087AF79 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84d65b29a7bef3cfcd8d341f275b7383ae69efad505633dab35759ce53a1957
Instruction ID: b8f00178c08164b93900debcd97734d4ff7ffd95aaa83acae2028d5ed23b0cdf
Opcode Fuzzy Hash: b84d65b29a7bef3cfcd8d341f275b7383ae69efad505633dab35759ce53a1957
Instruction Fuzzy Hash: 4331B472900619AFCB24DFA8CC85ABBB76AFB84310F148159F919D7248EA31DD408B64

Function 0086A587 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0086A715

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 107a3c530cb674d025cc367d38f6e2250a29f36056777e5bcec7acdc853ca1a6
Instruction ID: b706b18bd5633330e75e3f04019a375feada30a032b7d413b3b870df5020b321
Opcode Fuzzy Hash: 107a3c530cb674d025cc367d38f6e2250a29f36056777e5bcec7acdc853ca1a6
Instruction Fuzzy Hash: E2C1BC70A0064A8FCB2CCE68C495A7EBBB1FB55304F2A4619D496EB291C731ED46CF52

Function 0087E48A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0087E4DE

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9c5a8d3090774c734068a7cfed4590044b6085445a0391d588f4db89228927f8
Instruction ID: 074cf9701161bb3da9287200f5cbd14e5b12d05310d17f19315080cc12c95ed3
Opcode Fuzzy Hash: 9c5a8d3090774c734068a7cfed4590044b6085445a0391d588f4db89228927f8
Instruction Fuzzy Hash: 6021C27260420AABDF289F28DC41ABA73ACFF09318F1480BAF909C6145FB74ED40C751

Function 0087E111 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

EnumSystemLocalesW.KERNEL32(0087E237,00000001,00000000,?,-00000050,?,0087E868,00000000,?,?,?,00000055,?), ref: 0087E183

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 87a73fc0317e2b90d6487e2d0499ea58cfe5c59acb885ff9be55b9cf2deeff67
Instruction ID: 0b31776cd7c8958881c1636523411e4495adf65902ef542ab546883c9d1abc85
Opcode Fuzzy Hash: 87a73fc0317e2b90d6487e2d0499ea58cfe5c59acb885ff9be55b9cf2deeff67
Instruction Fuzzy Hash: 2E11E93A2007019FDB189F39C8915BAB795FF88759B59842CE54A87B40D375F942CB50

Function 0087E6B9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0087E453,00000000,00000000,?), ref: 0087E6E5

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6a580a9364913db032fc5fbd947bbb15ff0867f111c87e4ff25fffac6c786140
Instruction ID: 3eb3f7c0c8cb12bc1f9744a315749f80915403c86220d3687ee263e8369870c3
Opcode Fuzzy Hash: 6a580a9364913db032fc5fbd947bbb15ff0867f111c87e4ff25fffac6c786140
Instruction Fuzzy Hash: 1BF0CD36600216BBDB2C5764CC49BBA77ACFB447D4F1584A4EC19E3184DB74FD41C690

Function 0087E1AC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

EnumSystemLocalesW.KERNEL32(0087E48A,00000001,?,?,-00000050,?,0087E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0087E1F6

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c1da28be1fa8bd9a1f586d6286d9372445049eaf34f2c280818ccfa89a39d3ad
Instruction ID: 29b6ad024b0a55d90070af1dd27db4dab902e0e1c11da028563c58ec5f015882
Opcode Fuzzy Hash: c1da28be1fa8bd9a1f586d6286d9372445049eaf34f2c280818ccfa89a39d3ad
Instruction Fuzzy Hash: 39F022362003045FCB245F38C885A6A7B98FB84768F04846CF909CBA90C2B1DC02CB54

Function 00877132 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00871C9A: EnterCriticalSection.KERNEL32(-0089DE50,?,00873576,?,0089A078,0000000C,00873841,?), ref: 00871CA9

EnumSystemLocalesW.KERNEL32(00877125,00000001,0089A1D8,0000000C,00877554,00000000), ref: 0087716A

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 8474398a3f6c02248fde154bbc7f15ffe0a029c2bf60c6bf4bbbad40c9a477be
Instruction ID: bc621599ff0fa3a18de6dda88f35d80c0136a60fc4e65edffd60fc70c1044451
Opcode Fuzzy Hash: 8474398a3f6c02248fde154bbc7f15ffe0a029c2bf60c6bf4bbbad40c9a477be
Instruction Fuzzy Hash: 7FF03772A44200DFDB00EF9CE846B987BF0FB48722F10856AF419DB2A0DB7989008B51

Function 0087E0C6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008757CC: GetLastError.KERNEL32(?,00000008,0087AD4C), ref: 008757D0
Part of subcall function 008757CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00875872

EnumSystemLocalesW.KERNEL32(0087E01F,00000001,?,?,?,0087E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0087E0FD

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9661c21833510979c0af8034d106cdf68765d3bf982371670b22edc71edbc7de
Instruction ID: 58c581727d5b9b933f08f794cca0183617f649c5abbecc49bc1dccd28a318ae1
Opcode Fuzzy Hash: 9661c21833510979c0af8034d106cdf68765d3bf982371670b22edc71edbc7de
Instruction Fuzzy Hash: D6F02B3A3003059BCB04AF39DC5966A7F95FFC5760F068098EB1DCB655C6B5D882C7A0

Function 008623F8 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,008600E2,00000000,00000000,00000004,0085ED14,00000000,00000004,0085F127,00000000,00000000), ref: 00862410

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4de3ba7d09f76eb5a6b04eea7faa448bdd8f6268b6ae52cf53d6d0330f9b15af
Instruction ID: fe264eedaa5447ea0fa6f8f8dfc3360f490d9366b0538b075963585603961861
Opcode Fuzzy Hash: 4de3ba7d09f76eb5a6b04eea7faa448bdd8f6268b6ae52cf53d6d0330f9b15af
Instruction Fuzzy Hash: 23E0D832654105B6EB154B7D9E0FFBA76A8F700709F5041D1E902E44D1DEA1CA10A1A5

Function 008776AF Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00874E3F,?,20001004,00000000,00000002,?,?,00874441), ref: 008776E3

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: bec8efe94879844ef0f637f604b195f2edc52308b2313c53f02f461e8d90c4d4
Instruction ID: c5b9b180c2938fbbdf9d360668841e0245d243da33e0afb4deff0be4b12015ca
Opcode Fuzzy Hash: bec8efe94879844ef0f637f604b195f2edc52308b2313c53f02f461e8d90c4d4
Instruction Fuzzy Hash: 19E04F3655861CBBCF122F69DC08AAE7E26FF44760F108021FC19A5125CB71CD20EBD6

Function 0086353F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00863077), ref: 00863544

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 385a7623774a616da4519578773e90815de9f4dbd168560959d0aae553121d3c
Instruction ID: c33ec55bcdeed8303a0821da70757ac4cb04bac8f9230d37202b5e309ee2cd23
Opcode Fuzzy Hash: 385a7623774a616da4519578773e90815de9f4dbd168560959d0aae553121d3c
Instruction Fuzzy Hash:

Function 00842310 Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00862C98: EnterCriticalSection.KERNEL32(0089DD3C,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862CA3
Part of subcall function 00862C98: LeaveCriticalSection.KERNEL32(0089DD3C,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862CE0

GetProcessHeap.KERNEL32 ref: 00842365

Part of subcall function 00862C4E: EnterCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C58
Part of subcall function 00862C4E: LeaveCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C8B
Part of subcall function 00862C4E: RtlWakeAllConditionVariable.NTDLL ref: 00862D02

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: 83f0f131a3aaa5612cd65bebe0546bf1f58326bec26d1696dda9184632ee063c
Instruction ID: e83010bf3e03ac55a277d2020f96271b5b35ba60f238a16c9b4b721ca5596c5a
Opcode Fuzzy Hash: 83f0f131a3aaa5612cd65bebe0546bf1f58326bec26d1696dda9184632ee063c
Instruction Fuzzy Hash: 462166B1905604EBDB22EF58E846B497BB0F734724F18025AE425D73E0E7B45908CB52

Function 00870A48 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction ID: 2a44dc9debfc7d5a3b0e80b356ac0a13a828a6de6948c8d4effb985ddaea0fc2
Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction Fuzzy Hash: C4328C74A0021ACFCF24CF98C995ABEB7B5FF44304F148169D949AB359D632EE46CB90

Function 008792A9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cf24d63b70fb22268ca5f0ee215d6d514d8dc3f06674472402ff9142ab2165
Instruction ID: cbb59ddc31df955130be33a2cb8f9cce77f4de3492630ccba369a3ca0dabb919
Opcode Fuzzy Hash: 88cf24d63b70fb22268ca5f0ee215d6d514d8dc3f06674472402ff9142ab2165
Instruction Fuzzy Hash: E432E031D29F454DD7239638DC62339A248BFB73D4F15D727E85AB5AAAEF28C4834200

Function 0086A915 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03ea44793a352741c98ec1410d8582ba216404dd29222f6de3249c0e6a8dbba
Instruction ID: 509e1811b95004516f51b563cd34eb6f524c165fd630cd9e8101777084325cd2
Opcode Fuzzy Hash: f03ea44793a352741c98ec1410d8582ba216404dd29222f6de3249c0e6a8dbba
Instruction Fuzzy Hash: E2E19D706006098FCB28CF68C581ABAB7F1FF49314B26865AD556EB291D731ED82CF53

Function 0087D8D5 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: e1166250ac85ec84ba1a710b0b0ba78af442f2f048731e3c93d0765d6c5dda27
Instruction ID: cf69972d8ec2591193834f3dc7fbc9fee374186c48b5772d42fb0e8f293947ae
Opcode Fuzzy Hash: e1166250ac85ec84ba1a710b0b0ba78af442f2f048731e3c93d0765d6c5dda27
Instruction Fuzzy Hash: 02B103755007058BCB389F28CC82BB7B3F8FF54318F15846DEA8AC6688EA75E981C750

Function 0086C2CA Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction ID: 6ef9cf2962b1fa6afebf1ad219ba0b828f3cb5ca1c97405509b6591fbba24440
Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction Fuzzy Hash: 2A515E71E00219AFDF14CF99C951ABEBBB2FF88314F198069E955AB301C7349E50CB95

Function 00864920 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c2039643174c5df25260555d6b78dd99dda76564f1086610e830131764cf4ee5
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: F511E67728114243D6048A2EC4B46BFEF96FBC6325B3F636AD191CB778D222A945D600

Function 0087AD78 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: 9708d0b77325e6d25d5e749ae62e4873778c33dffcefa2727fa876129b879eb0
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: F4E04672911228EBCB28DB9CC90498AB6ACFB84B01B15849AB505D3500C270DE00E7D2

Function 00872DCC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction ID: f45e5a560dad28600aceb867c5c903fce7ce9dd40f62068951f59966eae37190
Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction Fuzzy Hash: 09C08C34400E0446CE3D8914CAB13A83754F7D1783F84468CC40B8BA5EC51EEC83D602

Function 00860116 Relevance: 30.3, APIs: 20, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0086011D
collate.LIBCPMT ref: 00860126

Part of subcall function 0085EDF2: __EH_prolog3_GS.LIBCMT ref: 0085EDF9
Part of subcall function 0085EDF2: __Getcoll.LIBCPMT ref: 0085EE5D

__Getcoll.LIBCPMT ref: 0086016C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860180
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860195
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 008601D3
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 008601E6
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0086022C
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860260
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0086031B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0086032E
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0086034B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860368
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860385
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 008602BD

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

numpunct.LIBCPMT ref: 008603C4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 008603D4
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860418

Part of subcall function 00846330: LocalAlloc.KERNEL32(00000040,?,00850E04,00000020,?,?,00849942,00000000,50FA5EA3,?,?,?,?,008850DD,000000FF), ref: 00846336

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0086042B
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 00860448

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 3717464618-0
Opcode ID: d67a4b2616c5b34bceba09cfa6f16f6800dbfafdfd42c76bc41c486821680108
Instruction ID: b57118920d018a0a26ff8741bcb17494cc32d5880f1351be846b9e79cb456609
Opcode Fuzzy Hash: d67a4b2616c5b34bceba09cfa6f16f6800dbfafdfd42c76bc41c486821680108
Instruction Fuzzy Hash: 1C91B271901219ABE7257FB84C46B7F7AA8FF41724F15442DFA09E7382EE7049048BA7

Function 00846600 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 319filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0084667E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 008466D7
LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 008466E2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 008466FE
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,008849E5,000000FF), ref: 008467DB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,008849E5,000000FF), ref: 008467E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,008849E5), ref: 0084682F
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,008849E5,000000FF), ref: 0084684A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,008849E5), ref: 00846867
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,008849E5,000000FF), ref: 00846891
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 008468D8
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 0084692A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,008849E5,000000FF), ref: 0084695C

Strings

URL Shortcut content:, xrefs: 00846875
open, xrefs: 008468D1, 008468F0
-_.~!*'();:@&=+$,/?#[], xrefs: 00846757, 0084676E
[InternetShortcut]URL=, xrefs: 0084670A

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: 1fb560aa46e4f630cc6801a6fd702c302daec0f94393954d3dae82956aea43fe
Instruction ID: 7495c9ec37c25c6b3fc810e59182cae64f6b85a100117ee802a4b62703aecebe
Opcode Fuzzy Hash: 1fb560aa46e4f630cc6801a6fd702c302daec0f94393954d3dae82956aea43fe
Instruction Fuzzy Hash: 17B1DF71904249AFEB20DF68CC85BEEBBB5FF56710F144129E514EB2C1E7709A0887A2

Function 00862B8C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0089DD3C,00000FA0,?,?,00862B6A), ref: 00862B98
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00862B6A), ref: 00862BA3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00862B6A), ref: 00862BB4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00862BC6
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00862BD4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00862B6A), ref: 00862BF7
DeleteCriticalSection.KERNEL32(0089DD3C,00000007,?,?,00862B6A), ref: 00862C13
CloseHandle.KERNEL32(00000000,?,?,00862B6A), ref: 00862C23

Strings

kernel32.dll, xrefs: 00862BAF
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00862B9E
WakeAllConditionVariable, xrefs: 00862BCC
SleepConditionVariableCS, xrefs: 00862BC0

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 9140fcd34084522fb8e6f913188937f94662cf03e4c3e5159584a5d3c39abe92
Instruction ID: 7ef9a4f57954a7a9a79993b24f41131acc52b800d6f9055dfb56f19045477b72
Opcode Fuzzy Hash: 9140fcd34084522fb8e6f913188937f94662cf03e4c3e5159584a5d3c39abe92
Instruction Fuzzy Hash: 8101D475A45B11EBE7212F78AC0DE167B78FF40B50B250851FC04D23A0DE78C8008761

Function 00865CAF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00865DAC
type_info::operator==.LIBVCRUNTIME ref: 00865DCE
___TypeMatch.LIBVCRUNTIME ref: 00865EDD
IsInExceptionSpec.LIBVCRUNTIME ref: 00865FAF
_UnwindNestedFrames.LIBCMT ref: 00866033
CallUnexpected.LIBVCRUNTIME ref: 0086604E

Strings

csm, xrefs: 00865D59
csm, xrefs: 00865E05
csm, xrefs: 00865CEC

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 05e001407cb408e880cfab5efbc15df83ec4678fe48b4948fc86f9bc2a157316
Instruction ID: 4241b70dfd7201920c8b0b734169f59ed0ff5caa95d10e5268f18085529da258
Opcode Fuzzy Hash: 05e001407cb408e880cfab5efbc15df83ec4678fe48b4948fc86f9bc2a157316
Instruction Fuzzy Hash: 0CB1AF31800609EFCF19DFA8D9819AEBBB5FF14314F164069E815EB242DB31DE61CB92

Function 00844270 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,50FA5EA3,?,?,?), ref: 008442D2
OpenProcess.KERNEL32(00000400,00000000,?,?,50FA5EA3,?,?,?), ref: 008442F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,50FA5EA3,?,?,?), ref: 00844326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,50FA5EA3,?,?,?), ref: 00844337
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 00844355
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 00844371
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 00844399
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 008443B5
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 008443D3
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 008443EF

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 29393beb8ec7c6d782e86d74beaecb6f0af613ef6786f794189fcf555fedcf39
Instruction ID: bd01f2848e9b3781842c37c6fc3eef06dd8b6ae6ee5e944a1e9f819d9dee86f1
Opcode Fuzzy Hash: 29393beb8ec7c6d782e86d74beaecb6f0af613ef6786f794189fcf555fedcf39
Instruction Fuzzy Hash: DC514871E02618AFDB10DF98D984BAEBBB4FF48B14F245219E524F7380C77559058BA4

Function 0085BBBD Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085BBC4

Part of subcall function 0085254E: __EH_prolog3.LIBCMT ref: 00852555
Part of subcall function 0085254E: std::_Lockit::_Lockit.LIBCPMT ref: 0085255F
Part of subcall function 0085254E: std::_Lockit::~_Lockit.LIBCPMT ref: 008525D0

Strings

%m / %d / %y, xrefs: 0085BCBB
%d / %m / %y, xrefs: 0085BEFA
:AM:am:PM:pm, xrefs: 0085BF2A
%H : %M : %S, xrefs: 0085BD5D
%b %d %H : %M : %S %Y, xrefs: 0085BE52
%I : %M : %S %p, xrefs: 0085BF1F
%H : %M, xrefs: 0085BD03

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 4cfc29ae825eb0114b48e150716417679a61431f55a4c25224089d46b6ca7b8c
Instruction ID: 7749a1ed3c1beae400d2b59e655d769fd46df93322fb49efba0f084d8c698e0d
Opcode Fuzzy Hash: 4cfc29ae825eb0114b48e150716417679a61431f55a4c25224089d46b6ca7b8c
Instruction Fuzzy Hash: F7B17B7250010AABCF19DF68CD66EFE3BB9FB24306F144119FE06E2291DB318A189B51

Function 00860C9D Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00860CA4

Part of subcall function 00849270: std::_Lockit::_Lockit.LIBCPMT ref: 008492A0
Part of subcall function 00849270: std::_Lockit::_Lockit.LIBCPMT ref: 008492C2
Part of subcall function 00849270: std::_Lockit::~_Lockit.LIBCPMT ref: 008492EA
Part of subcall function 00849270: std::_Lockit::~_Lockit.LIBCPMT ref: 00849422

Strings

%m / %d / %y, xrefs: 00860D9B
%d / %m / %y, xrefs: 00860FDA
:AM:am:PM:pm, xrefs: 0086100A
%H : %M : %S, xrefs: 00860E3D
%b %d %H : %M : %S %Y, xrefs: 00860F32
%I : %M : %S %p, xrefs: 00860FFF
%H : %M, xrefs: 00860DE3

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 336e94f6d2bbedf358af24bdea11587de4ef7df0b861b4c0a040010e3f1c6878
Instruction ID: eb6a753b57ef51ea72a0fc85a1359ac37c366e23afcdd0dc0e0058cd190d5ffb
Opcode Fuzzy Hash: 336e94f6d2bbedf358af24bdea11587de4ef7df0b861b4c0a040010e3f1c6878
Instruction Fuzzy Hash: B5B1AB7550020EAFCF29DFA8C959DBF3BA9FB04304F160519FA06E6292DA319A10DF65

Function 0085BF7E Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085BF85

Part of subcall function 00848610: std::_Lockit::_Lockit.LIBCPMT ref: 00848657
Part of subcall function 00848610: std::_Lockit::_Lockit.LIBCPMT ref: 00848679
Part of subcall function 00848610: std::_Lockit::~_Lockit.LIBCPMT ref: 008486A1
Part of subcall function 00848610: std::_Lockit::~_Lockit.LIBCPMT ref: 0084880E

Strings

%m / %d / %y, xrefs: 0085C07C
%d / %m / %y, xrefs: 0085C2BB
:AM:am:PM:pm, xrefs: 0085C2EB
%H : %M : %S, xrefs: 0085C11E
%b %d %H : %M : %S %Y, xrefs: 0085C213
%I : %M : %S %p, xrefs: 0085C2E0
%H : %M, xrefs: 0085C0C4

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 4ea401d0709c376fc8a906845b2ce4e3466a58859f1e8e871506dd196d648d7f
Instruction ID: bdab47e5b8fe3297fd1aa54e391b6d8f1328da2bcc6e09636eda7cad3323b596
Opcode Fuzzy Hash: 4ea401d0709c376fc8a906845b2ce4e3466a58859f1e8e871506dd196d648d7f
Instruction Fuzzy Hash: 3AB16B7254020EEFCF19EEA8C955DFE3BB9FB08346F154119FE02E6252D6318A189F61

Function 00858555 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085855C
_Maklocstr.LIBCPMT ref: 008585C5
_Maklocstr.LIBCPMT ref: 008585D7
_Maklocchr.LIBCPMT ref: 008585EF
_Maklocchr.LIBCPMT ref: 008585FF
_Getvals.LIBCPMT ref: 00858621

Part of subcall function 00851CD4: _Maklocchr.LIBCPMT ref: 00851D03
Part of subcall function 00851CD4: _Maklocchr.LIBCPMT ref: 00851D19

Strings

false, xrefs: 008585C0
true, xrefs: 008585D2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 10d1acc9640732de443932fb371e3e5937f6b3ec8217254a8958c9a2bb69df74
Instruction ID: d7bcb4c5b21b3782dd3c195324c10da9bfed0242c5be42f2bdc03574a0de689e
Opcode Fuzzy Hash: 10d1acc9640732de443932fb371e3e5937f6b3ec8217254a8958c9a2bb69df74
Instruction Fuzzy Hash: 8F215871D40314EBDF15EFA5D849ADE7B68FF04711F048156BD15DF142DA708948CBA1

Function 00849730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00849763

Part of subcall function 00850C94: __EH_prolog3.LIBCMT ref: 00850C9B
Part of subcall function 00850C94: std::_Lockit::_Lockit.LIBCPMT ref: 00850CA6
Part of subcall function 00850C94: std::locale::_Setgloballocale.LIBCPMT ref: 00850CC1
Part of subcall function 00850C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00850D17

std::_Lockit::_Lockit.LIBCPMT ref: 0084978A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008497F0
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 0084984A

Part of subcall function 0084F57A: __EH_prolog3.LIBCMT ref: 0084F581
Part of subcall function 0084F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0084F5C8
Part of subcall function 0084F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0084F620
Part of subcall function 0084F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0084F654
Part of subcall function 0084F57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0084F6A8

LocalFree.KERNEL32(00000000,00000000,?,008954B1,00000000), ref: 008499BF
__cftoe.LIBCMT ref: 00849B0B

Strings

bad locale name, xrefs: 008498FF

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$H_prolog3Lockit::_$FreeInitLocalLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
String ID: bad locale name
API String ID: 3103716676-1405518554
Opcode ID: d137f78fc330062f24091bdaf439a0b0165da2aa3e022c53115e8ec5419c16d4
Instruction ID: ec979668cd80d46afbe8096e700f20167cfb3c4854d79cfafca190c9a3807c41
Opcode Fuzzy Hash: d137f78fc330062f24091bdaf439a0b0165da2aa3e022c53115e8ec5419c16d4
Instruction Fuzzy Hash: C1F1897190124CDFDB20DFA8C985BAEBBB5FF09314F244169E845EB281E7359A04CBA1

Function 00843C20 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008436D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00843735
Part of subcall function 008436D0: _wcschr.LIBVCRUNTIME ref: 008437C6

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00843CA8
ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00843D01
ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00843D7A
ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00843EB1
GetLastError.KERNEL32 ref: 00843F34
FreeLibrary.KERNEL32(?), ref: 00843F7B

Strings

NtQueryInformationProcess, xrefs: 00843CA2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
String ID: NtQueryInformationProcess
API String ID: 566592816-2781105232
Opcode ID: 7c7fcf3d1a2434f180153fb162026df0aedfd2a90050cadab1aea8959944a5ac
Instruction ID: 157cd67fe4e2b41e9af51d86bd021942e3306a6ad1a60d11745477e1e46946a4
Opcode Fuzzy Hash: 7c7fcf3d1a2434f180153fb162026df0aedfd2a90050cadab1aea8959944a5ac
Instruction Fuzzy Hash: A0A13A709056599AEB20DF64CC49BAEBBF0FF48308F204599D449E7290E775AA88CF51

Function 008440B0 Relevance: 12.2, APIs: 8, Instructions: 233memorytimeCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,50FA5EA3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00844154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,50FA5EA3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00844177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00844217
OpenProcess.KERNEL32(00000400,00000000,?,50FA5EA3,?,?,?), ref: 008442D2
OpenProcess.KERNEL32(00000400,00000000,?,?,50FA5EA3,?,?,?), ref: 008442F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,50FA5EA3,?,?,?), ref: 00844326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,50FA5EA3,?,?,?), ref: 00844337
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 00844355
CloseHandle.KERNEL32(00000000,?,50FA5EA3,?,?,?), ref: 00844371

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Process$Local$AllocCloseHandleOpenTimes$Free
String ID:
API String ID: 1424318461-0
Opcode ID: 7a7ebdd45c2061a4e7c28e64405c5587620d9bc414aac015de1edf779b89304a
Instruction ID: b0f824edc071cc534b686ad402d6f88a5f0b76c9d7af1dc855574487ea757de8
Opcode Fuzzy Hash: 7a7ebdd45c2061a4e7c28e64405c5587620d9bc414aac015de1edf779b89304a
Instruction Fuzzy Hash: 3581BC71A006199FCB14DFA8D885BAEBBB4FB48714F244229E925E73C0D771A9018BA4

Function 0086266D Relevance: 12.2, APIs: 8, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 008626F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00862786
__alloca_probe_16.LIBCMT ref: 008627B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008627F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00862812
__alloca_probe_16.LIBCMT ref: 00862838
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00862875
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00862892

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 191b3ebca2501f1a7a64162cbd8ca81dcc0d5ff39605447304ade728ec7d5afc
Instruction ID: f490c71ac8a4941c73f2dd7b8d127bc84b09d0de13225243de3af5789f66fd86
Opcode Fuzzy Hash: 191b3ebca2501f1a7a64162cbd8ca81dcc0d5ff39605447304ade728ec7d5afc
Instruction Fuzzy Hash: CB71A235900A0AAFDF219FA8CC45EEE7BB6FF55354F2A40A9E904E7251DB31C900CB61

Function 0086215A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 008621A3
__alloca_probe_16.LIBCMT ref: 008621CF
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0086220E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0086222B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0086226A
__alloca_probe_16.LIBCMT ref: 00862287
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008622C9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 008622EC

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 5ba56c6ce1e61dd5ddd5d24b52c9c4e23792e1903186333f14d65baca09a65c6
Instruction ID: a5027dd9ec385c9a6e1a4fa3c8010288170ef04f436e05cb1646b6be13ea89b1
Opcode Fuzzy Hash: 5ba56c6ce1e61dd5ddd5d24b52c9c4e23792e1903186333f14d65baca09a65c6
Instruction Fuzzy Hash: 4C51C17250061AAFEB205FA8CC45FAB7BB9FF44750F2240A8FA15EA260D734DD109B60

Function 00848610 Relevance: 10.7, APIs: 7, Instructions: 157memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00848657
std::_Lockit::_Lockit.LIBCPMT ref: 00848679
std::_Lockit::~_Lockit.LIBCPMT ref: 008486A1
LocalAlloc.KERNEL32(00000040,00000044,00000000,50FA5EA3,?,00000000), ref: 008486F9
__Getctype.LIBCPMT ref: 0084877B
std::_Facet_Register.LIBCPMT ref: 008487E4
std::_Lockit::~_Lockit.LIBCPMT ref: 0084880E

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 54cfd3d98de21253d1102e7048673052a3758a4291e172c69a881f8fed4b9d85
Instruction ID: 305a6513ca97fa2f45f6399e0c424ba7c254df29864a20a5b2810ee8b2e02747
Opcode Fuzzy Hash: 54cfd3d98de21253d1102e7048673052a3758a4291e172c69a881f8fed4b9d85
Instruction Fuzzy Hash: D661BEB1C00648DFCB11DF68C944BAEBBF0FB24314F258159D845EB392EB34AA45CB91

Function 00849270 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008492A0
std::_Lockit::_Lockit.LIBCPMT ref: 008492C2
std::_Lockit::~_Lockit.LIBCPMT ref: 008492EA
LocalAlloc.KERNEL32(00000040,00000018,00000000,50FA5EA3,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00849342
__Getctype.LIBCPMT ref: 008493BD
std::_Facet_Register.LIBCPMT ref: 008493F8
std::_Lockit::~_Lockit.LIBCPMT ref: 00849422

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 2dcc1da10e8f8acfe711c32e3a75129d4685c886e05cb1cae4c7e668298b0171
Instruction ID: 4f2d66dd0e4930490d157e7a7b1f67683369bee604a066c1794db936b4528939
Opcode Fuzzy Hash: 2dcc1da10e8f8acfe711c32e3a75129d4685c886e05cb1cae4c7e668298b0171
Instruction Fuzzy Hash: 9951CC71904219DFCB21DFA8C84479EBBF4FF15714F248199E885EB381E774AA05CB91

Function 00863F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00863F57
___except_validate_context_record.LIBVCRUNTIME ref: 00863F5F
_ValidateLocalCookies.LIBCMT ref: 00863FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00864013
_ValidateLocalCookies.LIBCMT ref: 00864068

Strings

csm, xrefs: 00863FFD

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: da4d5eb7a90dbf0f62b864771720826c4eb4501d3b3e0619a2052e5b69727847
Instruction ID: 56cd9c11222d1804305d32ccb1fc68b74be18c48891a0d192f66f977eb4af4c6
Opcode Fuzzy Hash: da4d5eb7a90dbf0f62b864771720826c4eb4501d3b3e0619a2052e5b69727847
Instruction Fuzzy Hash: B1419034E00219EBCF10DF68C881A9EBBB5FF44328F158159E915DB392DB32EA15CB91

Function 008772FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00877408,00873841,0000000C,?,00000000,00000000,?,00877632,00000021,FlsSetValue,0088BD58,0088BD60,?), ref: 008773BC

Strings

ext-ms-, xrefs: 00877366
api-ms-, xrefs: 00877352

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 31b18b84787446c431d2bc22bd35c8ed04a33cfa3661576351c36fc8047fbda7
Instruction ID: 372d4d24db7436e795e435808c371de0bb899dd785a7a32e59fadce052fe31d5
Opcode Fuzzy Hash: 31b18b84787446c431d2bc22bd35c8ed04a33cfa3661576351c36fc8047fbda7
Instruction Fuzzy Hash: 38212431A09211EBDB21AB689C81E6A37A9FF81774F694110FD19E7384D730ED00E7E0

Function 0084B500 Relevance: 9.2, APIs: 6, Instructions: 151memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0084B531
std::_Lockit::_Lockit.LIBCPMT ref: 0084B54F
std::_Lockit::~_Lockit.LIBCPMT ref: 0084B577
LocalAlloc.KERNEL32(00000040,0000000C,00000000,50FA5EA3,?,00000000,00000000), ref: 0084B5CF
std::_Facet_Register.LIBCPMT ref: 0084B6B7
std::_Lockit::~_Lockit.LIBCPMT ref: 0084B6E1

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 7b8d4161228ae37ac53af6c67efd75d47c29b58ee7407cbe5856be9acecd39c3
Instruction ID: e837eb38f1e39a53c7e1cc49083f8ddb4dc40ef4c5d5313e5c20669d11f06c68
Opcode Fuzzy Hash: 7b8d4161228ae37ac53af6c67efd75d47c29b58ee7407cbe5856be9acecd39c3
Instruction Fuzzy Hash: D8519EB1904248DFDB11DF98C8807AEBBB4FF20314F25415AE815EB391E7B5DA05CB82

Function 0084B700 Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0084B731
std::_Lockit::_Lockit.LIBCPMT ref: 0084B74F
std::_Lockit::~_Lockit.LIBCPMT ref: 0084B777
LocalAlloc.KERNEL32(00000040,00000008,00000000,50FA5EA3,?,00000000,00000000), ref: 0084B7CF
std::_Facet_Register.LIBCPMT ref: 0084B863
std::_Lockit::~_Lockit.LIBCPMT ref: 0084B88D

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 43ba89d0366bfa50789c78545f4971a8072f5c6e1e7c2c0112a8fe4e67d1198d
Instruction ID: 3c79f3dc408478c54639a2f0bd5d62f6fc4661289da5f096845566fe26888580
Opcode Fuzzy Hash: 43ba89d0366bfa50789c78545f4971a8072f5c6e1e7c2c0112a8fe4e67d1198d
Instruction Fuzzy Hash: EB517BB1904218DBDB11DF98C880BAEBBB4FB54714F28815EE855EB381D775EE04CB81

Function 00870351 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0087043B
__freea.LIBCMT ref: 008704D1
__freea.LIBCMT ref: 008704ED

Strings

am/pm, xrefs: 00870551
a/p, xrefs: 008705B5

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: e6d2d6d45c685bbddd423a3540f6158bd5596cffbf27d55b5ddd9e2ee7b9079f
Instruction ID: 8da3e518e3190c87ca77a509fa80994db8ad1b7f7254fa5cc66c7bbf382abd02
Opcode Fuzzy Hash: e6d2d6d45c685bbddd423a3540f6158bd5596cffbf27d55b5ddd9e2ee7b9079f
Instruction Fuzzy Hash: 64C1CF7490020ADACB28CFA8C999ABA77B0FF55748F24C049E50DEB258D336ED41CF65

Function 00865978 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0086596F,00864900,0086358F), ref: 00865986
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00865994
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008659AD
SetLastError.KERNEL32(00000000,0086596F,00864900,0086358F), ref: 008659FF

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 937cc1ee7fd846e92f0ea4c68bff0b7f91deab3e62d57ca5c64c1e7f9311db7c
Instruction ID: 80645c8b30b31880174b816a66772b6b6f282fb67457f81b8589f3c472e39983
Opcode Fuzzy Hash: 937cc1ee7fd846e92f0ea4c68bff0b7f91deab3e62d57ca5c64c1e7f9311db7c
Instruction Fuzzy Hash: 1D018433209F52EFA624267E7C86A6A2F55FB02779F22032AF514D51E1FE124C619291

Function 00843230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,50FA5EA3,?,00000004), ref: 00843294
MoveFileW.KERNEL32(?,00000000), ref: 0084354A
DeleteFileW.KERNEL32(?), ref: 00843592

Part of subcall function 00841A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00841AF7
Part of subcall function 00841A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00841B7D

Part of subcall function 00842E60: LocalFree.KERNEL32(?,50FA5EA3,?,?,00883C40,000000FF,?,00841242,50FA5EA3,?,?,00883C75,000000FF), ref: 00842EB1

Strings

URL, xrefs: 0084328E, 0084357A
url, xrefs: 008433B9, 00843575

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: FileLocal$Free$AllocDeleteMoveNameTemp
String ID: URL$url
API String ID: 853893950-346267919
Opcode ID: 7f221e14f4a80c88d2dc770acc9a41f908f6a922fa14e0488cdd3d4077f2fb9d
Instruction ID: 4ecff328657a5682f7f3c9f69a658651bb671ed874f493e502e4b5031bc6c746
Opcode Fuzzy Hash: 7f221e14f4a80c88d2dc770acc9a41f908f6a922fa14e0488cdd3d4077f2fb9d
Instruction Fuzzy Hash: D4C1467091826C9ADB24DF28CC98BDDB7B4FF14304F5442D9E009A7291EBB56B88CF91

Function 008436D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00843735
GetLastError.KERNEL32(?,?,?,00884215,000000FF), ref: 0084381A

Part of subcall function 00842310: GetProcessHeap.KERNEL32 ref: 00842365

Part of subcall function 008446F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00843778,-00000010,?,?,?,00884215,000000FF), ref: 00844736

_wcschr.LIBVCRUNTIME ref: 008437C6
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00884215,000000FF), ref: 008437DB

Strings

ntdll.dll, xrefs: 008437B3

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
String ID: ntdll.dll
API String ID: 3941625479-2227199552
Opcode ID: 16c563d26095cf8d9da0207ad3ba6e3f79c5c8ca83884a273c6000bd8e9f5c98
Instruction ID: 16626182ae868183f7cc076a612a417434736ac38b2ece163687563c19c23936
Opcode Fuzzy Hash: 16c563d26095cf8d9da0207ad3ba6e3f79c5c8ca83884a273c6000bd8e9f5c98
Instruction Fuzzy Hash: 63419071A00609DFDB10DFA8CC49BAEB7B4FF14314F144629F926D7281EBB4AA04CB91

Function 0084621F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00841A20: LocalFree.KERNEL32(?), ref: 00841A42

Part of subcall function 00863E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00841434,?,?,0084D341,00841434,00898B5C,?,00841434,?,00000000), ref: 00863EBA

GetCurrentProcess.KERNEL32(50FA5EA3,50FA5EA3,?,?,00000000,00884981,000000FF), ref: 008462EB

Part of subcall function 00862C98: EnterCriticalSection.KERNEL32(0089DD3C,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862CA3
Part of subcall function 00862C98: LeaveCriticalSection.KERNEL32(0089DD3C,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 008462B0
GetProcAddress.KERNEL32(00000000), ref: 008462B7

Part of subcall function 00862C4E: EnterCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C58
Part of subcall function 00862C4E: LeaveCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C8B
Part of subcall function 00862C4E: RtlWakeAllConditionVariable.NTDLL ref: 00862D02

Strings

IsWow64Process, xrefs: 008462A6
kernel32, xrefs: 008462AB

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
String ID: IsWow64Process$kernel32
API String ID: 1333104975-3789238822
Opcode ID: 15de531cdd686c04132e4132c321fae9b73a49f6fb84affcc30e1855e125744a
Instruction ID: 9319dfdd1e3de4564da35d558e03f74346c5ae51e333a89961ed501bd037a76d
Opcode Fuzzy Hash: 15de531cdd686c04132e4132c321fae9b73a49f6fb84affcc30e1855e125744a
Instruction Fuzzy Hash: B421A172948619EBCB11EFA8DD06B5D7BA4FB24710F180215F821D37D0E7755500CB62

Function 00858451 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00858458
_Getvals.LIBCPMT ref: 008584AA
_Mpunct.LIBCPMT ref: 008584E5
_Mpunct.LIBCPMT ref: 008584FF

Strings

$+xv, xrefs: 0085850A

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: d50f3815a2be0b0ba9ec97b93ba186a9e412c301c93d889f8cf5a1aea083cf4b
Instruction ID: cda94bc7484a6528a12c76453e9c5705a7b3c9bedd40e12424ce1cdb2a5fceeb
Opcode Fuzzy Hash: d50f3815a2be0b0ba9ec97b93ba186a9e412c301c93d889f8cf5a1aea083cf4b
Instruction Fuzzy Hash: AD21A7B1904B52AEDB25DF78845077BBEF8FB08302F04455AE899C7A42E734D605CBA5

Function 00846250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(50FA5EA3,50FA5EA3,?,?,00000000,00884981,000000FF), ref: 008462EB

Part of subcall function 00862C98: EnterCriticalSection.KERNEL32(0089DD3C,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862CA3
Part of subcall function 00862C98: LeaveCriticalSection.KERNEL32(0089DD3C,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 008462B0
GetProcAddress.KERNEL32(00000000), ref: 008462B7

Part of subcall function 00862C4E: EnterCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C58
Part of subcall function 00862C4E: LeaveCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C8B
Part of subcall function 00862C4E: RtlWakeAllConditionVariable.NTDLL ref: 00862D02

Strings

IsWow64Process, xrefs: 008462A6
kernel32, xrefs: 008462AB

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 4658499ba0be72a60682e4fcd5620fcf655be90f5259af2bec5d38a3d5efc6b8
Instruction ID: 7fd565a48e8c7ca6695c289f531790e352a3af6da0d9fe47fa593847637e5d05
Opcode Fuzzy Hash: 4658499ba0be72a60682e4fcd5620fcf655be90f5259af2bec5d38a3d5efc6b8
Instruction Fuzzy Hash: E111A272D08658EFDB11DF98DD05B99B7B8F725710F18026AE821D37D0E7796900CB51

Function 008669E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00866AA3,?,?,0089DDCC,00000000,?,00866BCE,00000004,InitializeCriticalSectionEx,008897E8,InitializeCriticalSectionEx,00000000), ref: 00866A72

Strings

api-ms-, xrefs: 00866A32

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 2b0986ebf5f68e442c3b031839ca17e11f382ecc8050dc4e9284d53ed3a40027
Instruction ID: 67ef82e54ac366343757deb2ce1ad72a8b9f00dee63cbce0f4655b58b912e30c
Opcode Fuzzy Hash: 2b0986ebf5f68e442c3b031839ca17e11f382ecc8050dc4e9284d53ed3a40027
Instruction Fuzzy Hash: 1E11E032A00375ABCB229BA89C44B5937A4FF01772F264260FA14FB280E730EE1087D5

Function 00872DEE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,50FA5EA3,?,?,00000000,00886A6C,000000FF,?,00872DC1,?,?,00872D95,?), ref: 00872E23
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00872E35
FreeLibrary.KERNEL32(00000000,?,00000000,00886A6C,000000FF,?,00872DC1,?,?,00872D95,?), ref: 00872E57

Strings

mscoree.dll, xrefs: 00872E1C
CorExitProcess, xrefs: 00872E2D

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4dccc1f0b7b35d7977dce3da7c12a4adcdcb9308e1160d671bb7452a87447b55
Instruction ID: 8d4d9d1a61ae464bc962afb474cab2de02a0cc9a79152acac01eb52dec8e7298
Opcode Fuzzy Hash: 4dccc1f0b7b35d7977dce3da7c12a4adcdcb9308e1160d671bb7452a87447b55
Instruction Fuzzy Hash: C501A272918619ABDB129F44CC09FAEBBB8FB04B10F044526F821E26E0DB78D900CB90

Function 00876DB9 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00876E40
__alloca_probe_16.LIBCMT ref: 00876F01
__freea.LIBCMT ref: 00876F68

Part of subcall function 00875BDC: HeapAlloc.KERNEL32(00000000,00000000,00873841,?,0087543A,?,00000000,?,00866CE7,00000000,00873841,00000000,?,?,?,0087363B), ref: 00875C0E

__freea.LIBCMT ref: 00876F7D
__freea.LIBCMT ref: 00876F8D

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 4ef1c7587c60a35f0ce7bf6d466e7f71f3c248d3512e8e846d9ae749b65481df
Instruction ID: 307592499825f32e9bdf3a516a3ca49b951712cfcd1b9db2edff05c725a098a2
Opcode Fuzzy Hash: 4ef1c7587c60a35f0ce7bf6d466e7f71f3c248d3512e8e846d9ae749b65481df
Instruction Fuzzy Hash: 6251B472600A06AFEB219F68DC81EBF3AA9FF44754B158168FD0CD6254FB31DC208661

Function 0084B8B0 Relevance: 7.6, APIs: 5, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0084B8DD
std::_Lockit::_Lockit.LIBCPMT ref: 0084B900
std::_Lockit::~_Lockit.LIBCPMT ref: 0084B928
std::_Facet_Register.LIBCPMT ref: 0084B98D
std::_Lockit::~_Lockit.LIBCPMT ref: 0084B9B7

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 54490a32960de3d3ad0665c7550f4ddc6deba76f5b25c4cd6e3e1c08aab06804
Instruction ID: ec652d49f2edb5880b2c9af1664044794f8a485d5b262f49ac248986fe6b9f64
Opcode Fuzzy Hash: 54490a32960de3d3ad0665c7550f4ddc6deba76f5b25c4cd6e3e1c08aab06804
Instruction Fuzzy Hash: 0B31A031900218EFCB21DF58D941BAEBFB4FF24324F18419AE955A72A1E771AD05CB92

Function 00845890 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,76B14450,00845646,?,?,?,?,?), ref: 00845898

Strings

Call to ShellExecuteEx() returned:, xrefs: 008458AF
false, xrefs: 008458A2
Last error=, xrefs: 008458D9
true, xrefs: 008458A7, 008458B6

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: 148b07a09bb7ba09dbb9b6fe7f2f9944bab2b8706158f03cd992f6a245b8b40b
Instruction ID: 525e42d1b1b596f3af2c67bdd26b665dd4c4b140cf9201faa43a4635eb1bb3f5
Opcode Fuzzy Hash: 148b07a09bb7ba09dbb9b6fe7f2f9944bab2b8706158f03cd992f6a245b8b40b
Instruction Fuzzy Hash: 7A11A515A10629C7DF302FAC980033AB6E4FF51754F69047FE989D7392FAB98C818395

Function 00851C42 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00851C62
_Maklocstr.LIBCPMT ref: 00851C7F
_Maklocstr.LIBCPMT ref: 00851C9C
_Maklocchr.LIBCPMT ref: 00851CAE
_Maklocchr.LIBCPMT ref: 00851CC1

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 688b69f4f2a7824be27b2912f5cbe6c5e5d1846fffbc5f1fb68130565efe83e9
Instruction ID: 02bf2db3b2a3d2e2e06c70fbe6ed86b9a5e98c83aa58dc7befbf0085234ea080
Opcode Fuzzy Hash: 688b69f4f2a7824be27b2912f5cbe6c5e5d1846fffbc5f1fb68130565efe83e9
Instruction Fuzzy Hash: A01191B1940784BFEB20DBA4C88AF12B7ECFF05351F080519FA45CBA41D665FC5887A5

Function 0084D87C Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0084D883
std::_Lockit::_Lockit.LIBCPMT ref: 0084D88D

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

numpunct.LIBCPMT ref: 0084D8C7
std::_Facet_Register.LIBCPMT ref: 0084D8DE
std::_Lockit::~_Lockit.LIBCPMT ref: 0084D8FE

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 20d620f339bc36e3000c9d7fc2558cb56bf40aadbb1741e0fc52c8513e5fc3e0
Instruction ID: 84a045a16813ec8f3a6f8f891b0a334150d38e1550a41fa769c76943eb267c2f
Opcode Fuzzy Hash: 20d620f339bc36e3000c9d7fc2558cb56bf40aadbb1741e0fc52c8513e5fc3e0
Instruction Fuzzy Hash: 5F117C35900219EBCF15BBA898516BE77A1FF84711F240859E811EB291DF709E058B92

Function 008522FA Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852301
std::_Lockit::_Lockit.LIBCPMT ref: 0085230B

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

codecvt.LIBCPMT ref: 00852345
std::_Facet_Register.LIBCPMT ref: 0085235C
std::_Lockit::~_Lockit.LIBCPMT ref: 0085237C

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 97a2a3efe1145e9fa3727e1e30b962795f046f91639d23ff127b59a25f96037d
Instruction ID: 741e43d21e81f18a435ab3b3e1eb968e072f4296f8ac42c9b5ad840e2c6a99de
Opcode Fuzzy Hash: 97a2a3efe1145e9fa3727e1e30b962795f046f91639d23ff127b59a25f96037d
Instruction Fuzzy Hash: A101C031900219DBCB15FBA8D841ABEB7A1FF80721F280509F910EB391DF749E098B92

Function 0085238F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852396
std::_Lockit::_Lockit.LIBCPMT ref: 008523A0

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

codecvt.LIBCPMT ref: 008523DA
std::_Facet_Register.LIBCPMT ref: 008523F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00852411

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 30dc9c7092595256ea6cb8a593f06d83ea0d9baf84de61c05915f994b3a93760
Instruction ID: 21ed2b1d8e6774c01d604878e03f04312e66e83580d32dd7c322488de021612e
Opcode Fuzzy Hash: 30dc9c7092595256ea6cb8a593f06d83ea0d9baf84de61c05915f994b3a93760
Instruction Fuzzy Hash: A801C031900219DBCB15FBA898416BE77A1FF80721F284409E811EB391CF749E09CB92

Function 008524B9 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008524C0
std::_Lockit::_Lockit.LIBCPMT ref: 008524CA

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

collate.LIBCPMT ref: 00852504
std::_Facet_Register.LIBCPMT ref: 0085251B
std::_Lockit::~_Lockit.LIBCPMT ref: 0085253B

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 6638ce533f0433851a3e31b15d2aec2b792fe1490512f84d9272783343de1b0a
Instruction ID: 5df4c22a69e4c5516caace4407674d7d49e33bd594fa48f8cd55f55ab63dbe91
Opcode Fuzzy Hash: 6638ce533f0433851a3e31b15d2aec2b792fe1490512f84d9272783343de1b0a
Instruction Fuzzy Hash: 3501D232900229DBCB15FBA8D8556AEB7B1FF94722F240409F810E7391DF709E08CB92

Function 00852424 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085242B
std::_Lockit::_Lockit.LIBCPMT ref: 00852435

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

collate.LIBCPMT ref: 0085246F
std::_Facet_Register.LIBCPMT ref: 00852486
std::_Lockit::~_Lockit.LIBCPMT ref: 008524A6

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: f089445d170f0a4400e47da9784f50ed5aec00a9fcfd7f6aab30dee300dd3f62
Instruction ID: 5608da17000c8978abc92f1d6421267b48c44633512e8c9c261643dd704a67ef
Opcode Fuzzy Hash: f089445d170f0a4400e47da9784f50ed5aec00a9fcfd7f6aab30dee300dd3f62
Instruction Fuzzy Hash: D701C031900219DBCB15FBA8D8416AE7BA1FF85721F280409F810E73D1DF709E08CB96

Function 008525E3 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008525EA
std::_Lockit::_Lockit.LIBCPMT ref: 008525F4

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

messages.LIBCPMT ref: 0085262E
std::_Facet_Register.LIBCPMT ref: 00852645
std::_Lockit::~_Lockit.LIBCPMT ref: 00852665

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: f318752477d38ef261cd912c44da4b3aae590d1b1c0440a0077a40562e18b208
Instruction ID: c3ba1f943fc1d5c1f28843ce4034e1cc6400b557bb6d20465a62bcd405700c69
Opcode Fuzzy Hash: f318752477d38ef261cd912c44da4b3aae590d1b1c0440a0077a40562e18b208
Instruction Fuzzy Hash: 3C01D231900219DBCB11FBA8D851AAE7BB1FF91721F284409F811E7391CF709E08CB92

Function 0085254E Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852555
std::_Lockit::_Lockit.LIBCPMT ref: 0085255F

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

ctype.LIBCPMT ref: 00852599
std::_Facet_Register.LIBCPMT ref: 008525B0
std::_Lockit::~_Lockit.LIBCPMT ref: 008525D0

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: 433232930d051f36a7b1fbfe8a1a999065247428981873a2b36fb9b1ceda3e00
Instruction ID: d41d6cebfb0d5d2af5ec637ceb6f2072c7f010b42ced02a236a820bc72ca14b0
Opcode Fuzzy Hash: 433232930d051f36a7b1fbfe8a1a999065247428981873a2b36fb9b1ceda3e00
Instruction Fuzzy Hash: 1901C031900219DBCB11FBA8D852AAE7BA1FF84721F240409E811E7291EF709E08CB92

Function 0084D6BD Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0084D6C4
std::_Lockit::_Lockit.LIBCPMT ref: 0084D6CE

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

codecvt.LIBCPMT ref: 0084D708
std::_Facet_Register.LIBCPMT ref: 0084D71F
std::_Lockit::~_Lockit.LIBCPMT ref: 0084D73F

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: cd205f2aaff8deb6712e9b9bef78bcdd405866305ab96237d18929003dec7732
Instruction ID: 4ea8b5cdfb7cb2d33438c0514b62efa90d90cdfcf3a09ffa1df82726887b3985
Opcode Fuzzy Hash: cd205f2aaff8deb6712e9b9bef78bcdd405866305ab96237d18929003dec7732
Instruction Fuzzy Hash: 8501C03690021DDBCB11FBA898516BE7BA1FF80721F25050AF810EB292CF749E048B92

Function 00852678 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085267F
std::_Lockit::_Lockit.LIBCPMT ref: 00852689

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

messages.LIBCPMT ref: 008526C3
std::_Facet_Register.LIBCPMT ref: 008526DA
std::_Lockit::~_Lockit.LIBCPMT ref: 008526FA

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 5058c115d018518b83cb397aec8bb85d72e3dd2e126a4c860e64171d55108dc7
Instruction ID: 496dd065130597c2b9fc4410838c294bee11e1d9c42a1a6542639519a1b1d9e7
Opcode Fuzzy Hash: 5058c115d018518b83cb397aec8bb85d72e3dd2e126a4c860e64171d55108dc7
Instruction Fuzzy Hash: 8701C432900229DFCB11FB68D8456BEB7B1FF94721F240409E910E7291CF709E098B92

Function 0085E8D8 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085E8DF
std::_Lockit::_Lockit.LIBCPMT ref: 0085E8E9

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

messages.LIBCPMT ref: 0085E923
std::_Facet_Register.LIBCPMT ref: 0085E93A
std::_Lockit::~_Lockit.LIBCPMT ref: 0085E95A

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 8fa94060146441b38eda78c0d52a371d91d6e0902025d3fe9e48f8002a73724a
Instruction ID: 58cc4438edbacce6d378f451a83c773c4d9cfb19bbcc1831fa761d22a336c2a7
Opcode Fuzzy Hash: 8fa94060146441b38eda78c0d52a371d91d6e0902025d3fe9e48f8002a73724a
Instruction Fuzzy Hash: A7018835900219DBCB15FB68984167E7BA1FF84712F250509E915E7291CF749F048B92

Function 0085E843 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085E84A
std::_Lockit::_Lockit.LIBCPMT ref: 0085E854

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

collate.LIBCPMT ref: 0085E88E
std::_Facet_Register.LIBCPMT ref: 0085E8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 0085E8C5

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: aab2e2a4804700023a9b03cf239b1c2010775e483096309a054de04330939cd6
Instruction ID: 57b535a88b172e5831a8934a97822a5e46a735417b432ee6c86324efffc56ecb
Opcode Fuzzy Hash: aab2e2a4804700023a9b03cf239b1c2010775e483096309a054de04330939cd6
Instruction Fuzzy Hash: E701C436900129DBCB15FB6898416AE7BB1FF84711F244419F811EB2D1CF709E088B92

Function 008529F6 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008529FD
std::_Lockit::_Lockit.LIBCPMT ref: 00852A07

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

moneypunct.LIBCPMT ref: 00852A41
std::_Facet_Register.LIBCPMT ref: 00852A58
std::_Lockit::~_Lockit.LIBCPMT ref: 00852A78

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 8c470051bf432be039c3ebcbbb47ce1548204c94eda4d4e996d2a410c78c6c77
Instruction ID: 9a2bf26f7cd733cd0bcc0f8215f34d9016d67202b7488f32f273bce08c3ebe09
Opcode Fuzzy Hash: 8c470051bf432be039c3ebcbbb47ce1548204c94eda4d4e996d2a410c78c6c77
Instruction Fuzzy Hash: 9801D631900229DFCB11FB68D8516BE77B1FF44711F290409F911EB291CF709E098B92

Function 00852961 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852968
std::_Lockit::_Lockit.LIBCPMT ref: 00852972

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

moneypunct.LIBCPMT ref: 008529AC
std::_Facet_Register.LIBCPMT ref: 008529C3
std::_Lockit::~_Lockit.LIBCPMT ref: 008529E3

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 55c069c73d965aa2e12b3c0682678a6fa52ba47e950b4f44dac4fc4e75e46bdb
Instruction ID: 8d5e98e2b47ca2b88c149488c268db18a7fae4d2306269341dbf5881d494ee24
Opcode Fuzzy Hash: 55c069c73d965aa2e12b3c0682678a6fa52ba47e950b4f44dac4fc4e75e46bdb
Instruction Fuzzy Hash: 0F01D631900219DFCB11FB68D842AAE7BB1FF84711F240509F910EB391CF709E098B92

Function 00852A8B Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852A92
std::_Lockit::_Lockit.LIBCPMT ref: 00852A9C

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

moneypunct.LIBCPMT ref: 00852AD6
std::_Facet_Register.LIBCPMT ref: 00852AED
std::_Lockit::~_Lockit.LIBCPMT ref: 00852B0D

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 29915a8de8f33b559d74e5217c17b6ca54027b77754f409f9c71d73e5c3e372f
Instruction ID: ac55f5ce75a30c0d1db6a39770584d5c70a6725f8a9e78bf7cc0554bd015d924
Opcode Fuzzy Hash: 29915a8de8f33b559d74e5217c17b6ca54027b77754f409f9c71d73e5c3e372f
Instruction Fuzzy Hash: FD018471900229DFCB15FB68D8516AE77A1FF85721F254409F911E7292CF709E09CB92

Function 0085EA97 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085EA9E
std::_Lockit::_Lockit.LIBCPMT ref: 0085EAA8

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

moneypunct.LIBCPMT ref: 0085EAE2
std::_Facet_Register.LIBCPMT ref: 0085EAF9
std::_Lockit::~_Lockit.LIBCPMT ref: 0085EB19

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: dec8da3bc7bb0a7b3396b6969f95106d92a6435e8e7b1cc725a2d05f3b58727d
Instruction ID: ee09b354b8ef5f21ac17f55a4df4d5a5afe1e68ddfad875a03af3565ae5a640e
Opcode Fuzzy Hash: dec8da3bc7bb0a7b3396b6969f95106d92a6435e8e7b1cc725a2d05f3b58727d
Instruction Fuzzy Hash: B7018431D00219DBCB19FB68DD416AE77B1FF44722F250549E815E72D2DF709E098B92

Function 00852B20 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852B27
std::_Lockit::_Lockit.LIBCPMT ref: 00852B31

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

moneypunct.LIBCPMT ref: 00852B6B
std::_Facet_Register.LIBCPMT ref: 00852B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00852BA2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 92c598db1e3c78ab78609cbfd0ef072eb202bb9e7bfabc99fa813896c4caa0e7
Instruction ID: 4d99b33976bd739f78ecc890cba526869acfb5580d5ab7a3e757f1cf7e2ced89
Opcode Fuzzy Hash: 92c598db1e3c78ab78609cbfd0ef072eb202bb9e7bfabc99fa813896c4caa0e7
Instruction Fuzzy Hash: BA018035900229DBCB15FBA898456AE77B1FF84721F250409E915E7292DF709E088B92

Function 0085EB2C Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085EB33
std::_Lockit::_Lockit.LIBCPMT ref: 0085EB3D

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

moneypunct.LIBCPMT ref: 0085EB77
std::_Facet_Register.LIBCPMT ref: 0085EB8E
std::_Lockit::~_Lockit.LIBCPMT ref: 0085EBAE

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 6b00f7d7076034d9d17b61c26f18772b589f594729c43ccef71fb3ec1833661c
Instruction ID: 6b2875e5be5462de4a1d13e6c33d3f7ce4e69e340d4d8d73154fa85b1d881f70
Opcode Fuzzy Hash: 6b00f7d7076034d9d17b61c26f18772b589f594729c43ccef71fb3ec1833661c
Instruction Fuzzy Hash: 21018431900119DBCB15FB68D8916AE77B5FF84722F254409E911F72D1CF749E098B92

Function 00852D74 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852D7B
std::_Lockit::_Lockit.LIBCPMT ref: 00852D85

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

numpunct.LIBCPMT ref: 00852DBF
std::_Facet_Register.LIBCPMT ref: 00852DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00852DF6

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: ae1abc8b975e56b146e4ede4717fdf4b2c0827e0f549f85095172f94c2e69da7
Instruction ID: f8219a29c96e9ea459caadf8e15e506a3bfabe7e7de574cade74aab9f074da16
Opcode Fuzzy Hash: ae1abc8b975e56b146e4ede4717fdf4b2c0827e0f549f85095172f94c2e69da7
Instruction Fuzzy Hash: 4D019235900229DBCB15FBA8D8516BE77B1FF85721F690409F811E7392CF709E098B92

Function 00862C4E Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C58
LeaveCriticalSection.KERNEL32(0089DD3C,?,?,00842427,0089E638,00886B40), ref: 00862C8B
RtlWakeAllConditionVariable.NTDLL ref: 00862D02
SetEvent.KERNEL32(?,00842427,0089E638,00886B40), ref: 00862D0C
ResetEvent.KERNEL32(?,00842427,0089E638,00886B40), ref: 00862D18

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: f66c9de502f46d49432e82363b61a00ddb1dcc38279d27fa701b12023c175a3d
Instruction ID: ba082b13cca049ed041d1e18723ad05074616ee081670762003d67a3dc822cfc
Opcode Fuzzy Hash: f66c9de502f46d49432e82363b61a00ddb1dcc38279d27fa701b12023c175a3d
Instruction Fuzzy Hash: A4016932609A20DFCB11BF18FC48A98BB75FF49755B09046AF90287330CB319901CF94

Function 0084BB40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,50FA5EA3,?,00000000), ref: 0084BBA3
Concurrency::cancel_current_task.LIBCPMT ref: 0084BD7F

Strings

false, xrefs: 0084BC95
true, xrefs: 0084BCAB

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal
String ID: false$true
API String ID: 3924972193-2658103896
Opcode ID: 9b99f3225c2cd5dc6ceea78abc10891674b637f1c9396f64a8a086228e254d70
Instruction ID: c40a4559d0c1043fe7dc0e21aae2451edb8a807d5c89c764995697e74b2c332b
Opcode Fuzzy Hash: 9b99f3225c2cd5dc6ceea78abc10891674b637f1c9396f64a8a086228e254d70
Instruction Fuzzy Hash: E76170B1D00748DBDB10DFA8C845B9EB7B8FF14704F14426AE855EB281E775AA48CB91

Function 0085D3CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085D3D2

Part of subcall function 0085254E: __EH_prolog3.LIBCMT ref: 00852555
Part of subcall function 0085254E: std::_Lockit::_Lockit.LIBCPMT ref: 0085255F
Part of subcall function 0085254E: std::_Lockit::~_Lockit.LIBCPMT ref: 008525D0

_Find_elem.LIBCPMT ref: 0085D46E

Strings

%.0Lf, xrefs: 0085D419
0123456789-, xrefs: 0085D41E

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2544715827-3094241602
Opcode ID: 6420ec5e0363abf476d655b66512fe9b4b0b76011c23b403c53b856da9ccbe45
Instruction ID: c1641c9509c95507089584dbf6c29201999b046c56986fa3ebd51ba5d4e7d8df
Opcode Fuzzy Hash: 6420ec5e0363abf476d655b66512fe9b4b0b76011c23b403c53b856da9ccbe45
Instruction Fuzzy Hash: B6414B31900218DFCF15EFA8C880ADDBBB5FF08316F100159EC11EB255DB30AA5ACBA6

Function 0085D66F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085D676

Part of subcall function 00848610: std::_Lockit::_Lockit.LIBCPMT ref: 00848657
Part of subcall function 00848610: std::_Lockit::_Lockit.LIBCPMT ref: 00848679
Part of subcall function 00848610: std::_Lockit::~_Lockit.LIBCPMT ref: 008486A1
Part of subcall function 00848610: std::_Lockit::~_Lockit.LIBCPMT ref: 0084880E

_Find_elem.LIBCPMT ref: 0085D712

Strings

0123456789-, xrefs: 0085D6BD
0123456789-, xrefs: 0085D6C2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: 18fb61bc83d70e65df7d9678e49e3cc9d2c7e9f45663e9b8ff5ef0f6a98e88f1
Instruction ID: a3ecd6ab192ca204c646e346c7853dbd68383a652dcf7640b351400d50b84fb0
Opcode Fuzzy Hash: 18fb61bc83d70e65df7d9678e49e3cc9d2c7e9f45663e9b8ff5ef0f6a98e88f1
Instruction Fuzzy Hash: B241587190021DDFCF15EFA8C880ADEBBB5FF18315F500159E911EB255DB30AA5ACBA2

Function 0086175A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00861761

Part of subcall function 00849270: std::_Lockit::_Lockit.LIBCPMT ref: 008492A0
Part of subcall function 00849270: std::_Lockit::_Lockit.LIBCPMT ref: 008492C2
Part of subcall function 00849270: std::_Lockit::~_Lockit.LIBCPMT ref: 008492EA
Part of subcall function 00849270: std::_Lockit::~_Lockit.LIBCPMT ref: 00849422

_Find_elem.LIBCPMT ref: 008617FB

Strings

0123456789-, xrefs: 008617AD
0123456789-, xrefs: 008617A8

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: ab7e0f0467ada78aa9ceb88235e615db476d5d2b6ec30580b65241ba37a9fc3d
Instruction ID: 6e055d79c2fa802a5bbca8d01a4910adc4b7dd057199d276f8c840ff365fca21
Opcode Fuzzy Hash: ab7e0f0467ada78aa9ceb88235e615db476d5d2b6ec30580b65241ba37a9fc3d
Instruction Fuzzy Hash: A1415A3190121DDFCF15EFA8D885A9EBBB5FF04314F11005AE811EB256DB349A16CB96

Function 00858386 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085838D

Part of subcall function 00851C42: _Maklocstr.LIBCPMT ref: 00851C62
Part of subcall function 00851C42: _Maklocstr.LIBCPMT ref: 00851C7F
Part of subcall function 00851C42: _Maklocstr.LIBCPMT ref: 00851C9C
Part of subcall function 00851C42: _Maklocchr.LIBCPMT ref: 00851CAE
Part of subcall function 00851C42: _Maklocchr.LIBCPMT ref: 00851CC1

_Mpunct.LIBCPMT ref: 0085841A
_Mpunct.LIBCPMT ref: 00858434

Strings

$+xv, xrefs: 0085843F

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 94c39b0874fb8bca79c4783b28b28869ff270f17024488ce5e6cc8ae12078276
Instruction ID: 9c3545ddffb0c280bfb8ac62cd9bd40d07004103b4d54ff8617cd97b454f7a01
Opcode Fuzzy Hash: 94c39b0874fb8bca79c4783b28b28869ff270f17024488ce5e6cc8ae12078276
Instruction Fuzzy Hash: 7921B5B1904A92AEDB25DF79849077BBEE8FB08701F04055AE899C7A42E730DA05CB91

Function 0085FFEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085FFF1
_Mpunct.LIBCPMT ref: 0086007E
_Mpunct.LIBCPMT ref: 00860098

Strings

$+xv, xrefs: 008600A3

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 4b63ce56395b8fd5504c5e8a30af46251090933c14bd06e9342f3cfab3de8e01
Instruction ID: 34ec285cd9abf8b6fa8185ace386c9a798a5f2e3deb5a52c72209b75554442c3
Opcode Fuzzy Hash: 4b63ce56395b8fd5504c5e8a30af46251090933c14bd06e9342f3cfab3de8e01
Instruction Fuzzy Hash: 4C2192B1904B526EDB26DF78849077BBEF8FB0C301F04455AE499C7A42E734EA05CBA5

Function 008424C0 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00841434,?,00000000), ref: 00842569
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00841434,?,00000000), ref: 00842589
LocalFree.KERNEL32(?,00841434,?,00000000), ref: 008425DF
CloseHandle.KERNEL32(00000000,50FA5EA3,?,00000000,00883C40,000000FF,00000008,?,?,?,?,00841434,?,00000000), ref: 00842633
LocalFree.KERNEL32(?,50FA5EA3,?,00000000,00883C40,000000FF,00000008,?,?,?,?,00841434), ref: 00842647

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Local$AllocFree$CloseHandle
String ID:
API String ID: 1291444452-0
Opcode ID: 5a8e3836c1799013fdad6b8a33d36c94b91cf9845278afeac4359393e5b3e182
Instruction ID: 580adee2732f923baf15087ee4e2f2a58a37f957cbb3b7b1405ee7da86cdc963
Opcode Fuzzy Hash: 5a8e3836c1799013fdad6b8a33d36c94b91cf9845278afeac4359393e5b3e182
Instruction Fuzzy Hash: B54129326087199BC3149F6CD894B5ABBE8FF49360F62072AF526C72D0EB30D84487A0

Function 00881D9B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(50FA5EA3,?,00000000,?), ref: 00881DFE

Part of subcall function 0087A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00876F5E,?,00000000,-00000008), ref: 0087AA67

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00882059
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 008820A1
GetLastError.KERNEL32 ref: 00882144

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 4d94e98316bbf59a371e1ffcd1c9ccf05d211139e210f2b27c79e98174eabd47
Instruction ID: b93ae2c81e60d585165c924e12382e283b7b1705068ee0661ce31835d0ea5960
Opcode Fuzzy Hash: 4d94e98316bbf59a371e1ffcd1c9ccf05d211139e210f2b27c79e98174eabd47
Instruction Fuzzy Hash: DCD169B5D00258DFCF15DFA8D8849ADBBB9FF09314F28452AE925EB351D730A942CB50

Function 008535F7 Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 008535FE
_strcspn.LIBCMT ref: 00853666
_strcspn.LIBCMT ref: 00853686
ctype.LIBCPMT ref: 008536E4

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: ab895ff86379c8470449e6c13cb0536d228521355e96807e9f069bb27dc84ee9
Instruction ID: 36cf87779cf2551905a04bc16fe9808f1fcf3cb3a66957592300a3a201258550
Opcode Fuzzy Hash: ab895ff86379c8470449e6c13cb0536d228521355e96807e9f069bb27dc84ee9
Instruction Fuzzy Hash: 44B149B5D0024DAFCF15DF98C881AEEBBB9FF48351F144129E805EB251D730AA59CBA1

Function 0084DA6F Relevance: 6.3, APIs: 4, Instructions: 279COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0084DA76
_strcspn.LIBCMT ref: 0084DADE
_strcspn.LIBCMT ref: 0084DAFE
ctype.LIBCPMT ref: 0084DB5C

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: _strcspn$H_prolog3_ctype
String ID:
API String ID: 838279627-0
Opcode ID: 62e111cd418a53c89997da40251427208f42f7844206022d9c4e7081904a488f
Instruction ID: 3b0bab18f6b826d9b8bd2231ec8690782eaec1f6caa4e4be189c01216b7b955e
Opcode Fuzzy Hash: 62e111cd418a53c89997da40251427208f42f7844206022d9c4e7081904a488f
Instruction Fuzzy Hash: E1B1367190025D9FDF10DF98C981AEEBBB9FF08310F144029E815EB256D774AE46CBA1

Function 00865A58 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00865B1F
___AdjustPointer.LIBCMT ref: 00865B42
___AdjustPointer.LIBCMT ref: 00865BDE

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f4bf4df0ee2faa88a4a3ca94fe37bcfe93fa10dec8acf3b64f4d20aad5be71ed
Instruction ID: 370d3fcb1ce323181bfd2dce384586b7e1f8dc7fb8a3dfbbf61f68fdb27e0691
Opcode Fuzzy Hash: f4bf4df0ee2faa88a4a3ca94fe37bcfe93fa10dec8acf3b64f4d20aad5be71ed
Instruction Fuzzy Hash: 62510472601B16AFDB299F58D891BBAB7A4FF01321F16462DE905CB291E731EC40CB91

Function 008724E8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7362a25a26800e6296a9a7c988f61aa42e0482ebf9bf39a98019649b7801d50
Instruction ID: e1b89641d53f86420a9c683700c0231b166d3be11319723a171f62309defcb21
Opcode Fuzzy Hash: a7362a25a26800e6296a9a7c988f61aa42e0482ebf9bf39a98019649b7801d50
Instruction Fuzzy Hash: 8121DE71604205AFDB60AF79CCA2D2B7BA9FF44368710C519F81DC7254EB30EC00A7A1

Function 00846FB0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00846FB7

Strings

> returned:, xrefs: 00846FC6
Call to ShellExecute() for verb<, xrefs: 00846FC1
Last error=, xrefs: 00847011

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: c2958d844cf01432c7c194ec0b63c67788db0fde11772ad3d520031c4f9debe5
Instruction ID: adb071e31fa471321a4dbf971255d3a88514c9e279da4aec7aa6596c3af55dad
Opcode Fuzzy Hash: c2958d844cf01432c7c194ec0b63c67788db0fde11772ad3d520031c4f9debe5
Instruction Fuzzy Hash: C3219F59A1066582CB342F7CD401339A2E0FF55758F69086FE9C8D7380FBB98C8283A6

Function 0084CCE0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,50FA5EA3), ref: 0084CD1C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0084CD3C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0084CD6D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0084CD86

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 713c0227b63faf63697613bf43322edbeece8dcb49b06313e678989fa97a9998
Instruction ID: 966a5346e430951c6044237221653b3db75c3fd35946e32a657448f773c013aa
Opcode Fuzzy Hash: 713c0227b63faf63697613bf43322edbeece8dcb49b06313e678989fa97a9998
Instruction Fuzzy Hash: E8217F70941619EFD7209F54DC09FAABBB8FB05B14F204269F611F72D0D7B46A0587E4

Function 008527A2 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008527A9
std::_Lockit::_Lockit.LIBCPMT ref: 008527B3

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852804
std::_Lockit::~_Lockit.LIBCPMT ref: 00852824

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 1eae5cf1c0edbad0e09539daf9c57c3b59b54596b788d16e2a2f1aa7f321048a
Instruction ID: bc99f64f7fb5de9c6329c1b351cdb23f6c9d9405060cefbde54bd0f4d3b86216
Opcode Fuzzy Hash: 1eae5cf1c0edbad0e09539daf9c57c3b59b54596b788d16e2a2f1aa7f321048a
Instruction Fuzzy Hash: 4301C031900229DBCB11FBA898516BE77B1FF84722F240419ED11E7392CF709E098B92

Function 0084D7E7 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0084D7EE
std::_Lockit::_Lockit.LIBCPMT ref: 0084D7F8

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0084D849
std::_Lockit::~_Lockit.LIBCPMT ref: 0084D869

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: ffcf88cf5ad2f4b1fa4430abe737f51dc6ae0836ec9f499ab1a33c0bc4e4b54f
Instruction ID: 3167b7b6b711778c3e85b49a506d8df8d0013e40195a9aa8d02c67d6e80cfe11
Opcode Fuzzy Hash: ffcf88cf5ad2f4b1fa4430abe737f51dc6ae0836ec9f499ab1a33c0bc4e4b54f
Instruction Fuzzy Hash: 5901803290021DEBCB15FBA8D8426BE77A1FF84721F250859E511EB291DF709E058B92

Function 0085270D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852714
std::_Lockit::_Lockit.LIBCPMT ref: 0085271E

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0085276F
std::_Lockit::~_Lockit.LIBCPMT ref: 0085278F

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 50c504f60f9ca65f191bec889558a3df55a56352e96cc1a777c57eef322e6b78
Instruction ID: 3867958e4adfd68e60dbbf1fe57d1460b242aed3e8f56f6d628bea900b9a3577
Opcode Fuzzy Hash: 50c504f60f9ca65f191bec889558a3df55a56352e96cc1a777c57eef322e6b78
Instruction Fuzzy Hash: 08018436900219DBCB15FB6898456AE77B1FF44712F290509E815EB292DF709E098B92

Function 0084D752 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0084D759
std::_Lockit::_Lockit.LIBCPMT ref: 0084D763

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0084D7B4
std::_Lockit::~_Lockit.LIBCPMT ref: 0084D7D4

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 6188e85aafb74ebcc7ec60ac4acdd9f8150d1ea9fbfc8f63d2e3037d074f97a0
Instruction ID: 5b2d37e316d8bc6f7c116fbe7d03bf26e34426c6eace74e9f36f99f8096faf46
Opcode Fuzzy Hash: 6188e85aafb74ebcc7ec60ac4acdd9f8150d1ea9fbfc8f63d2e3037d074f97a0
Instruction Fuzzy Hash: 7701CC3690022DDBCB15FBA898426AE77A1FF80725F280409E811EB291CF749E048B92

Function 008528CC Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008528D3
std::_Lockit::_Lockit.LIBCPMT ref: 008528DD

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0085292E
std::_Lockit::~_Lockit.LIBCPMT ref: 0085294E

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 02413a92699dfd4614e7d8d5247ce50b015c5eb36cefe3422c0aa6498f5e93bc
Instruction ID: d8459059b3ebb453e9b0b7a62b120f9c73e7193a88766911eeabdf6ce2d09ac7
Opcode Fuzzy Hash: 02413a92699dfd4614e7d8d5247ce50b015c5eb36cefe3422c0aa6498f5e93bc
Instruction Fuzzy Hash: 9C01D635900229DBCB11FB68D851ABE7BB1FF85722F240409F911E7392CF709E098B92

Function 00852837 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085283E
std::_Lockit::_Lockit.LIBCPMT ref: 00852848

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852899
std::_Lockit::~_Lockit.LIBCPMT ref: 008528B9

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 16fa66d159bbf33eae1b12746686125c93086426b597aa34cbb0880cc08dfd58
Instruction ID: 99ffcf29d3ef7b59c3fd985def1619ba4ad4aa94db6321d1e05bb5401944d00e
Opcode Fuzzy Hash: 16fa66d159bbf33eae1b12746686125c93086426b597aa34cbb0880cc08dfd58
Instruction Fuzzy Hash: B7018431900129DFCB15FBA8D9416BE77B1FF84721F290519E911EB292DF709E098B92

Function 0085E96D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085E974
std::_Lockit::_Lockit.LIBCPMT ref: 0085E97E

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0085E9CF
std::_Lockit::~_Lockit.LIBCPMT ref: 0085E9EF

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 64f658909b73ab0268040ccf234ca9bacf74202c2d559f22b3d5a72277856ff2
Instruction ID: 86e9796271f4567547d396e345d613e58397d3eb03fd0e3e0d2d0c1ea29e444d
Opcode Fuzzy Hash: 64f658909b73ab0268040ccf234ca9bacf74202c2d559f22b3d5a72277856ff2
Instruction Fuzzy Hash: 41018431900229DBCB15FB6898426BE7BA5FF84711F250509F911E7291CF749E088B96

Function 0085EA02 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085EA09
std::_Lockit::_Lockit.LIBCPMT ref: 0085EA13

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0085EA64
std::_Lockit::~_Lockit.LIBCPMT ref: 0085EA84

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 2b1beaa8735eb2cd0ac23323b6a201ebe1ba40d9af89df6fa2a107376c596ea0
Instruction ID: a07b441aace9451cf3e05aec7e425a3f645327fbfb26334508a665876cddee0d
Opcode Fuzzy Hash: 2b1beaa8735eb2cd0ac23323b6a201ebe1ba40d9af89df6fa2a107376c596ea0
Instruction Fuzzy Hash: 3701D635900229DBCB15FB68D8416AE77B1FF94711F290409F811E7391CF749E088B92

Function 00852BB5 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00852BC6

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852C17
std::_Lockit::~_Lockit.LIBCPMT ref: 00852C37

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 58947cc190c1ba435909147b681d020ce0bd3c8f2dc9e08007adc93180debf42
Instruction ID: e0087e7499e10711ddbc160cd6fc6770fd4bf5eca49fb1098e1e88bdc65d9ea2
Opcode Fuzzy Hash: 58947cc190c1ba435909147b681d020ce0bd3c8f2dc9e08007adc93180debf42
Instruction Fuzzy Hash: FC01C031900229DBCB15FBA8D8416AE77B1FF90721F25444AE811E7292DF709E08CB92

Function 0085EBC1 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085EBC8
std::_Lockit::_Lockit.LIBCPMT ref: 0085EBD2

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0085EC23
std::_Lockit::~_Lockit.LIBCPMT ref: 0085EC43

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: c9d587abe508a9ba1494fc51e1813f49cd266faa211951c52966e33bca63a3e3
Instruction ID: 2538a313891ee5c6f7919c88345d3c157eb31a3eab81304d66223587be7cf5d9
Opcode Fuzzy Hash: c9d587abe508a9ba1494fc51e1813f49cd266faa211951c52966e33bca63a3e3
Instruction Fuzzy Hash: 2B01C435900119DBCB15FB68D8466BE77B1FF80712F290449E915E72D1CF70DE098B92

Function 00852CDF Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852CE6
std::_Lockit::_Lockit.LIBCPMT ref: 00852CF0

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852D41
std::_Lockit::~_Lockit.LIBCPMT ref: 00852D61

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: bdec38c0bc21e20dbb7836db1df798fae5e5d3540b6ab508986c79f11ad1a835
Instruction ID: 9b6bc9c0722f24466b43758e6c8053a353f78dd8af9c15c9fc192d292d75800c
Opcode Fuzzy Hash: bdec38c0bc21e20dbb7836db1df798fae5e5d3540b6ab508986c79f11ad1a835
Instruction Fuzzy Hash: 5001C03190021DDBCB25FBA8D8416AE7BB1FF84722F250509F911E72D2CF709E098B92

Function 00852C4A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852C51
std::_Lockit::_Lockit.LIBCPMT ref: 00852C5B

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852CAC
std::_Lockit::~_Lockit.LIBCPMT ref: 00852CCC

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 4efcd4bf8dba4c1257316aa2b154005d4c13b713acafd409ec00fad56d7f374d
Instruction ID: 42c2f903e0fc304d0ad72ff2d49e7510323662251fb07bd5e6061ad7a210f23a
Opcode Fuzzy Hash: 4efcd4bf8dba4c1257316aa2b154005d4c13b713acafd409ec00fad56d7f374d
Instruction Fuzzy Hash: C401C036901219DBCB11FBA898416BEBBB1FF80711F250409F811EB392CF749E088B92

Function 0085EC56 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0085EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 0085EC67

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 0085ECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 0085ECD8

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: f491bce50fcaacff51000c768b4fae9b32b17f4953e8fc18c7bf42042c7d43b8
Instruction ID: 129d8d328a4a4b087c279d2ce6bf3eda8e59b15af98c3eb902b9541164aaed90
Opcode Fuzzy Hash: f491bce50fcaacff51000c768b4fae9b32b17f4953e8fc18c7bf42042c7d43b8
Instruction Fuzzy Hash: BE01C031900219DBCB15FBA8D8456AE7BB1FF80721F250409F811E7291CF70DE098B92

Function 00852E9E Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852EA5
std::_Lockit::_Lockit.LIBCPMT ref: 00852EAF

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852F00
std::_Lockit::~_Lockit.LIBCPMT ref: 00852F20

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 1cdf8731a7907c8820bc4057b7d790322486cdde1c8fc18a77abdbf19c8c5db9
Instruction ID: 2e31f88eb71e80f94f6b7d91fb50bb21758899a75a702622c4d1982a7205edcd
Opcode Fuzzy Hash: 1cdf8731a7907c8820bc4057b7d790322486cdde1c8fc18a77abdbf19c8c5db9
Instruction Fuzzy Hash: 37019231900229DBCB15FBA8E8416BE77B1FF85711F250509F915E7292CF709E08CB92

Function 00852E09 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852E10
std::_Lockit::_Lockit.LIBCPMT ref: 00852E1A

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852E6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00852E8B

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: f7e083032e741097fd72c2e43ebbf0dd2c876a9a25463b43324241d332a624e5
Instruction ID: f0d2f3f59e2f6799cc5a769fffd1dfcaa25f03cbf64397c4e05f2788c3510370
Opcode Fuzzy Hash: f7e083032e741097fd72c2e43ebbf0dd2c876a9a25463b43324241d332a624e5
Instruction Fuzzy Hash: 2601D636900219DBCB15FBA8D8426AEB7B1FF55711F244509F910E7392CF709E088B92

Function 00852F33 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00852F3A
std::_Lockit::_Lockit.LIBCPMT ref: 00852F44

Part of subcall function 00848C20: std::_Lockit::_Lockit.LIBCPMT ref: 00848C50
Part of subcall function 00848C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00848C78

std::_Facet_Register.LIBCPMT ref: 00852F95
std::_Lockit::~_Lockit.LIBCPMT ref: 00852FB5

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 8aee73fdb453912b6b7ad53cb0490be181f13f12e50c1966f0fcbfb6c2345949
Instruction ID: 49e777b77be51f10d74dd7e0d5c1c0428796fb86c9fb029fcb2a152b4de03724
Opcode Fuzzy Hash: 8aee73fdb453912b6b7ad53cb0490be181f13f12e50c1966f0fcbfb6c2345949
Instruction Fuzzy Hash: 7801D631900219DBCB21FB68D8416BEBBB1FF84711F244409F811E7291CF709E088B92

Function 00883686 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00883053,?,00000001,?,?,?,00882198,?,?,00000000), ref: 0088369D
GetLastError.KERNEL32(?,00883053,?,00000001,?,?,?,00882198,?,?,00000000,?,?,?,0088271F,?), ref: 008836A9

Part of subcall function 0088366F: CloseHandle.KERNEL32(FFFFFFFE,008836B9,?,00883053,?,00000001,?,?,?,00882198,?,?,00000000,?,?), ref: 0088367F

___initconout.LIBCMT ref: 008836B9

Part of subcall function 00883631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00883660,00883040,?,?,00882198,?,?,00000000,?), ref: 00883644

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00883053,?,00000001,?,?,?,00882198,?,?,00000000,?), ref: 008836CE

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 988cd0d6c7ccc12c1cf737131adb2df1bb901070b9cc3297e06bb29d9d8a2c76
Instruction ID: 436f72b9c9615a8a2ad4627b9341f656aa1062e00d7b1aa7d8f18a864c8a8d4c
Opcode Fuzzy Hash: 988cd0d6c7ccc12c1cf737131adb2df1bb901070b9cc3297e06bb29d9d8a2c76
Instruction Fuzzy Hash: F1F03036504128BBCF627F9DDC089993F66FB187A1B544050FE19DA231D632C920EB91

Function 00862D20 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00862CBD,00000064), ref: 00862D43
LeaveCriticalSection.KERNEL32(0089DD3C,?,?,00862CBD,00000064,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862D4D
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00862CBD,00000064,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862D5E
EnterCriticalSection.KERNEL32(0089DD3C,?,00862CBD,00000064,?,?,?,008423B6,0089E638,50FA5EA3,?,?,00883D6D,000000FF), ref: 00862D65

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: ecb02297ae0d8658931c826b5478b5ffd1a05b0af033626aab4c3052e03a4061
Instruction ID: f61138cd77504f10eb60bb77f793395090ce8856cf2d705157c989c665f6db35
Opcode Fuzzy Hash: ecb02297ae0d8658931c826b5478b5ffd1a05b0af033626aab4c3052e03a4061
Instruction Fuzzy Hash: 26E04833545B28BBDF123B58EC08A9EBF39FF04B55F190051F615A6171C76599008BD9

Function 0084EC87 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0084EC8E

Part of subcall function 0084D87C: __EH_prolog3.LIBCMT ref: 0084D883
Part of subcall function 0084D87C: std::_Lockit::_Lockit.LIBCPMT ref: 0084D88D
Part of subcall function 0084D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 0084D8FE

_Find_elem.LIBCPMT ref: 0084EE8A

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 0084ECF6

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 4ee8624c2f9026c24895cc037db27bf53932d9f39575dc35b8767fc23473c96b
Instruction ID: d0bc79e5977a82729c9363b33461df0c091b914babcb5f923d8f09c60e3db2c7
Opcode Fuzzy Hash: 4ee8624c2f9026c24895cc037db27bf53932d9f39575dc35b8767fc23473c96b
Instruction Fuzzy Hash: CDC16E34E0428C8EDF25DFA885507ACBBB2FF55304F2840A9E895EB287DB259D49CB51

Function 008562BE Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 008562C8

Part of subcall function 00852D74: __EH_prolog3.LIBCMT ref: 00852D7B
Part of subcall function 00852D74: std::_Lockit::_Lockit.LIBCPMT ref: 00852D85
Part of subcall function 00852D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00852DF6

_Find_elem.LIBCPMT ref: 00856502

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 0085633F

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: d9133a6f5bb0f7dcab1235a09ea559da832d2b639340ff5a7b2e6350066f5a94
Instruction ID: b70fe732678fb31e8a88bcd0f887f4e7f658f7a753a45e60c17dc21f5867fedd
Opcode Fuzzy Hash: d9133a6f5bb0f7dcab1235a09ea559da832d2b639340ff5a7b2e6350066f5a94
Instruction Fuzzy Hash: 17C16270E042588ADF259F68C8417ECBBB2FF11306F944099DC85EB286EB349D9DCB55

Function 00856694 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085669E

Part of subcall function 0084B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 0084B8DD
Part of subcall function 0084B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 0084B900
Part of subcall function 0084B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 0084B928
Part of subcall function 0084B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 0084B9B7

_Find_elem.LIBCPMT ref: 008568D8

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00856715

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2799312399
Opcode ID: 3c29a548dc7ccbf01ca95e8f03918784c2fc99c5774753654718ded5bcd3233e
Instruction ID: 55f9cb255e1c7a8b181fe0ad6b87197e719ee284d37fc0f2fb9c072b09b9220b
Opcode Fuzzy Hash: 3c29a548dc7ccbf01ca95e8f03918784c2fc99c5774753654718ded5bcd3233e
Instruction Fuzzy Hash: C7C16430E042688BDF259F68C8517ACBBB2FF55306F948099DC85EB242EB348D9DCB51

Function 00871A6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00871AFD

Strings

pow, xrefs: 00871AD5, 00871AF2

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 34e28c47bcae826d72e551c89985f255ddd2622fdb066cf0725f580054d33403
Instruction ID: e00b2c8ea5684978570cc9d9bc5200e99fd8fe4e64f9a9e2c9ae3f4e2418feef
Opcode Fuzzy Hash: 34e28c47bcae826d72e551c89985f255ddd2622fdb066cf0725f580054d33403
Instruction Fuzzy Hash: 8E516661A08505CACF197B1CCD4537E6BA0FB80B50F20C959E0DDC26ADEA36CC85AB43

Function 00861E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00861FD1

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00861F2F, 00861F66, 00861F6B
-, xrefs: 00861FFF

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 55cb418064df5040fd9ea87d984951ee326a143abb813317506626164881d1e1
Instruction ID: b0a229c146f09a2d6947c4856c44b43616a6620dfdb4d3ce5740e39a168a9e04
Opcode Fuzzy Hash: 55cb418064df5040fd9ea87d984951ee326a143abb813317506626164881d1e1
Instruction Fuzzy Hash: 4D512630B04289AEDF25CEAC94997BEBBF5FF05350F1A409AE881D7242CB71C941C761

Function 0084BD90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0084BF6E

Strings

false, xrefs: 0084BE95
true, xrefs: 0084BEAB

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: d573427f0e46820e9281b376ac126cc6e31b5889e8f3d8b48f260deede460f98
Instruction ID: a05fd8f30ca8add9cc03c669fe4183f9b887de738e9c951abf1bb728ebc858fe
Opcode Fuzzy Hash: d573427f0e46820e9281b376ac126cc6e31b5889e8f3d8b48f260deede460f98
Instruction Fuzzy Hash: B051B3B1D007489FDB10DFA4C841BEEB7B8FF45304F14826AE805EB641E774A949CB91

Function 008470A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

\\?\UNC\, xrefs: 00847173, 008471CE
\\?\, xrefs: 008471E3, 00847210

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 70a507a6f8846f4604a2811d908dcf9b9a44ae12d610896b6d2c55747dab478e
Instruction ID: 1166a6d8824e2571f2835d08c5f6e0a9b8721cdde711cf31abf461e7ef641346
Opcode Fuzzy Hash: 70a507a6f8846f4604a2811d908dcf9b9a44ae12d610896b6d2c55747dab478e
Instruction Fuzzy Hash: 6D51CF70A0420C9BDF14DF68C885BAEB7B5FF99344F14451DE802F7280DBB5A988CBA0

Function 0085D4FA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085D501
_swprintf.LIBCMT ref: 0085D573

Part of subcall function 0085254E: __EH_prolog3.LIBCMT ref: 00852555
Part of subcall function 0085254E: std::_Lockit::_Lockit.LIBCPMT ref: 0085255F
Part of subcall function 0085254E: std::_Lockit::~_Lockit.LIBCPMT ref: 008525D0

Part of subcall function 00852FC8: __EH_prolog3.LIBCMT ref: 00852FCF

Strings

%.0Lf, xrefs: 0085D56B

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 3050236999-1402515088
Opcode ID: 1252d7026fa7fd429e205b040375192b5d8dec18be927994e0c1c623542921e7
Instruction ID: e207ec1842bde31f1b1f15a980abc823f5e3062ffa2f0ea046a937d81f992549
Opcode Fuzzy Hash: 1252d7026fa7fd429e205b040375192b5d8dec18be927994e0c1c623542921e7
Instruction Fuzzy Hash: 9E416871D00308ABCF15EFE4C845ADDBBB5FB08305F204559E856AB291EB359919CF91

Function 0085D79E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085D7A5
_swprintf.LIBCMT ref: 0085D817

Part of subcall function 00848610: std::_Lockit::_Lockit.LIBCPMT ref: 00848657
Part of subcall function 00848610: std::_Lockit::_Lockit.LIBCPMT ref: 00848679
Part of subcall function 00848610: std::_Lockit::~_Lockit.LIBCPMT ref: 008486A1
Part of subcall function 00848610: std::_Lockit::~_Lockit.LIBCPMT ref: 0084880E

Strings

%.0Lf, xrefs: 0085D80F

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: ceb20f2a0c5f91ccd469c819e832ed01a47a36208ae903fdb9f815ef4c978bb7
Instruction ID: e15d3bdfa520d290841c6d2fde0e449f648326f0f211eed7f52fc09b23a0b52d
Opcode Fuzzy Hash: ceb20f2a0c5f91ccd469c819e832ed01a47a36208ae903fdb9f815ef4c978bb7
Instruction Fuzzy Hash: 98417671E00318EBCF15EFE8C844ADE7BB5FB08311F204459E856AB291EB35A919CF91

Function 00861887 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0086188E
_swprintf.LIBCMT ref: 00861900

Part of subcall function 00849270: std::_Lockit::_Lockit.LIBCPMT ref: 008492A0
Part of subcall function 00849270: std::_Lockit::_Lockit.LIBCPMT ref: 008492C2
Part of subcall function 00849270: std::_Lockit::~_Lockit.LIBCPMT ref: 008492EA
Part of subcall function 00849270: std::_Lockit::~_Lockit.LIBCPMT ref: 00849422

Strings

%.0Lf, xrefs: 008618F8

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 7f6a1241434a3242836b6faeb10c34b81e4c7372a06072eac2f4e201b49dc249
Instruction ID: a31bd10274d359abc9ce95927b572d2c9a77cd7a38051cdacf7739e117ba04b6
Opcode Fuzzy Hash: 7f6a1241434a3242836b6faeb10c34b81e4c7372a06072eac2f4e201b49dc249
Instruction Fuzzy Hash: E2417971E0020CABCF05EFE4D855ADDBBB5FF08304F214459E856AB292DB359915CF91

Function 00866059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0086607E

Strings

RCC, xrefs: 00866098
MOC, xrefs: 00866090

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 47d33c23d99144cff76f526f2a5b542ff35641ea1749ddcc3f469c6983af4e2d
Instruction ID: e6389ce2c12997b9a0eceab1d984349d0849398556d873e50e12dc908a2e5b64
Opcode Fuzzy Hash: 47d33c23d99144cff76f526f2a5b542ff35641ea1749ddcc3f469c6983af4e2d
Instruction Fuzzy Hash: BD416871900249EFCF16DF98CC81EAEBBB5FF49304F1A8159F918A7212E3359960DB51

Function 0085DF8F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0085DF96
__cftoe.LIBCMT ref: 0085E01A

Strings

!%x, xrefs: 0085DFA7

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 15f21ca45a9e35b24beb376c40be1027b0897cbe9a5176cff12bb527696a0af4
Instruction ID: 4ffd2f2d8d4966e81b92cb0f7f0749999bf6183365f7592a5f608f97e88f1770
Opcode Fuzzy Hash: 15f21ca45a9e35b24beb376c40be1027b0897cbe9a5176cff12bb527696a0af4
Instruction Fuzzy Hash: 03314871D0020DABDF04DF94E881AEEB7B6FF08305F104419F905E7251DB75AA49CB64

Function 008619FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00861A01
__cftoe.LIBCMT ref: 00861A7F

Strings

!%x, xrefs: 00861A15

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 4e7d5f8d146fd43d5d159632e129a72f5c43f5657df0ac3a7f598def66d6c7a7
Instruction ID: d32390f1ab659cd6fa1d9ed50b937c6a847bfbbc5a9ab31d67e50863246e9b86
Opcode Fuzzy Hash: 4e7d5f8d146fd43d5d159632e129a72f5c43f5657df0ac3a7f598def66d6c7a7
Instruction Fuzzy Hash: 4131543291526CAFDF05DF98E884AEEBBB6FF08305F190019F844A7242D7359A45CBA1

Function 00845F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00845F86
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,50FA5EA3), ref: 00845FF6

Strings

Invalid SID, xrefs: 00845FD4

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: edb0adf2f7a4f6ebcf1179d7b1c841de4b00326675df4f317b5469a95b7e3bf0
Instruction ID: e5af216a17f763fdccc81e3515389b84f1525abcb851b4f292b56a403a981829
Opcode Fuzzy Hash: edb0adf2f7a4f6ebcf1179d7b1c841de4b00326675df4f317b5469a95b7e3bf0
Instruction Fuzzy Hash: DB219075A046099BDB14DF98C855BAFBBF8FF44714F10051DE415E7380D7BAAA088BD1

Function 00849070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0084909B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008490FE

Strings

bad locale name, xrefs: 00849121

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 7245e1ead26c219ce4324798308d2b6a549ca47d5db02d98ba55196cd00697b7
Instruction ID: d1e91c4a85c3d95dfabd51e72b6213c138f1eeab83e6395e87d5a3c68940838f
Opcode Fuzzy Hash: 7245e1ead26c219ce4324798308d2b6a549ca47d5db02d98ba55196cd00697b7
Instruction Fuzzy Hash: F621A170805B84DED721CFA8C90474BBFF4FB15710F14869DD495D7781D3B9A6048BA2

Function 0084F098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0084F09F

Strings

false, xrefs: 0084F0F6
true, xrefs: 0084F109

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 22ce7f35795b2bbe1b3f7e2e556a8ba2e2e9af5363a2c9c48e172e5609d55783
Instruction ID: 51d06a3e60bc2a1afee283e61d8a7f1185725221561902445dcddd1d03cd0e67
Opcode Fuzzy Hash: 22ce7f35795b2bbe1b3f7e2e556a8ba2e2e9af5363a2c9c48e172e5609d55783
Instruction Fuzzy Hash: 78118171941B44AECB21EFB8D841B8AB7F4FB05300F04C51AE5A6D7742EA30E5088B61

Function 00844070 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00844261,00884400,000000FF,50FA5EA3,00000000,?,00000000,?,?,?,00884400,000000FF,?,00843A75,?), ref: 00844096
LocalAlloc.KERNEL32(00000040,40000022,50FA5EA3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00844154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,50FA5EA3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00844177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00844217

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 4ee57ed788434c3aff379851d81df5637943601d6ab839fe1deb9ac150559ffe
Instruction ID: 4d6149e049b3de7bc886177f2d1b533d8fe6a2d1bbd0719ca4ccb65d46d3b6e9
Opcode Fuzzy Hash: 4ee57ed788434c3aff379851d81df5637943601d6ab839fe1deb9ac150559ffe
Instruction Fuzzy Hash: B9519FB5A002199FDB18DF6CC885BAEBBB5FB48354F24462DE925E7280D771AD40CB90

Function 00841D80 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00841E01
LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00841E21
LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00841EA7
LocalFree.KERNEL32(00000001,50FA5EA3,00000000,00000000,00883C40,000000FF,?,00000000), ref: 00841F2D

Memory Dump Source

Source File: 00000004.00000002.1262300874.0000000000841000.00000020.00000001.01000000.00000003.sdmp, Offset: 00840000, based on PE: true

Associated: 00000004.00000002.1262259527.0000000000840000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1262378643.0000000000887000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1263871627.000000000089C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1271233427.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_840000_MSIB093.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 029ea257eeb979bca1a0a8a5ff78978eae39484b30a9845c67a6222316921f13
Instruction ID: cc825eb71eb443d6da2613a0a7b0be773e732d2327f3bbb8342c1e481d585e35
Opcode Fuzzy Hash: 029ea257eeb979bca1a0a8a5ff78978eae39484b30a9845c67a6222316921f13
Instruction Fuzzy Hash: 6051F576A042199FCB15DF2CDC84A6AB7E9FF89360F110A2EF866D7290DB30D9448791

Analysis Process: rundll32.exePID: 3696, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	92.9%
Signature Coverage:	11.3%
Total number of Nodes:	1069
Total number of Limit Nodes:	52

Executed Functions

Function 000000018004AC9C Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 337
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000000018004AE5E
VirtualAlloc.KERNELBASE ref: 000000018004AEE0

Strings

J^1#, xrefs: 000000018004ACC4
NwEz, xrefs: 000000018004ACEC
#8BQ, xrefs: 000000018004AEB5
do@#, xrefs: 000000018004ACD4
6cgv, xrefs: 000000018004ACDC
Ftt, xrefs: 000000018004ACF4
xBO?, xrefs: 000000018004ACCC

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: #8BQ$6cgv$Ftt$J^1#$NwEz$do@#$xBO?
API String ID: 4275171209-2817147213
Opcode ID: 5b77fe72eaddb53b703fe21e6f9f9f3e6d288ab5ce12969816a75deff9559122
Instruction ID: cda52e59a6181bcc1e9931452a8ff373926afa540e7e1d9509708c0067d5f037
Opcode Fuzzy Hash: 5b77fe72eaddb53b703fe21e6f9f9f3e6d288ab5ce12969816a75deff9559122
Instruction Fuzzy Hash: 70D12772705B9886EB6ACF21D0847ED7BA1F709BC8F468025EE0A17B54DF38D649C708

Function 0000026DB7864D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 0000026DB7864D92
GetComputerNameExW.KERNELBASE ref: 0000026DB7864DA7
GetComputerNameExW.KERNELBASE ref: 0000026DB7864DD6
GetTokenInformation.KERNELBASE ref: 0000026DB7864E12
GetNativeSystemInfo.KERNELBASE ref: 0000026DB7864EC4
GetAdaptersInfo.IPHLPAPI ref: 0000026DB7864FB0
GetAdaptersInfo.IPHLPAPI ref: 0000026DB7864FF5

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: 53bd537aa1b4620733eb70ff0ede8cbf2f1afdb2ec242c599ba99b4d536de885
Instruction ID: 1a20223bd5a124b5839ae132432db69db6ec8c0c1c4e9aa4140439d9599eb91e
Opcode Fuzzy Hash: 53bd537aa1b4620733eb70ff0ede8cbf2f1afdb2ec242c599ba99b4d536de885
Instruction Fuzzy Hash: 73A1E134718B488FEB54AF14D85A7DEB7E1FB84304F804529A84EC3295DB7ADA45CB83

Function 0000000273F41380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
injectionsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000000273F413A0
VirtualAllocEx.KERNEL32 ref: 0000000273F413C3
WriteProcessMemory.KERNEL32 ref: 0000000273F413F8
CreateRemoteThread.KERNEL32 ref: 0000000273F4142E
WaitForSingleObject.KERNEL32 ref: 0000000273F41448

Strings

@, xrefs: 0000000273F413A6

Memory Dump Source

Source File: 00000006.00000002.3713823424.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000006.00000002.3713766770.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3713823424.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_273f40000_rundll32.jbxd

Similarity

API ID: AllocCreateMemoryObjectProcessRemoteSingleSleepThreadVirtualWaitWrite
String ID: @
API String ID: 3172812169-2766056989
Opcode ID: 7fcec4437536d1c811a67ff0d3e935be9d4b92fa0fac673d0b509e6aa8ba7f62
Instruction ID: 70ca693b3c1452cbeb4233b6b91bedeb956dc212f3bce1284f7759b325db5040
Opcode Fuzzy Hash: 7fcec4437536d1c811a67ff0d3e935be9d4b92fa0fac673d0b509e6aa8ba7f62
Instruction Fuzzy Hash: 5F117F22709E9042F6A0CF26BC08B5666A0B789FF4F644324EFBD17BE5DB38C6059605

Function 0000026DB785F3A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000026DB785F406
Thread32First.KERNEL32 ref: 0000026DB785F42B
Thread32Next.KERNEL32 ref: 0000026DB785F602

Strings

0, xrefs: 0000026DB785F47E

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: Thread32$CreateFirstNextSnapshotToolhelp32
String ID: 0
API String ID: 3779972765-4108050209
Opcode ID: ac050863fd1c388b9e453669c56b0ce2359168e04f01584157f339651d1c4fcd
Instruction ID: 753859297e977bbde5d79b07c6fe6ea9aeecba861f5cfb2f2c1148d7c2cda8b1
Opcode Fuzzy Hash: ac050863fd1c388b9e453669c56b0ce2359168e04f01584157f339651d1c4fcd
Instruction Fuzzy Hash: BE71C230718B4C8FE794EF68D449B9AB7E1FB88308F51056DA54EC3295DB71D8458B42

Function 0000000180040824 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 000000018004083A
GetVersion.KERNEL32 ref: 000000018004084C
HeapSetInformation.KERNEL32 ref: 000000018004086A

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: e32ab0bd0fee94bccc68f32d9a077722b0d5913c979a1ba73cc683a210d046bc
Instruction ID: 988e22e6e5946a36f70c9e45e8ed652961c4ed90b6ce8b9843ec7a251a3b24ee
Opcode Fuzzy Hash: e32ab0bd0fee94bccc68f32d9a077722b0d5913c979a1ba73cc683a210d046bc
Instruction Fuzzy Hash: 70E09274611F8882F7C69710AC897D52261B79C3C8FA18418F94A42B64DF3CC2CD8708

Function 0000026DB784CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 0000026DB784CDB2

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction ID: dfe4ba94df2ae75258eae0d538b393bfff2d9a958d7c691694a4c8a5bb093bfe
Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction Fuzzy Hash: E9312534618B0C4BDB68AF08DC4E7BAB7E4FB89710F50062EE586C3255E671A84287C7

Function 0000026DB78555C0 Relevance: .9, Instructions: 926COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: CreateFirstSnapshotThread32Toolhelp32
String ID:
API String ID: 490256885-0
Opcode ID: bdae03430df69abd2c9d775c583e96b44cfdfdcfb6ad024ecb1a5f206801d552
Instruction ID: 014f7005dd104f0cabe372ea2c237724d15ed0fcf92f02d0f0432b35f128e7e0
Opcode Fuzzy Hash: bdae03430df69abd2c9d775c583e96b44cfdfdcfb6ad024ecb1a5f206801d552
Instruction Fuzzy Hash: 6D728334618B0C8FE7A4DF18D889BA5B7E0FB98704F11466ED44DD72A6CF35A845CB82

Function 0000026DB78471B0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504a02ecd7dd5b9c727ac592882f9f33d8d6d99b3cf7a4fd9ebc18adb0a9304d
Instruction ID: df55b4fa3dcb04fbe739192ad3f55b07b036ea2c934874b228e7902a2a8247e8
Opcode Fuzzy Hash: 504a02ecd7dd5b9c727ac592882f9f33d8d6d99b3cf7a4fd9ebc18adb0a9304d
Instruction Fuzzy Hash: 7641C974624A088FF348DF28D8497AAB7E1FB48308F50066DF05BC32D6CB798841CB82

Function 0000026DB7874360 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction ID: 44b087eb83b8ecdea9a6583e91cf91c8fdda5e4b61a3ab61cf6cad658650b2a6
Opcode Fuzzy Hash: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction Fuzzy Hash: AF414C71A1CB488FE6749F08A8467EAB7E0FB89720F00491FD5C982215D672A4428BC6

Function 0000026DB78745F0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction ID: 7969d007534df0c7d275c784acfd65a292e3906c81f42f23c5d62d1ab350b1af
Opcode Fuzzy Hash: 7425b9f205f2e48f6743ce85b3d4803992b94f2dd7c42288ff67dbf43d2a16d5
Instruction Fuzzy Hash: 30218E75A1DB488FE754DF08984A7AAB7E4FB88725F20491FE44DC3360D6759880CB83

Function 0000026DB7874BE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction ID: fd8743cdabacb95b17eaaef55c3bd8224601f180efdd40da16e514f16c3a7e1e
Opcode Fuzzy Hash: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction Fuzzy Hash: E0119430B58B4D8FEB54DF58984B769B7D4F798719F50041EE44DC2290D77698808B83

Function 0000026DB78751C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction ID: 98f0b4f02a5f496a4421fc463c60f2b5549c6b09a2419dc234cc915a28054ee9
Opcode Fuzzy Hash: c9efb2dc69225788838bd08ce1b571aed7e5ff7df66dff9cf99eed66fee9a7a8
Instruction Fuzzy Hash: A011A774B68B4D4FEB54DF08984B7A973E4F789719F40441EE889C2254D676D540CB83

Function 0000026DB773DACE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1302979217.0000026DB7700000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB7700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26db7700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633259c266d87a5b95fda6ce05470889e09af076b0dc8ff2f0ee963c60a24a3d
Instruction ID: a17a6ef14aebc557184bf729d22b725f855afb29582a740ea2bc1cb2cafe1405
Opcode Fuzzy Hash: 633259c266d87a5b95fda6ce05470889e09af076b0dc8ff2f0ee963c60a24a3d
Instruction Fuzzy Hash: 2D11F970A18B888FD6A0DF499889BAAB7E1FBD8715F54062FE48CD3210C7319841C793

Function 0000026DB7857A50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edcd44484da87e5859a06b6baea96ffdedb9e447a7428d438afc54a8ed0a131
Instruction ID: 78c4d1eecd95b8da4927802cb803283734d96c6d3a04ea8960348ca945bf098d
Opcode Fuzzy Hash: 1edcd44484da87e5859a06b6baea96ffdedb9e447a7428d438afc54a8ed0a131
Instruction Fuzzy Hash: CE110674A28B4C5FF7649E18D44E3BA77C4F788318F50451DF989C22C9DBB656488743

Function 0000026DB7874FF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction ID: bd992fb4702c4a28ff6d7082371beb32d1c8d3a1f3d11fb3e67f0136a69e78c9
Opcode Fuzzy Hash: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction Fuzzy Hash: 8611A734B18B498FEB54DF08984BBA977E0F749715F40041EE449C2290D676A840CBC3

Function 0000026DB7874740 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction ID: 395beca15969bdc1a2e29c097cfb4615069ca5d19b5a802a1d509b4ff5365679
Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction Fuzzy Hash: 0701C434B28B0D4FE748AB18940B2B673E1F789754F10451EE44EC3295D676D9408B83

Function 0000026DB773D98E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1302979217.0000026DB7700000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB7700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26db7700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3f95c2c9417701ba101d61fb74fecea45e223f9a8c54239b1753508d96a613
Instruction ID: c8537ff9ab38867a9820e1561c41814cf6b639cf396e46b1ccd80c1dbd510828
Opcode Fuzzy Hash: ba3f95c2c9417701ba101d61fb74fecea45e223f9a8c54239b1753508d96a613
Instruction Fuzzy Hash: 4DF04470A28B448BE744DF1884C967677E1FBD8755F24452EE899C7361DB319842CB43

Function 0000026DB773D9FE Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1302979217.0000026DB7700000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB7700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26db7700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe48e069b0bf4257b6ece8509336bdb1b8fe3d1efb0e08b23792c235e305b72c
Instruction ID: 21e475beaa45079173b8c5765da583b93a77b4bb2a18c1991d4c30b0d9859ceb
Opcode Fuzzy Hash: fe48e069b0bf4257b6ece8509336bdb1b8fe3d1efb0e08b23792c235e305b72c
Instruction Fuzzy Hash: 37F0A470A28B448BE744DF1884CA67677E1FBD8749F24452EE889C7361CB3298828B43

Function 0000026DB773DA6E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1302979217.0000026DB7700000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB7700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26db7700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611503c2f2b608366220324c20f94816b5761d40c9c053a388f9cbb19c4f0105
Instruction ID: 58fef4de6da2dad700d0b0970e332aa5135c3ff041919be5c7054c2f6e47bdd0
Opcode Fuzzy Hash: 611503c2f2b608366220324c20f94816b5761d40c9c053a388f9cbb19c4f0105
Instruction Fuzzy Hash: 7AF05B70B24F444BD704AF1C844AA7577D1F7D8655F54452EA444C7361DB35D5438B43

Function 0000026DB7858149 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9374db516d9e4375f251f78bef5fecbce5b368e01431e898dda6d9a0c6f8720e
Instruction ID: 8d181de764bcca6004c4042aafd147ceac873e40448321ec7607aecc681b3015
Opcode Fuzzy Hash: 9374db516d9e4375f251f78bef5fecbce5b368e01431e898dda6d9a0c6f8720e
Instruction Fuzzy Hash: 32D0A97298DB1C8EE7209AA8F8873E8B3D0F780328F40482EC18DC2083D63F40468706

Function 0000026DB5F02050 Relevance: 22.8, APIs: 15, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026DB5F01340: SetLastError.KERNEL32 ref: 0000026DB5F01364

SetLastError.KERNEL32 ref: 0000026DB5F020C4

Memory Dump Source

Source File: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB5F00000, based on PE: true

Associated: 00000006.00000002.3723009009.0000026DB5F46000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db5f00000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d975507dabfc9bcff4ce07bface502bc42e706bf54c750510e23b7039734968
Instruction ID: b5162bf8e0eebbbc5215bc80e88cf46bb2bd4c10b59040ae9c46023e9244f001
Opcode Fuzzy Hash: 4d975507dabfc9bcff4ce07bface502bc42e706bf54c750510e23b7039734968
Instruction Fuzzy Hash: C3F1DD36719B8886EB608F15E49476EB7A0F3CCB84F195119EB8E83B68DF39C444CB10

Function 000000018003FF00 Relevance: 10.6, APIs: 7, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180040824: HeapCreate.KERNELBASE ref: 000000018004083A
Part of subcall function 0000000180040824: GetVersion.KERNEL32 ref: 000000018004084C
Part of subcall function 0000000180040824: HeapSetInformation.KERNEL32 ref: 000000018004086A

_RTC_Initialize.LIBCMT ref: 000000018003FF32
GetCommandLineA.KERNEL32 ref: 000000018003FF37

Part of subcall function 0000000180045FFC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 0000000180046015
Part of subcall function 0000000180045FFC: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 000000018004606C
Part of subcall function 0000000180045FFC: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460A7
Part of subcall function 0000000180045FFC: free.LIBCMT ref: 00000001800460B4
Part of subcall function 0000000180045FFC: FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460BF

Part of subcall function 00000001800442B4: GetStartupInfoW.KERNEL32 ref: 00000001800442D5

__setargv.LIBCMT ref: 000000018003FF60
_cinit.LIBCMT ref: 000000018003FF74

Part of subcall function 00000001800431C8: FlsFree.KERNEL32(?,?,?,?,000000018003FFDE), ref: 00000001800431D7
Part of subcall function 00000001800431C8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464B7
Part of subcall function 00000001800431C8: free.LIBCMT ref: 00000001800464C0
Part of subcall function 00000001800431C8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464E7

Part of subcall function 0000000180044588: free.LIBCMT ref: 00000001800445D9

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

FlsSetValue.KERNEL32 ref: 000000018004000E
GetCurrentThreadId.KERNEL32 ref: 0000000180040022
free.LIBCMT ref: 0000000180040031

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentInfoInformationInitializeLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 2481119767-0
Opcode ID: 61b5e00b11298625462c404e981e4dbee0cdad509bc41096663f8cfabbcd0743
Instruction ID: aa315cb78357cfe07c34d30648f785c9cd846825b8d2e9133f4b691ac97a99c6
Opcode Fuzzy Hash: 61b5e00b11298625462c404e981e4dbee0cdad509bc41096663f8cfabbcd0743
Instruction Fuzzy Hash: C3314C30200A0D89FAF7777059827FA12959F5D3D8F37D534B919852D3EE29874C836A

Function 0000026DB773CABE Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 323COMMON

Download Yara Rule

Strings

0, xrefs: 0000026DB773CBCE
@, xrefs: 0000026DB773CD21
`, xrefs: 0000026DB773CB5B
@, xrefs: 0000026DB773CBE5

Memory Dump Source

Source File: 00000006.00000003.1302979217.0000026DB7700000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB7700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26db7700000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$@$`
API String ID: 0-307318802
Opcode ID: 790f92f7944892e3d38ff7d826f4987b9e3c0bb28676424d5e8019a2330f5ae1
Instruction ID: 8036dac9f59f2ef502d83583d5766041c1191d1716a4c5c43bdcbd66e42dce5f
Opcode Fuzzy Hash: 790f92f7944892e3d38ff7d826f4987b9e3c0bb28676424d5e8019a2330f5ae1
Instruction Fuzzy Hash: FDB18130A1CB488FD7A4EF18D449BAAB7E0FB98314F114A1EE49DC3295DB70D945CB82

Function 0000026DB7847830 Relevance: 7.8, APIs: 5, Instructions: 340
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 0000026DB784788A
InternetConnectW.WININET ref: 0000026DB78478CB
HttpSendRequestA.WININET ref: 0000026DB78479DA
InternetCloseHandle.WININET ref: 0000026DB7847B11
InternetCloseHandle.WININET ref: 0000026DB7847B1F

Part of subcall function 0000026DB786B4E0: RtlFreeHeap.NTDLL ref: 0000026DB786B51D

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: Internet$CloseHandle$ConnectFreeHeapHttpOpenRequestSend
String ID:
API String ID: 1124828664-0
Opcode ID: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction ID: 23dd12f1c6181f0a7d927b242385778756102b2ae2ff0618418ea07576e02c0b
Opcode Fuzzy Hash: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction Fuzzy Hash: 3EB1F334718A0C8FE754EF18D8597AAB7E5FB98708F06052DE84AC3299DFB5D8418782

Function 0000026DB773BE8E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 0000026DB773C0F8

Memory Dump Source

Source File: 00000006.00000003.1302979217.0000026DB7700000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB7700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26db7700000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9457dfe6ec60ebb388675859c3b208fc461dcabcf6edda219dbca694cf0c5acf
Instruction ID: f78ecce2b37f2ed0ab48c7fd7aa7a5058afd8d0ff1a39b3033e563baf5970664
Opcode Fuzzy Hash: 9457dfe6ec60ebb388675859c3b208fc461dcabcf6edda219dbca694cf0c5acf
Instruction Fuzzy Hash: F8B1723161CA0C8FDB54EF1CC889F9AB7E1FB98310F124569E489C72A5DB74E845CB82

Function 0000026DB7858C60 Relevance: 3.2, APIs: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFiber.KERNELBASE ref: 0000026DB7858E01
DeleteFiber.KERNELBASE ref: 0000026DB7858E1C

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: Fiber$CreateDelete
String ID:
API String ID: 2527733159-0
Opcode ID: 318d4458220fefe7ecd04c4217b70e3ea4272adf2d4e41289bf899562a1583dc
Instruction ID: 40a3700adca4d5984b5df6b7d8e458772dd0b162d9dcd31907e168bb2198b3d9
Opcode Fuzzy Hash: 318d4458220fefe7ecd04c4217b70e3ea4272adf2d4e41289bf899562a1583dc
Instruction Fuzzy Hash: 6A51E935B189184FEB68AB28AC4E76973D1FB58315F21032AE89BD31E5DB359C4287C1

Function 0000026DB5F015E0 Relevance: 3.1, APIs: 2, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32 ref: 0000026DB5F0167C

Memory Dump Source

Source File: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB5F00000, based on PE: true

Associated: 00000006.00000002.3723009009.0000026DB5F46000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db5f00000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 75ce38d37ca8cf5b7d06ded007de5ea175a415d9990679de99291eeea22f5aae
Instruction ID: 36e99e0d2d91211780778befc70846958c3704837bd887eb2cc2194547b8ca3e
Opcode Fuzzy Hash: 75ce38d37ca8cf5b7d06ded007de5ea175a415d9990679de99291eeea22f5aae
Instruction Fuzzy Hash: F451CC767187488BEB60CF1AE894B1AF7A1F3C8B48F090119EA8D87758DB79D540CF00

Function 0000026DB5F01380 Relevance: 2.6, APIs: 2, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 0000026DB5F01445
VirtualAlloc.KERNEL32 ref: 0000026DB5F014F4

Memory Dump Source

Source File: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB5F00000, based on PE: true

Associated: 00000006.00000002.3723009009.0000026DB5F46000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db5f00000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
Instruction ID: f823672bf0e459203c43f7159f3e7510e4896d0b58ed6ed7d582721770a315b4
Opcode Fuzzy Hash: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
Instruction Fuzzy Hash: 4F51DA76718B4486DB64CF19E48462AB7A1F3CCBD8F195215EE8E87B68DB39C541CF00

Function 0000026DB7848ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNELBASE ref: 0000026DB7848F00

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction ID: 06080464fbde2bd9af73ae1e5f2de8b42374dddc35ec4048c0e2abea872a2028
Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction Fuzzy Hash: DDE14171508A4D8FE751EF14E894BE6BBF4F768340F20067BE84EC2265DB399245CB86

Function 0000026DB786B4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 0000026DB786B51D

Memory Dump Source

Source File: 00000006.00000002.3724949403.0000026DB7841000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026DB7841000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db7841000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction ID: 2b9273f2a7e6bccbd14bff114ed9c696ba0f95d82ce0254bcc53337672a0fa89
Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction Fuzzy Hash: BBF01C34710A088BFB58EBBAACC976537E2FB9D349B858054A405C62A8DB39D841C701

Function 0000000273F414D0 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 0000000273F414E5

Memory Dump Source

Source File: 00000006.00000002.3713823424.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000006.00000002.3713766770.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3713823424.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_273f40000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 490134546b41fa5f3525d4fc16026bee51ec6a607ddd3dfaa8bb0cc5ac4d8099
Instruction ID: 0bf00bace8f2674ea540bcf736f3f2282d979a864102f6c7b7d6f84e33ec7844
Opcode Fuzzy Hash: 490134546b41fa5f3525d4fc16026bee51ec6a607ddd3dfaa8bb0cc5ac4d8099
Instruction Fuzzy Hash: 06B09B14F04594C7E2255791B44D7699610B74FBD1F249451C55D13755851455425702

Function 0000026DB5F011C0 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000026DB5F011DC

Memory Dump Source

Source File: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB5F00000, based on PE: true

Associated: 00000006.00000002.3723009009.0000026DB5F46000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db5f00000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
Instruction ID: 52bd893b0ab8d3b9b45a534ed22aabc2410373ca711bff54e084ee7056c4de4c
Opcode Fuzzy Hash: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
Instruction Fuzzy Hash: F8D092B6B1568087DB289F25E45560AAB60F389748F908119EA8D47BA8CA3EC6168F04

Non-executed Functions

Function 0000000180044774 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800447CA
_errno.LIBCMT ref: 00000001800447D1
_invalid_parameter_noinfo.LIBCMT ref: 00000001800447DC

Strings

U, xrefs: 0000000180044D58

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 2d5ce46ed2b1d32d86571561728c0a6fb84dd56a645abb6e696f7c4412cbdee7
Instruction ID: a924f4dc1a727bc392aaaba263266b47709fba0b4cecbfed23009677402f7412
Opcode Fuzzy Hash: 2d5ce46ed2b1d32d86571561728c0a6fb84dd56a645abb6e696f7c4412cbdee7
Instruction Fuzzy Hash: 3312F633204E4986EBA28F25D4C43EA67A1F38CBC8F568115FA494BA95DF7DC64DC708

Function 0000000180046A88 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046ACD
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046AE9
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046AFB
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B12
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B1B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B32
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B3B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B52
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B5B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B7A
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B83
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046BB6
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046BC6
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C1C
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C3D
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C57

Strings

GetUserObjectInformationW, xrefs: 0000000180046B41
GetProcessWindowStation, xrefs: 0000000180046B70
USER32.DLL, xrefs: 0000000180046AC6
GetActiveWindow, xrefs: 0000000180046B01
GetLastActivePopup, xrefs: 0000000180046B21
MessageBoxW, xrefs: 0000000180046ADF

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 1824d7e647174aac9ba8a228052728ff37a26939126cb63fc2dd71cb4fdc05b6
Instruction ID: df7a2586361332801e439d358c24d371d3d75d19ea64f50f1298fa16b69f6015
Opcode Fuzzy Hash: 1824d7e647174aac9ba8a228052728ff37a26939126cb63fc2dd71cb4fdc05b6
Instruction Fuzzy Hash: A6514A30602F5980FED7DB51BC943E523A1BB8EBC8F068424BC5E433A0EE38968D8315

Function 0000000180040580 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 00000001800405C5
_set_error_mode.LIBCMT ref: 00000001800405D6
GetModuleFileNameW.KERNEL32 ref: 0000000180040638

Part of subcall function 00000001800427E4: GetCurrentProcess.KERNEL32(?,?,?,?,0000000180042886), ref: 00000001800427FC

GetStdHandle.KERNEL32 ref: 000000018004074D
WriteFile.KERNEL32 ref: 00000001800407AA

Strings

<program name unknown>, xrefs: 0000000180040647
Microsoft Visual C++ Runtime Library, xrefs: 00000001800406F1
Runtime Error!Program: , xrefs: 0000000180040605
..., xrefs: 000000018004068A

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: ba61b9740d2fabcbb053f7a8c1a04480db4f8b8fe58e62101f9bba5b1f63e096
Instruction ID: afc2a24109b5524a715c6b2c3ba94efa30044fcd1fda98386a67971cc6d85b1b
Opcode Fuzzy Hash: ba61b9740d2fabcbb053f7a8c1a04480db4f8b8fe58e62101f9bba5b1f63e096
Instruction Fuzzy Hash: 1851F131B04A8845F7E6DB25A8917DA22A1A78D7C8F668112FE5A03B95DF38C30DC709

Function 0000000180041044 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041094
_invalid_parameter_noinfo.LIBCMT ref: 000000018004109E
_errno.LIBCMT ref: 00000001800410C0
_invalid_parameter_noinfo.LIBCMT ref: 00000001800410CC
_errno.LIBCMT ref: 00000001800410F4
_cftoe_l.LIBCMT ref: 0000000180041138

Strings

gfffffff, xrefs: 00000001800413C3

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 24a95ef78a624545ba7c9d7dc106d39f48c7645bdea6b767835b0edbd9f1c844
Instruction ID: cd9f51b8cdbe88b98d15d95ecd3b9eaa2330d4955cd9fdd12c4ed391452db137
Opcode Fuzzy Hash: 24a95ef78a624545ba7c9d7dc106d39f48c7645bdea6b767835b0edbd9f1c844
Instruction Fuzzy Hash: 3EB17773704BC88AEB92CB25C6803DD6BA5F3197D9F05C621EF59877D5EA388629C304

Function 000000018003E5C0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001800428BB
RtlLookupFunctionEntry.KERNEL32 ref: 00000001800428DA
RtlVirtualUnwind.KERNEL32 ref: 0000000180042926
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 0000000180042998
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429B0
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429BD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429D6
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429E4

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: c3598976ca1632c357be4ba8301645e2a35c7deb92361203275c35b9385dcc3e
Instruction ID: 868fa4e71887f5911bd689abb344e6afb6984900060eeb71dea75f24283ff6da
Opcode Fuzzy Hash: c3598976ca1632c357be4ba8301645e2a35c7deb92361203275c35b9385dcc3e
Instruction Fuzzy Hash: 6C31F335208F8885EB929B10F8843DA73A1F78D3D8F518126FA9D42BA5DF7CC298C705

Function 0000000180042698 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000180042705
RtlLookupFunctionEntry.KERNEL32 ref: 000000018004271D
RtlVirtualUnwind.KERNEL32 ref: 0000000180042757
IsDebuggerPresent.KERNEL32 ref: 000000018004278D
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180042797
UnhandledExceptionFilter.KERNEL32 ref: 00000001800427A2

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 687f001dfb37a47157b6f2a046625e947f4851768aa9483d248bdf8ccabb4226
Instruction ID: ce6028df09523790c5ce4c1857c5788db5e4af3653a889637483fba63be9d821
Opcode Fuzzy Hash: 687f001dfb37a47157b6f2a046625e947f4851768aa9483d248bdf8ccabb4226
Instruction Fuzzy Hash: C8319132204F8486EBA1CF25E8807DE77A0F788798F51411AFA9D43B99DF38C649CB00

Function 000000018003E804 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018003E95B
_set_statfp.LIBCMT ref: 000000018003E990
_set_statfp.LIBCMT ref: 000000018003EAE5

Strings

!, xrefs: 000000018003E8FC
atan2f, xrefs: 000000018003E8EC

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _set_statfp
String ID: !$atan2f
API String ID: 1156100317-746904718
Opcode ID: 922dedef4b508459671a67f39f388c8a37360033d7157b9d186a1199daea5b28
Instruction ID: d5c9dca1ae84759df08d4f946077274373d06d771ca18e833c4e4ac63076a48d
Opcode Fuzzy Hash: 922dedef4b508459671a67f39f388c8a37360033d7157b9d186a1199daea5b28
Instruction Fuzzy Hash: 43C1D231624ECC88E6B78B3254103E7E3547F5F7D4F16D312B92A36AD4EF29868A8700

Function 000000018004A638 Relevance: 107.7, APIs: 86, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000018004A64D

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

free.LIBCMT ref: 000000018004A656
free.LIBCMT ref: 000000018004A65F
free.LIBCMT ref: 000000018004A668
free.LIBCMT ref: 000000018004A671
free.LIBCMT ref: 000000018004A67A
free.LIBCMT ref: 000000018004A682
free.LIBCMT ref: 000000018004A68B
free.LIBCMT ref: 000000018004A694
free.LIBCMT ref: 000000018004A69D
free.LIBCMT ref: 000000018004A6A6
free.LIBCMT ref: 000000018004A6AF
free.LIBCMT ref: 000000018004A6B8
free.LIBCMT ref: 000000018004A6C1
free.LIBCMT ref: 000000018004A6CA
free.LIBCMT ref: 000000018004A6D3
free.LIBCMT ref: 000000018004A6DF
free.LIBCMT ref: 000000018004A6EB
free.LIBCMT ref: 000000018004A6F7
free.LIBCMT ref: 000000018004A703
free.LIBCMT ref: 000000018004A70F
free.LIBCMT ref: 000000018004A71B
free.LIBCMT ref: 000000018004A727
free.LIBCMT ref: 000000018004A733
free.LIBCMT ref: 000000018004A73F
free.LIBCMT ref: 000000018004A74B
free.LIBCMT ref: 000000018004A757
free.LIBCMT ref: 000000018004A763
free.LIBCMT ref: 000000018004A76F
free.LIBCMT ref: 000000018004A77B
free.LIBCMT ref: 000000018004A787
free.LIBCMT ref: 000000018004A793
free.LIBCMT ref: 000000018004A79F
free.LIBCMT ref: 000000018004A7AB
free.LIBCMT ref: 000000018004A7B7
free.LIBCMT ref: 000000018004A7C3
free.LIBCMT ref: 000000018004A7CF
free.LIBCMT ref: 000000018004A7DB
free.LIBCMT ref: 000000018004A7E7
free.LIBCMT ref: 000000018004A7F3
free.LIBCMT ref: 000000018004A7FF
free.LIBCMT ref: 000000018004A80B
free.LIBCMT ref: 000000018004A817
free.LIBCMT ref: 000000018004A823
free.LIBCMT ref: 000000018004A82F
free.LIBCMT ref: 000000018004A83B
free.LIBCMT ref: 000000018004A847
free.LIBCMT ref: 000000018004A853
free.LIBCMT ref: 000000018004A85F
free.LIBCMT ref: 000000018004A86B
free.LIBCMT ref: 000000018004A877
free.LIBCMT ref: 000000018004A883
free.LIBCMT ref: 000000018004A88F
free.LIBCMT ref: 000000018004A89B
free.LIBCMT ref: 000000018004A8A7
free.LIBCMT ref: 000000018004A8B3
free.LIBCMT ref: 000000018004A8BF
free.LIBCMT ref: 000000018004A8CB
free.LIBCMT ref: 000000018004A8D7
free.LIBCMT ref: 000000018004A8E3
free.LIBCMT ref: 000000018004A8EF
free.LIBCMT ref: 000000018004A8FB
free.LIBCMT ref: 000000018004A907
free.LIBCMT ref: 000000018004A913
free.LIBCMT ref: 000000018004A91F
free.LIBCMT ref: 000000018004A92B
free.LIBCMT ref: 000000018004A937
free.LIBCMT ref: 000000018004A943
free.LIBCMT ref: 000000018004A94F
free.LIBCMT ref: 000000018004A95B
free.LIBCMT ref: 000000018004A967
free.LIBCMT ref: 000000018004A973
free.LIBCMT ref: 000000018004A97F
free.LIBCMT ref: 000000018004A98B
free.LIBCMT ref: 000000018004A997
free.LIBCMT ref: 000000018004A9A3
free.LIBCMT ref: 000000018004A9AF
free.LIBCMT ref: 000000018004A9BB
free.LIBCMT ref: 000000018004A9C7
free.LIBCMT ref: 000000018004A9D3
free.LIBCMT ref: 000000018004A9DF
free.LIBCMT ref: 000000018004A9EB
free.LIBCMT ref: 000000018004A9F7
free.LIBCMT ref: 000000018004AA03
free.LIBCMT ref: 000000018004AA0F
free.LIBCMT ref: 000000018004AA1B

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 258e030ea8eef92e677a1f4030c5f0b19a91ecd9a257867854d2aa094b2d70cf
Instruction ID: 4d872ec27d9ca8d6f8751ad299c95db9e4a79eb5509a17a55bae787e74e0c8bc
Opcode Fuzzy Hash: 258e030ea8eef92e677a1f4030c5f0b19a91ecd9a257867854d2aa094b2d70cf
Instruction Fuzzy Hash: 54A1553121158885E6C3BB71F8957DF1325ABCAF84F059E32BB4D4B5E7CE10DA498390

Function 0000000180045108 Relevance: 32.0, APIs: 21, Instructions: 482COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180045139
_errno.LIBCMT ref: 0000000180045142
__doserrno.LIBCMT ref: 000000018004519C
_errno.LIBCMT ref: 00000001800451A3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180045812

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 27ee3e071bdb6c1f7188517e3c46bf29d4632009371291bd4a31ced4f22275c5
Instruction ID: beaf73869c5ab8301a8de9efe598f3bfa40f1db9310f99e121f6dd647ad85f45
Opcode Fuzzy Hash: 27ee3e071bdb6c1f7188517e3c46bf29d4632009371291bd4a31ced4f22275c5
Instruction Fuzzy Hash: 8322F572205E8886F7A38F64D4C03EC2B91A749BDEF56C115EA96077D3DE78C649C309

Function 00000001800478B4 Relevance: 19.6, APIs: 13, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 000000018004790C

Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAB2
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAC4
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAD6
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAE8
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAFA
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB0C
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB1E
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB30
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB42
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB54
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB69
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB7E
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB93

free.LIBCMT ref: 0000000180047900

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

free.LIBCMT ref: 0000000180047922
__free_lconv_num.LIBCMT ref: 000000018004792E
free.LIBCMT ref: 000000018004793A
free.LIBCMT ref: 0000000180047946
free.LIBCMT ref: 000000018004796A
free.LIBCMT ref: 000000018004797E
free.LIBCMT ref: 000000018004798D
free.LIBCMT ref: 0000000180047999
free.LIBCMT ref: 00000001800479C6
free.LIBCMT ref: 00000001800479EE
free.LIBCMT ref: 0000000180047A08

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 2573795696-0
Opcode ID: 5a0bd3a4139776b5973723257e7de0a69dd99bb23b7eab651e3109ceedcb2a20
Instruction ID: 64e24b2416a1ca949d6f303a85acd9c423b1c112d23fea3cbc33af8ea2b513f7
Opcode Fuzzy Hash: 5a0bd3a4139776b5973723257e7de0a69dd99bb23b7eab651e3109ceedcb2a20
Instruction Fuzzy Hash: 6041113230298884FFD79F61D4903EE2354E78DBD8F059931BA4D4A2D6CF28CA99C355

Function 000000018004CB30 Relevance: 18.1, APIs: 12, Instructions: 115memoryfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180048148: _errno.LIBCMT ref: 000000018004816A

_errno.LIBCMT ref: 000000018004CBB8

Part of subcall function 0000000180048148: SetFilePointer.KERNEL32(00000000,00000001,00000001,0000000180044F61,?,00000000,00000000,0000000180041A89,?,?,00000000,0000000180041AE5,?,?,00000200,0000000180042572), ref: 000000018004818A
Part of subcall function 0000000180048148: GetLastError.KERNEL32(?,00000000,00000000,0000000180041A89,?,?,00000000,0000000180041AE5,?,?,00000200,0000000180042572), ref: 0000000180048199

GetProcessHeap.KERNEL32(00000000,?,00000109,00000001800496A0), ref: 000000018004CB8A
HeapAlloc.KERNEL32 ref: 000000018004CB9F
_errno.LIBCMT ref: 000000018004CBAD
__doserrno.LIBCMT ref: 000000018004CC12
_errno.LIBCMT ref: 000000018004CC1C
GetProcessHeap.KERNEL32 ref: 000000018004CC35
HeapFree.KERNEL32 ref: 000000018004CC43
SetEndOfFile.KERNEL32(00000000,?,00000109,00000001800496A0), ref: 000000018004CC6E
_errno.LIBCMT ref: 000000018004CC85
__doserrno.LIBCMT ref: 000000018004CC90
GetLastError.KERNEL32 ref: 000000018004CC98

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 5c1484790b7029330c56b00ce7b4326b62192608e4fc1df10d09937e4c225644
Instruction ID: fe7456c0442f1bcdb1b8f511e1c750bbd640e26c1f04292c679d1de3200e95df
Opcode Fuzzy Hash: 5c1484790b7029330c56b00ce7b4326b62192608e4fc1df10d09937e4c225644
Instruction Fuzzy Hash: 6741E131300E5841EAD6AB3598857DC2291A74DBF8F56C711F939077D2DF38CA49878A

Function 000000018004A0F4 Relevance: 15.2, APIs: 10, Instructions: 206COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018004A18E
malloc.LIBCMT ref: 000000018004A1F7
MultiByteToWideChar.KERNEL32 ref: 000000018004A22B
LCMapStringW.KERNEL32 ref: 000000018004A252
LCMapStringW.KERNEL32 ref: 000000018004A29A
malloc.LIBCMT ref: 000000018004A2F7

Part of subcall function 000000018003E168: _FF_MSGBANNER.LIBCMT ref: 000000018003E198
Part of subcall function 000000018003E168: HeapAlloc.KERNEL32(?,?,00000000,0000000180042A24,?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 000000018003E1BD
Part of subcall function 000000018003E168: _callnewh.LIBCMT ref: 000000018003E1D6
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1E1
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1EC

LCMapStringW.KERNEL32 ref: 000000018004A32C
WideCharToMultiByte.KERNEL32 ref: 000000018004A36C
free.LIBCMT ref: 000000018004A380
free.LIBCMT ref: 000000018004A391

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 8f87ab9d2ae227485477a57223987bd8726c4cafbcef0a4fabf5341cba31a906
Instruction ID: 746fdc849fb7efc80f96b9087f0f4f5be30642e255885f1a6576107973598593
Opcode Fuzzy Hash: 8f87ab9d2ae227485477a57223987bd8726c4cafbcef0a4fabf5341cba31a906
Instruction Fuzzy Hash: 0381B732208B8886FBA69F2594803DA77D5F74E7E8F158615FA1943BD4EF78C7488308

Function 0000000180048408 Relevance: 15.1, APIs: 10, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018004844F
_invalid_parameter_noinfo.LIBCMT ref: 000000018004845B
_errno.LIBCMT ref: 00000001800484A5
_errno.LIBCMT ref: 00000001800484B0
_errno.LIBCMT ref: 00000001800484E2
_invalid_parameter_noinfo.LIBCMT ref: 00000001800484EC
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00000001800485DB), ref: 000000018004855E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00000001800485DB), ref: 000000018004857B
_errno.LIBCMT ref: 00000001800485A1
_invalid_parameter_noinfo.LIBCMT ref: 00000001800485AD

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: d8226484d9b045e3bf121a32930208bfe2de1e8e9735e94a0eea8d55c1e7fd26
Instruction ID: 9c22cb322589bbaecf03df9c4e1f5db85217bda39a9a5de2319d300efcf44f58
Opcode Fuzzy Hash: d8226484d9b045e3bf121a32930208bfe2de1e8e9735e94a0eea8d55c1e7fd26
Instruction Fuzzy Hash: 2251EA32601E4949FBE79F60C4C03EC26A0BF897ECF56C524FA4916AC5DF3886499748

Function 00000001800442B4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00000001800442D5

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

GetFileType.KERNEL32 ref: 0000000180044440
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018004447E

Strings

@, xrefs: 0000000180044539

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: 731d2ca942fb7059f98ccea79a0825b347f719a010229efa7715c3398953b345
Instruction ID: 7b13a2a208b59659a7ff2164eb285c9a59e6247728ec510e04abe0ab60cf6499
Opcode Fuzzy Hash: 731d2ca942fb7059f98ccea79a0825b347f719a010229efa7715c3398953b345
Instruction Fuzzy Hash: CE81B472200F8986EB968F14D88439937A1F748BB8F59C324EA7A477D1DF78C659C309

Function 000000018004582C Relevance: 13.6, APIs: 9, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180045855
_errno.LIBCMT ref: 000000018004585E
__doserrno.LIBCMT ref: 00000001800458BC
_errno.LIBCMT ref: 00000001800458C3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180045927

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: c62bc627254f1f1a9acb5995aa69af8956a7e938587757901c016c5564e10ee5
Instruction ID: 7682daf60427842ebd199fa13711cc73cf9a5fbc78c26fb93eb3438255fbe3e8
Opcode Fuzzy Hash: c62bc627254f1f1a9acb5995aa69af8956a7e938587757901c016c5564e10ee5
Instruction Fuzzy Hash: 7D310472310E8C86F7936F6598C13ED2650A7487E8F57C119FAA4177D3CE788A48C708

Function 0000000180043E2C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180043E7D
_invalid_parameter_noinfo.LIBCMT ref: 0000000180043E88
_wsopen_s.LIBCMT ref: 0000000180044099

Strings

UNICODE, xrefs: 000000018004404B
ccs, xrefs: 0000000180043FC9
UTF-8, xrefs: 0000000180044005
UTF-16LE, xrefs: 0000000180044028

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wsopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 2053332431-3573488595
Opcode ID: b0c4c6ed9e8498d35fe9303ea9063a51c90cfbb9c06f99b476d42cc90f5ed235
Instruction ID: 3e9b913e688f760b830cb86a69413b8bce1326bacd42ec6ba54fe81f9aa2ab57
Opcode Fuzzy Hash: b0c4c6ed9e8498d35fe9303ea9063a51c90cfbb9c06f99b476d42cc90f5ed235
Instruction Fuzzy Hash: DD711472E04A0C55FBF75A12A9867EA16E0675D7CCE17E024FE0A029C5DF38CB4C8389

Function 0000000273F41740 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0000000273F4185B

Strings

Address %p has no image-section, xrefs: 0000000273F417B2, 0000000273F41905
Mingw-w64 runtime failure:, xrefs: 0000000273F41777
VirtualQuery failed for %d bytes at address %p, xrefs: 0000000273F418F1
VirtualProtect failed with code 0x%x, xrefs: 0000000273F418CE

Memory Dump Source

Source File: 00000006.00000002.3713823424.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000006.00000002.3713766770.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3713823424.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_273f40000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 0cce06267e1579f90ae27719d32f235d794723324326edd454bf682594529e94
Instruction ID: 663189738c40874af7135dc25b0b982f4eec5aa8fa6ad61ed8319b582aa1f326
Opcode Fuzzy Hash: 0cce06267e1579f90ae27719d32f235d794723324326edd454bf682594529e94
Instruction Fuzzy Hash: CB41AF72F08F4482EB14DB51E8497DA77A0F789BE0F644220DA4D07BA5EB38C685E742

Function 0000000180044FB4 Relevance: 12.1, APIs: 8, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180044FCB
_invalid_parameter_noinfo.LIBCMT ref: 0000000180044FD6

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ca76609593e7968924802dd47909a67a3de79fc0893ea02630d952cda44f7c31
Instruction ID: b8706fcba3373454a4b01edf78d16520a1e85cc0d5fe777b1d3ba09b79c1032e
Opcode Fuzzy Hash: ca76609593e7968924802dd47909a67a3de79fc0893ea02630d952cda44f7c31
Instruction Fuzzy Hash: 0C41D936604E4852EBE64B2581C13EC37A0F7097DDF258605FBA5836C2CF74CAA9C784

Function 0000000180044694 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800446B7
_errno.LIBCMT ref: 00000001800446BF
_lseek_nolock.LIBCMT ref: 000000018004471C

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno_lseek_nolock
String ID:
API String ID: 3948042459-0
Opcode ID: 5491721df6ad7ab657e95dd21b0d4c728b4e8247b75b654f02dc873897995978
Instruction ID: bdeca9385717e63bca4346382234fa7d175972a54972681b325d5814d0ceb23a
Opcode Fuzzy Hash: 5491721df6ad7ab657e95dd21b0d4c728b4e8247b75b654f02dc873897995978
Instruction Fuzzy Hash: 43213133200E8842F787AF2599C03EC2511A7887E9F1BC104FA140B2D3CF788A4AC718

Function 0000000180046524 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018004654B

Part of subcall function 00000001800407E0: _set_error_mode.LIBCMT ref: 00000001800407E9
Part of subcall function 00000001800407E0: _set_error_mode.LIBCMT ref: 00000001800407F8

Part of subcall function 0000000180040580: _set_error_mode.LIBCMT ref: 00000001800405C5
Part of subcall function 0000000180040580: _set_error_mode.LIBCMT ref: 00000001800405D6
Part of subcall function 0000000180040580: GetModuleFileNameW.KERNEL32 ref: 0000000180040638

Part of subcall function 00000001800401EC: ExitProcess.KERNEL32 ref: 00000001800401FB

Part of subcall function 00000001800429F4: malloc.LIBCMT ref: 0000000180042A1F
Part of subcall function 00000001800429F4: Sleep.KERNEL32(?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 0000000180042A32

_errno.LIBCMT ref: 000000018004658D
_lock.LIBCMT ref: 00000001800465A1
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,000000018004662F), ref: 00000001800465B7
free.LIBCMT ref: 00000001800465C4
_errno.LIBCMT ref: 00000001800465C9
LeaveCriticalSection.KERNEL32(?,?,?,000000018004662F), ref: 00000001800465EC

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: f6cddf33ec298a8bb8cbf7baaf3bba66f453517a4b756cab4bc748b5810b4bcf
Instruction ID: edbf6d34453fbc39e254c7b3028adf59088a67094ee2582bf57cf3f75258cf43
Opcode Fuzzy Hash: f6cddf33ec298a8bb8cbf7baaf3bba66f453517a4b756cab4bc748b5810b4bcf
Instruction Fuzzy Hash: 9421A471A01E8C81F6E7AB10E5843EE2264E74C7C8F16D425B646576E6DF38CA4CC74A

Function 0000000180040380 Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800403A9

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 00000001800403DC
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 00000001800403FA
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 000000018004043A
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 0000000180040454
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 0000000180040464
ExitProcess.KERNEL32 ref: 00000001800404F0

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: 90629936087b4b343afb6f5e2ea20390e49e002a64f4209c8e454aa55673ad60
Instruction ID: 28dce3b8938bf884f7e9275428b3a2511fbaf5e224c98a8887a53a350d5d9406
Opcode Fuzzy Hash: 90629936087b4b343afb6f5e2ea20390e49e002a64f4209c8e454aa55673ad60
Instruction Fuzzy Hash: 5041BD71212F8885E6C28F11EC8439962A5F78CBCCF25C424FA5E537A5EF78C68D8709

Function 00000001800481E0 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180048203
_errno.LIBCMT ref: 000000018004820B

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9c7078870c8113ac2fa39057a7caf9cf7a186e07d7669db40971e880b171e245
Instruction ID: 88e291cd6d8539d56209442e2423bdf494ec1d3842b4b11067e362a5da303880
Opcode Fuzzy Hash: 9c7078870c8113ac2fa39057a7caf9cf7a186e07d7669db40971e880b171e245
Instruction Fuzzy Hash: 4321D032310D4C41FA976F15DA813ED2611AB48BF8F1B8B05FE340B2D3CEB88A45A358

Function 0000000180044ED4 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180044EF7
_errno.LIBCMT ref: 0000000180044EFF

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e06bde92bf7a4f08831d8cf039223712935559a8b634ef27faa4aece7a856289
Instruction ID: 3623e0460e9e27de6361ba960c2d9fdc26985ee9637d6ca9ed7da609fcd3abb5
Opcode Fuzzy Hash: e06bde92bf7a4f08831d8cf039223712935559a8b634ef27faa4aece7a856289
Instruction Fuzzy Hash: 64212333210E4C46F697AF25D9C13ED2611AB88BE9F1BC114FA140B2D3CF788A49C758

Function 00000001800490FC Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180049115
FlushFileBuffers.KERNEL32(?,?,?,0000000180043B12), ref: 0000000180049178
GetLastError.KERNEL32(?,?,?,0000000180043B12), ref: 0000000180049182
__doserrno.LIBCMT ref: 0000000180049192
_errno.LIBCMT ref: 0000000180049199

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: efec3c3d13410bf04e0dd30c0ef053db8f256237de7b4ac0eddf3cca2fd18b4a
Instruction ID: aae8da55411f6dd9c1530ed359ea5e4f4d8b6876908d31b57a3ddde22457d520
Opcode Fuzzy Hash: efec3c3d13410bf04e0dd30c0ef053db8f256237de7b4ac0eddf3cca2fd18b4a
Instruction Fuzzy Hash: 3D21F931701E8D41F6936FA598C83ED2651A7887D8F1BC528B615173E2CE788A8CD358

Function 000000018004757C Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018004759B

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

Part of subcall function 00000001800471B8: _getptd.LIBCMT ref: 00000001800471C2
Part of subcall function 00000001800471B8: _amsg_exit.LIBCMT ref: 000000018004725F

Part of subcall function 0000000180047274: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00000001800475B6,?,?,?,?,?,0000000180047773), ref: 000000018004729E

Part of subcall function 00000001800429F4: malloc.LIBCMT ref: 0000000180042A1F
Part of subcall function 00000001800429F4: Sleep.KERNEL32(?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 0000000180042A32

free.LIBCMT ref: 0000000180047626

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

_lock.LIBCMT ref: 0000000180047656
free.LIBCMT ref: 00000001800476F9
free.LIBCMT ref: 0000000180047725
_errno.LIBCMT ref: 000000018004772A

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$FreeHeapSleep_lockmalloc
String ID:
API String ID: 2578750445-0
Opcode ID: 94a589883ec5155802fd95d7fab442aedf742fc852adba6379efa46134cd3324
Instruction ID: da64bb642503be74eb0f6c14831e4ed13401b41da4aced71e1065a25a4b3c3bf
Opcode Fuzzy Hash: 94a589883ec5155802fd95d7fab442aedf742fc852adba6379efa46134cd3324
Instruction Fuzzy Hash: 9351B132300E8846E7E69B24A4803EA77A1F348BC8F56C116FA4E473E7CE38C649C744

Function 0000000180045FFC Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 0000000180046015
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 000000018004606C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460A7
free.LIBCMT ref: 00000001800460B4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460BF
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460CD

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 162e3acb479bf9528d8707f072606d60b166762714a5c8eb78a8a61cfab57453
Instruction ID: 28af58077e327febc6153a716ebded174d2046a11fd0603b2a2b94e2c4208846
Opcode Fuzzy Hash: 162e3acb479bf9528d8707f072606d60b166762714a5c8eb78a8a61cfab57453
Instruction Fuzzy Hash: 31219532A04B8485EBA68F11B48039A77E4F78DFC8F498114FE8A07764EF38D695C709

Function 0000000180043934 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018004394D
_errno.LIBCMT ref: 0000000180043955

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3cad00805c535d9d6a24c2447e46d4ac982fe79615d762552acafacf46815b53
Instruction ID: 94c96575089f4780a32a9ec00bd264dd4655c24e9f54b770cefb0f1c2659e3b0
Opcode Fuzzy Hash: 3cad00805c535d9d6a24c2447e46d4ac982fe79615d762552acafacf46815b53
Instruction Fuzzy Hash: 6B110632A00E8C42F6976F2699C23DC2651A7487E9F27E518B516073D3CEB88E48C758

Function 00000001800432A8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432B2
FlsGetValue.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432C0
SetLastError.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180043318

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

FlsSetValue.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432EC
free.LIBCMT ref: 000000018004330F

Part of subcall function 00000001800431F0: _lock.LIBCMT ref: 0000000180043244
Part of subcall function 00000001800431F0: _lock.LIBCMT ref: 0000000180043263

GetCurrentThreadId.KERNEL32 ref: 0000000180043300

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 6c9f45206866909c37ad9c1b1df65dd8d4f15302a450987df3cd1bb5765d3834
Instruction ID: e35cefd1ee5cff6cda42b7689ae65c05deeff37c9490ea75c646b2ce74ee25c0
Opcode Fuzzy Hash: 6c9f45206866909c37ad9c1b1df65dd8d4f15302a450987df3cd1bb5765d3834
Instruction Fuzzy Hash: 4B018830200F8886FFD79F6594C53A86261AB4D7D8F05C624FD25033D1EE38C68C8314

Function 000000018003F8D4 Relevance: 7.7, APIs: 5, Instructions: 170COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F913
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F91E
memcpy_s.LIBCMT ref: 000000018003F9E7
_fileno.LIBCMT ref: 000000018003FA5A
_errno.LIBCMT ref: 000000018003FAD9

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_fileno_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 897514287-0
Opcode ID: 9c77f83cd8700deaabc0fd9fd6977863926e76bbc046ac42a92e242d67ca67a7
Instruction ID: 0586abbaa753a26bf92c3da2f0c0844abfb432f7583a0abf359983cbd5339943
Opcode Fuzzy Hash: 9c77f83cd8700deaabc0fd9fd6977863926e76bbc046ac42a92e242d67ca67a7
Instruction Fuzzy Hash: 4B513431304A4895EAB79E2695007BB6B80B74DBE4F19C7217E6D57BD0CF36C69A8340

Function 0000000180048EF4 Relevance: 7.6, APIs: 5, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180046524: _FF_MSGBANNER.LIBCMT ref: 000000018004654B

_lock.LIBCMT ref: 0000000180048F2E
_lock.LIBCMT ref: 0000000180048F87
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048F9C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048FC7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048FD7

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin
String ID:
API String ID: 3451527041-0
Opcode ID: ad7bfc99954593bcf8eda28a1d2ef663cbe48e0c93a53522361127f56cae083a
Instruction ID: 8c218b1dd958de25de949e51088d6abf58d8baf781aaa410045e41d8f4ca076a
Opcode Fuzzy Hash: ad7bfc99954593bcf8eda28a1d2ef663cbe48e0c93a53522361127f56cae083a
Instruction Fuzzy Hash: 9351E672601F4886EBA28B50D4803ADA691F7987ECF068625FE6A033D5DF78C65DC705

Function 0000000180041920 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000000018004193D

Part of subcall function 00000001800439F8: _errno.LIBCMT ref: 0000000180043A01
Part of subcall function 00000001800439F8: _invalid_parameter_noinfo.LIBCMT ref: 0000000180043A0C

_errno.LIBCMT ref: 000000018004194D
_errno.LIBCMT ref: 0000000180041969
_isatty.LIBCMT ref: 00000001800419CA
_getbuf.LIBCMT ref: 00000001800419D6

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 4ff880635ef4d904e09ebc87325dda54b86b1ac69e38fcb8f2c0d3ea48b9a742
Instruction ID: eb1a6f5e6da6c3769f147ceaaaa7fc0fc70cae78f6684998a98c0054d036f7c8
Opcode Fuzzy Hash: 4ff880635ef4d904e09ebc87325dda54b86b1ac69e38fcb8f2c0d3ea48b9a742
Instruction Fuzzy Hash: CD41F472600F4C4AEBD69F29C4913EC36A0F748BD8F168215FA69473D5DE34CA55C788

Function 000000018004A458 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018004A4B2
malloc.LIBCMT ref: 000000018004A516
MultiByteToWideChar.KERNEL32 ref: 000000018004A55E
GetStringTypeW.KERNEL32 ref: 000000018004A575
free.LIBCMT ref: 000000018004A589

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 93dcc5b94d4ecd0e86884504227929fb1291d854fb79cbca14ab971fb09c5493
Instruction ID: c1e8cdc11ca7ad10a2207395aac586f5b43039c7c9522db95887dc8847b2f22a
Opcode Fuzzy Hash: 93dcc5b94d4ecd0e86884504227929fb1291d854fb79cbca14ab971fb09c5493
Instruction Fuzzy Hash: 1F419432204F8486FB929F25A8407DA6395F78DBECF5A8611BE2D477D4DF38C5098708

Function 0000000180042E78 Relevance: 7.6, APIs: 5, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 0000000180042EB9
_exception_enabled.LIBCMT ref: 0000000180042EDB

Part of subcall function 0000000180042DBC: _set_statfp.LIBCMT ref: 0000000180042DE3
Part of subcall function 0000000180042DBC: _set_statfp.LIBCMT ref: 0000000180042E56

_raise_excf.LIBCMT ref: 0000000180042F27
_ctrlfp.LIBCMT ref: 0000000180042F73
_ctrlfp.LIBCMT ref: 0000000180042FA4

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_excf
String ID:
API String ID: 3843346586-0
Opcode ID: 4fed85a8e9323bfe2c854ad3ef067d745824d256f9f05b55b1c983bcfd5a2ff9
Instruction ID: 35ab72a1ed03ce81a25cb5b39f41f12cf8ca01baf8c7fa63cc16a06614d8d2ce
Opcode Fuzzy Hash: 4fed85a8e9323bfe2c854ad3ef067d745824d256f9f05b55b1c983bcfd5a2ff9
Instruction Fuzzy Hash: 5041E432614E888AE752DB26E4813EEB771FBCD3C8F415325FA4956A58DF38D589CB00

Function 000000018003E624 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E64D
DecodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E65D

Part of subcall function 0000000180042B80: _errno.LIBCMT ref: 0000000180042B89
Part of subcall function 0000000180042B80: _invalid_parameter_noinfo.LIBCMT ref: 0000000180042B94

EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6DB

Part of subcall function 0000000180042AF8: realloc.LIBCMT ref: 0000000180042B23
Part of subcall function 0000000180042AF8: Sleep.KERNEL32(?,?,00000000,000000018003E6CB,?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 0000000180042B3F

EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6EB
EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6F8

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: ed15b638c86beb6079fb653881b7bedfcb1da94e35fa47f475b2029b95edd674
Instruction ID: fe7b83a0f1e081e7fa5e6d38d200593cd4bdb274e8300509f1d988dc7ce839eb
Opcode Fuzzy Hash: ed15b638c86beb6079fb653881b7bedfcb1da94e35fa47f475b2029b95edd674
Instruction Fuzzy Hash: B521A130302B8881EA939B52E9893CAA352B34EBD4F45C825F91E17394DE78C68D8344

Function 000000018004634C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180046383
GetCurrentProcessId.KERNEL32 ref: 000000018004638E
GetCurrentThreadId.KERNEL32 ref: 000000018004639A
GetTickCount.KERNEL32 ref: 00000001800463A6
QueryPerformanceCounter.KERNEL32 ref: 00000001800463B7

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 92565ea8d5c85b212df12a7ebaa521c2a5878a6861afd3c9b07c384d7c5c1395
Instruction ID: 4acdcd43e76b003da33731daa7b3035c29bec53c6226794cfad176108422307a
Opcode Fuzzy Hash: 92565ea8d5c85b212df12a7ebaa521c2a5878a6861afd3c9b07c384d7c5c1395
Instruction Fuzzy Hash: 3101A131214E4886E792CF21E8847857360F74DBD8F05A520FE6A177A0DF38CAC88305

Function 0000000180048DB0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180048DB9
_errno.LIBCMT ref: 0000000180048DC1

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 04538ce0f69410465c08cf912922deca18a28768c91d40277fbb7ad585d34a5d
Instruction ID: 3fb9fc9a06773a5ddc4cf9db8930bc32603d4213745492d31301100f49cfba50
Opcode Fuzzy Hash: 04538ce0f69410465c08cf912922deca18a28768c91d40277fbb7ad585d34a5d
Instruction Fuzzy Hash: 730181B2A01E4C41FE976B55C8C13EC22519B98BE9FA7CB05F629063D2CFB846089355

Function 000000018002E3F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

powf.LIBCMT ref: 000000018002E76E

Strings

Failed to refit Opcode model., xrefs: 000000018002E902
..\..\Cooking\src\ConvexMeshBuilder.cpp, xrefs: 000000018002E912
Failed to rebuild Opcode model., xrefs: 000000018002E940

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: powf
String ID: ..\..\Cooking\src\ConvexMeshBuilder.cpp$Failed to rebuild Opcode model.$Failed to refit Opcode model.
API String ID: 3445610689-3682976713
Opcode ID: 216dec962e8dca91ec4070bef38bf642e1f4696c0a72cbfcd53967bfc60aac4b
Instruction ID: c1c056e1c85f343c2078a2337025b71bb37fd292796a6b4142674db4036b91a6
Opcode Fuzzy Hash: 216dec962e8dca91ec4070bef38bf642e1f4696c0a72cbfcd53967bfc60aac4b
Instruction Fuzzy Hash: A5E14233A347C89AD342CB3694853E9B360FF6E789F299716EB04321B5DB2161D5AF10

Function 0000000180041694 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 00000001800416CF
_errno.LIBCMT ref: 00000001800416D9
_invalid_parameter_noinfo.LIBCMT ref: 00000001800416E0

Strings

-, xrefs: 00000001800416FB

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 7fdfd41007377c7044378e94245d290bf8d3290ad409f6aff9913dfa4249c632
Instruction ID: d709b449ce76c0cccf1e9d4ca559e2f814d34352179fa1e3acc4947a0398de61
Opcode Fuzzy Hash: 7fdfd41007377c7044378e94245d290bf8d3290ad409f6aff9913dfa4249c632
Instruction Fuzzy Hash: 5831F832308E8849EBA29A21E4807DDB7A0BB49BD9F55C211FF9807BC5DF38C649C704

Function 0000000180047EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180047F09
_invalid_parameter_noinfo.LIBCMT ref: 0000000180047F15
_errno.LIBCMT ref: 0000000180047F3C

Strings

1, xrefs: 0000000180047F8B

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: acab422b16e29b316407dfade680dd80396a7f151f61521eb08063fae4db2bda
Instruction ID: 3afd2d037a64dffeabbd375ce9f5099401c357d53f3d192c0fa9e8baf7547702
Opcode Fuzzy Hash: acab422b16e29b316407dfade680dd80396a7f151f61521eb08063fae4db2bda
Instruction Fuzzy Hash: 8C21C232719AC895F7979B2484903EC6A9097197C8F9BC071B64D06383DE2ACB4DC719

Function 0000000180043114 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000000180043122
malloc.LIBCMT ref: 000000018004312E

Part of subcall function 000000018003E168: _FF_MSGBANNER.LIBCMT ref: 000000018003E198
Part of subcall function 000000018003E168: HeapAlloc.KERNEL32(?,?,00000000,0000000180042A24,?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 000000018003E1BD
Part of subcall function 000000018003E168: _callnewh.LIBCMT ref: 000000018003E1D6
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1E1
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1EC

std::exception::exception.LIBCMT ref: 000000018004319B

Strings

bad allocation, xrefs: 000000018004316B

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 69166dead89ba0001818fcb42f863f8f744a8727467665a40b2d329f3b4ae9c4
Instruction ID: 2638e90aacf5b7bd257e9f3c7290f5987344553ab20e9d5bcdf450cefdde47fc
Opcode Fuzzy Hash: 69166dead89ba0001818fcb42f863f8f744a8727467665a40b2d329f3b4ae9c4
Instruction Fuzzy Hash: FF012971210F4D95FAA2EF10FC913E923A1AB4C3C8F999515B98A466A6EF78C34CC744

Function 00000001800401B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00000001800401F9,?,?,00000028,000000018003E1B1,?,?,00000000,0000000180042A24,?,?,?,0000000180046585), ref: 00000001800401BF
GetProcAddress.KERNEL32(?,?,000000FF,00000001800401F9,?,?,00000028,000000018003E1B1,?,?,00000000,0000000180042A24,?,?,?,0000000180046585), ref: 00000001800401D4

Strings

CorExitProcess, xrefs: 00000001800401CA
mscoree.dll, xrefs: 00000001800401B8

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: ba0dafc19b2472185031fd18bc234a06f9b3256a42d53cff56055289a2376332
Instruction ID: a0660a350e574b67e0b4226d0f2eee7d3bf1d40f10e0bb7c7f0877cdf3d5dc59
Opcode Fuzzy Hash: ba0dafc19b2472185031fd18bc234a06f9b3256a42d53cff56055289a2376332
Instruction Fuzzy Hash: 47E01230701B0841FF9B5B90ACE87E812905B4DB85F49D428A81E163A0DE78C7CDC354

Function 0000026DB5F026B0 Relevance: 6.4, APIs: 5, Instructions: 132COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000026DB5F02707
SetLastError.KERNEL32 ref: 0000026DB5F02746

Memory Dump Source

Source File: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB5F00000, based on PE: true

Associated: 00000006.00000002.3723009009.0000026DB5F46000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db5f00000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
Instruction ID: 704abdf99882da1150ed68e9be238f7420c9e97eaaa618776be8d67a3753709f
Opcode Fuzzy Hash: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
Instruction Fuzzy Hash: 90510F36B19B4486DB64CF19E44432AB7E0F78CB88F55052AEA8E877A8DB3DC444CB14

Function 0000000180032FB0 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180030FB0: wprintf.LIBCMT ref: 00000001800310BC

sinf.LIBCMT ref: 00000001800330CF
cosf.LIBCMT ref: 00000001800330DA
sinf.LIBCMT ref: 00000001800331BF
cosf.LIBCMT ref: 00000001800331CA

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinf$wprintf
String ID:
API String ID: 2107656780-0
Opcode ID: 382b214eebf19062cad19f456cb08a0201fd66ced005d341dfe06ad299dadf82
Instruction ID: 46b4470296fbe892be20eddff3f83e40b80dd16ede03d11ccee520d7224549a9
Opcode Fuzzy Hash: 382b214eebf19062cad19f456cb08a0201fd66ced005d341dfe06ad299dadf82
Instruction Fuzzy Hash: D5819632A24B8C85E253973754823EAB350BF6E3D5F2ED712FE4436672DB3592859700

Function 0000000180012900 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

cosf.LIBCMT ref: 00000001800129EF
sinf.LIBCMT ref: 00000001800129FB
cosf.LIBCMT ref: 0000000180012A1F
sinf.LIBCMT ref: 0000000180012A33

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinf
String ID:
API String ID: 3160392742-0
Opcode ID: 710fe8378ab7627c6d3ad517a7fb43d291aca31b161ca0839560dead9768729b
Instruction ID: 1cead7b32d2bbf2f5b55d1c3a91411fd1ac8757cce8477ee880dc762cf88697a
Opcode Fuzzy Hash: 710fe8378ab7627c6d3ad517a7fb43d291aca31b161ca0839560dead9768729b
Instruction Fuzzy Hash: B961A332A20BCC89F3539B3598413E9B390FF6D399F59D316F958637A1EB3496968300

Function 00000001800466C4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180046712
_invalid_parameter_noinfo.LIBCMT ref: 000000018004671D
DecodePointer.KERNEL32(?,?,?,?,?,00000001800418D4), ref: 00000001800467CC
_lock.LIBCMT ref: 00000001800467F7

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 3ba312c050f11dc89975966b9274c87d68241d0575a534c57e7272571b709c94
Instruction ID: 3bc55bf60f611b24502ee0385f2e896cb3150c86a8d65ec0ab32753a95d692e4
Opcode Fuzzy Hash: 3ba312c050f11dc89975966b9274c87d68241d0575a534c57e7272571b709c94
Instruction Fuzzy Hash: BA519931A04F4882F6EB8B1494C43E96791F78D7CCF66C519F95A026A4EF39DA4DC30A

Function 000000018003F378 Relevance: 6.1, APIs: 4, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F39D
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F3A8
_fileno.LIBCMT ref: 000000018003F3B5

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fileno_invalid_parameter_noinfo
String ID:
API String ID: 3179357039-0
Opcode ID: d41cd86fc7fb8144f4059a54d214e4fa40f97208075d2dc81462a2ea984e8e8f
Instruction ID: d0906d9fb1a41af227b7a35f2f9a52febfb977d410d2cbb6bbfff6933d0bdc86
Opcode Fuzzy Hash: d41cd86fc7fb8144f4059a54d214e4fa40f97208075d2dc81462a2ea984e8e8f
Instruction Fuzzy Hash: 6B51AE32200B8D86EBB79E25C4453AB3791E788BD8F5AC115EE45073D5CE76CA49C340

Function 000000018003F6B8 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F6EF
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F6FA
_flush.LIBCMT ref: 000000018003F7AF
_fileno.LIBCMT ref: 000000018003F7D0

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fileno_flush_invalid_parameter_noinfo
String ID:
API String ID: 329365992-0
Opcode ID: 698076d28cb656be0e290576a6c6d4183abae3acb9cc80cd1dacd601588005bc
Instruction ID: 994570d0ed5c695223296e2820c58eafbc39b0a3d3290f0a7fd1d0bd978d184a
Opcode Fuzzy Hash: 698076d28cb656be0e290576a6c6d4183abae3acb9cc80cd1dacd601588005bc
Instruction Fuzzy Hash: 3041383130864846EEFB8E26A5443FFA781B74CBD4F2AC224BE55477D5DE39C64A8300

Function 0000000180041424 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041462
_invalid_parameter_noinfo.LIBCMT ref: 000000018004146C
_errno.LIBCMT ref: 0000000180041490
_invalid_parameter_noinfo.LIBCMT ref: 000000018004149A

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 685b8ff2d911154aa2a8e8b67757949be9fab10ec942415c646d9afbcf8df801
Instruction ID: 7cefe7ca653a2f4658f3ee0a3df96f0f0be2bf27072e95f2b595b8178f122df2
Opcode Fuzzy Hash: 685b8ff2d911154aa2a8e8b67757949be9fab10ec942415c646d9afbcf8df801
Instruction Fuzzy Hash: 2441B132204B888AEB92EF15D5C43DD77A0F788BD5F568121EB8A43B92DF38C559C704

Function 0000000273F41010 Relevance: 6.1, APIs: 4, Instructions: 107sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0000000273F41055
_amsg_exit.MSVCRT ref: 0000000273F4107F

Memory Dump Source

Source File: 00000006.00000002.3713823424.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000006.00000002.3713766770.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3713823424.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_273f40000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 1aa7096d3279892f89bb6938d1e8f798873b932fab0900364294d29769eafb3e
Instruction ID: b36ed253b1f92ff08f278adfa0ead6049e2a2874eebc081211355efa6209b103
Opcode Fuzzy Hash: 1aa7096d3279892f89bb6938d1e8f798873b932fab0900364294d29769eafb3e
Instruction Fuzzy Hash: 08417C31E0CA4885F765DB1AEC497AA2395B784BE4F744025DE0C87FA1EE28CA40B343

Function 00000001800440E4 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800440F8

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,000000018001BA07), ref: 00000001800441B0
free.LIBCMT ref: 00000001800441C5
EnterCriticalSection.KERNEL32 ref: 00000001800441E7

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
String ID:
API String ID: 3786353176-0
Opcode ID: 2d8fe9b17452f9be50c8f4dde2f5c65ad41ce5bf3704b10e52e00b94b0c4d927
Instruction ID: 77d012aec7b7a8e0eae38a5513b7aa1e5a3cf52bfde04b3ae6aefb7f7a7b0724
Opcode Fuzzy Hash: 2d8fe9b17452f9be50c8f4dde2f5c65ad41ce5bf3704b10e52e00b94b0c4d927
Instruction Fuzzy Hash: BC419132611F8882F7969B15E8803AC7761F758BD8F16C515EA590B2F1DF38CA89C748

Function 000000018003F36C Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F2C3
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F2CE
_errno.LIBCMT ref: 000000018003F300
_errno.LIBCMT ref: 000000018003F312

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 99ea2aa7fa037c728c670b1af3ab4c704a45c8a6972333f03af08050f1a032be
Instruction ID: a8714d15938ca0f6a90d651474b82c1258147739466bb9e11812dd49b4ea1a94
Opcode Fuzzy Hash: 99ea2aa7fa037c728c670b1af3ab4c704a45c8a6972333f03af08050f1a032be
Instruction Fuzzy Hash: B921C335614A8A85FBA3AB21A8013AF6391B74CBC4F06D421BA8987B85DF3DC705C744

Function 00000001800471B8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800471C2

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

_lock.LIBCMT ref: 00000001800471F0
free.LIBCMT ref: 0000000180047226
_amsg_exit.LIBCMT ref: 000000018004725F

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 448ee291d70af40f8b290fc170a3ec04642eda76fc7755001fed3b988956531a
Instruction ID: 03751925d89ad7c75a090659d8e6fec9e03ae648af79c615cbbbc49a299d30f7
Opcode Fuzzy Hash: 448ee291d70af40f8b290fc170a3ec04642eda76fc7755001fed3b988956531a
Instruction Fuzzy Hash: F9110031215E4882EAD69B51E5817E973A4F78C7C8F499026FA4D037A6DF38C658CB05

Function 00000001800431C8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,000000018003FFDE), ref: 00000001800431D7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464B7
free.LIBCMT ref: 00000001800464C0
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464E7

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 9228b09e253a007911eda0d127ec13b25624cc88dbbd8a24fc5e966267fe7591
Instruction ID: 7a905e3c905827164463eee99df514b0c51316a8045c2e4bb92215e5cfa9d33c
Opcode Fuzzy Hash: 9228b09e253a007911eda0d127ec13b25624cc88dbbd8a24fc5e966267fe7591
Instruction Fuzzy Hash: 5011A731A41E88CAFFE68F11F4803987360F799BE8F598216F659022B5DF38C68D8705

Function 00000001800491D4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800491E8

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

fclose.LIBCMT ref: 0000000180049218
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180043D17), ref: 000000018004923C
free.LIBCMT ref: 000000018004924D

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 68e91f0215962c8046d3153dc38de0d0fe5a82dc01a661f0b9ce8fe4bd2a4dd0
Instruction ID: 0c0a23507bb2629b1bc646a7cbb6b0bd2226b194344c5b0705f97f05c29633ea
Opcode Fuzzy Hash: 68e91f0215962c8046d3153dc38de0d0fe5a82dc01a661f0b9ce8fe4bd2a4dd0
Instruction Fuzzy Hash: 53119435505E4892E6928B59E8C43DD7760F7C8BD8F22C225FA6A433B5CF79C649C708

Function 0000000180047A88 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000180047A8E

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

_getptd.LIBCMT ref: 0000000180047AAE
_lock.LIBCMT ref: 0000000180047AC1
_amsg_exit.LIBCMT ref: 0000000180047AEF

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 1e2951db7288fe683079fa74c1d0abc9f5b6e3ca7d7c7624e94539af6c24109d
Instruction ID: 30bf2c9c459df01ed59fad58da7d5b88ae189090fbb2b18f494d1813002e01c0
Opcode Fuzzy Hash: 1e2951db7288fe683079fa74c1d0abc9f5b6e3ca7d7c7624e94539af6c24109d
Instruction Fuzzy Hash: 3EF0187170180881F6D6AB5184817ED2361E79C7C8F0A9175FA0D073D3DE24875CC719

Function 0000000180034DC0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180032FB0: sinf.LIBCMT ref: 00000001800330CF
Part of subcall function 0000000180032FB0: cosf.LIBCMT ref: 00000001800330DA

Part of subcall function 0000000180032FB0: sinf.LIBCMT ref: 00000001800331BF
Part of subcall function 0000000180032FB0: cosf.LIBCMT ref: 00000001800331CA

wprintf.LIBCMT ref: 00000001800350B0
wprintf.LIBCMT ref: 000000018003522C

Strings

Cant normalize ZERO vector, xrefs: 00000001800350A9, 0000000180035225

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinfwprintf
String ID: Cant normalize ZERO vector
API String ID: 478498997-1862362117
Opcode ID: 8f3b28573348b3f5bc6031dba9d50d39b873ffff9a8f37479b0f46ab6967f4a8
Instruction ID: f98a87a50659f58f53137574a4a326717961e7e6fcb01f50f0ee04a1c3ccac6a
Opcode Fuzzy Hash: 8f3b28573348b3f5bc6031dba9d50d39b873ffff9a8f37479b0f46ab6967f4a8
Instruction Fuzzy Hash: 08028633924B888AD352CB3790856AAB760FFAE3D4F299702FE44727B5DB35D5449B00

Function 000000018003FCA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018003FD5E

Part of subcall function 0000000180042E78: _ctrlfp.LIBCMT ref: 0000000180042EB9
Part of subcall function 0000000180042E78: _exception_enabled.LIBCMT ref: 0000000180042EDB
Part of subcall function 0000000180042E78: _raise_excf.LIBCMT ref: 0000000180042F27
Part of subcall function 0000000180042E78: _ctrlfp.LIBCMT ref: 0000000180042F73

Strings

!, xrefs: 000000018003FD88
asinf, xrefs: 000000018003FD12

Memory Dump Source

Source File: 00000006.00000002.3709705453.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.3708081627.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709822904.000000018004E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709871787.000000018005C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3709927111.000000018005E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3710854422.0000000180062000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711678307.0000000180064000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3711773658.0000000180068000.00000010.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3712804747.0000000180069000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd

Similarity

API ID: _ctrlfp$_exception_enabled_raise_excf_set_statfp
String ID: !$asinf
API String ID: 3072139147-2917828882
Opcode ID: ff56a0d4b1c6a47029269032c783d636fad6bda69c86f508603d91954b0104b9
Instruction ID: d0c98440cba4b73ae54bff3046531fc7f845b546b7e426e5b618ba2336869eec
Opcode Fuzzy Hash: ff56a0d4b1c6a47029269032c783d636fad6bda69c86f508603d91954b0104b9
Instruction Fuzzy Hash: C051AA329246CC86E2A3C73BA4813E6B750AFAD3C5F29C705F940756B5DF2A91995F00

Function 0000026DB5F01C80 Relevance: 5.2, APIs: 4, Instructions: 177COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 0000026DB5F01D0E
SetLastError.KERNEL32 ref: 0000026DB5F01D6A

Memory Dump Source

Source File: 00000006.00000002.3723009009.0000026DB5F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000026DB5F00000, based on PE: true

Associated: 00000006.00000002.3723009009.0000026DB5F46000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26db5f00000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
Instruction ID: e20c92273ac364b1c8b2e606a10b2d5d3abd151bbac4ed5518cc8299c239f9d7
Opcode Fuzzy Hash: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
Instruction Fuzzy Hash: 13919A76719B8886DB60CF0AE89475AB7A0F7CCB98F554115EA8E83768DF3DC444CB00

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FW3x3p4eZ5.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\50adb1.rbs

C:\Users\user\AppData\Roaming\vierm_soft_x64.dll

C:\Windows\Installer\50adaf.msi

C:\Windows\Installer\MSIAE8A.tmp

C:\Windows\Installer\MSIAF18.tmp

C:\Windows\Installer\MSIAF48.tmp

C:\Windows\Installer\MSIAF68.tmp

C:\Windows\Installer\MSIAFE6.tmp

C:\Windows\Installer\MSIB093.tmp

C:\Windows\Installer\SourceHash{61449C75-AB36-4299-A465-A142FC439D7F}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\Temp\~DF00DB0F31828C5AAA.TMP

C:\Windows\Temp\~DF33762007915439EB.TMP

C:\Windows\Temp\~DF4BD044A96DF87FA9.TMP

Windows Analysis Report
FW3x3p4eZ5.msi

Function 00844BA0 Relevance: 36.5, APIs: 24, Instructions: 502
comCOMMON

Function 00846A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Function 008457C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Function 0084CDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Function 00845E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Function 008770BB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 008452F0 Relevance: 52.9, APIs: 14, Strings: 16, Instructions: 402
libraryloadersleepCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre