Edit tour

Windows Analysis Report
Acrobat_DC_x64_VIP_v10.12.msi

Overview

General Information

Sample name:	Acrobat_DC_x64_VIP_v10.12.msi
Analysis ID:	1560658
MD5:	b9632555b2c19b9182cab9c098c22d8e
SHA1:	100d612540c51413141f52c3888114cddb76e9a0
SHA256:	1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2
Infos:

Detection

BumbleBee

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

System process connects to network (likely due to code injection or exploit)

Yara detected BumbleBee

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to determine the online IP of the system

Searches for specific processes (likely to inject)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7292 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Acrobat_DC_x64_VIP_v10.12.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7328 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

Reader_Install_Setup.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe" MD5: E4E96D377207C990295577E0EBD93F79)

rundll32.exe (PID: 7408 cmdline: "rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BumbleBee	This malware is delivered by an ISO file, with an DLL inside with a custom loader. Because of the unique user-agent "bumblebee" this malware was dubbed BUMBLEBEE. At the time of Analysis by Google's Threat Analysis Group (TAG) BumbleBee was observed to fetch Cobalt Strike Payloads.	EXOTIC LILY GOLD CABIN TA578 TA579	http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/ https://bin.re/blog/the-dga-of-bumblebee/ https://blog.cerbero.io/?p=2617	https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee

Malware Configuration

Threatname: BumbleBee

{"C2 url": ["ejz7h2nwpe9p.live", "tok60x6gccij.live", "aummhmvbuvf7.live", "x5a5l51t3vh5.live", "y82gwd3wieon.live", "b8y5k2ri9mez.live", "cc3bxmp3p9ww.live", "zv119x3fg98y.live", "vrsi1nlyz8hp.live", "u8fbv3mj3v2o.live", "iri6971t7ge3.live", "9nrkgb5ymmhx.live", "72sisvsb57q6.live", "nlkef4koisho.live", "n1gd464fiz18.live", "qmgxpjkisusl.live", "vmh0ep7s9854.live", "vo3yj33yyalx.live", "541xdsl3qrmo.live", "h64g4n2r4pio.live", "bdleys30kkz3.live", "2e0ygf9sxa6j.live", "hlhhny6jyz0h.live", "w2pjbfv1lp0s.live", "ituux0ny27ur.live", "it44epclfvn0.live", "w84emvz3j8hk.live", "t6fln95iafzj.live", "jbo4jhymyavk.live", "y0rqp62hxwp0.live", "rzctrohkd26r.live", "q8txsh5ger29.live", "nmmbz5mvu9b6.live", "forned95q3gl.live", "nvzd7pgfgpxt.live", "y3md2wem8eab.live", "sztn5z9mczvv.live", "hfswfaj1th9o.live", "iaqxv2w3o0xc.live", "ugo1867z96wg.live", "sdj52uv9ye3b.live", "wrkxzshr4idg.live", "4xtvsj1w0qwx.live", "gn5827958xrg.live", "x1jlunfqrqtv.live", "hquppb63rgrg.live", "o91173l27glq.live", "3ysjrezb3os9.live", "5nhc44cf83r7.live", "utltlu232nmc.live", "px5wxjvm0958.live", "sip8h0d4tgrf.live", "3ofolpuywddt.live", "ig42hrwh0svv.live", "r4og0ibkr2i1.live", "s542jqly9hk1.live", "6yb78j9xx6kg.live", "67foms8ek35i.live", "a1xbi34msajq.live", "oltfqksrbe1h.live", "olka4w167pg5.live", "cq72kwl2pw8w.live", "em3wdkia152l.live", "4cxyghx0ba1x.live", "99onc4240lhw.live", "are8uz74o21e.live", "7u78fpro0nvy.live", "mak2p2u1p6oc.live", "3l6704byr3c4.live", "ijxbxsajcb1p.live", "qnlqvmlc95m4.live", "dkm740j7a284.live", "j40qreidx6y3.live", "we0f3yexor36.live", "dd5bzcuuvist.live", "eldzk3tkcta3.live", "a6rtdeit0sty.live", "hu3dj149h820.live", "77mk5fucuhe8.live", "437jwomut9vr.live", "eqg3217g92zf.live", "i22gcdhfevxk.live", "xxdueooznk6v.live", "tzcodnn2epik.live", "ejr4r59avayq.live", "0ws4d9s611dt.live", "frsgmv876w5a.live", "ntrzvqm429kj.live", "3l9jbihmbpmk.live", "cbugpmw95dcb.live", "miq50i5wpk85.live", "h8pwl3uhwlfn.live", "qj3zj9oywxx7.live", "zd6j8je6phb4.live", "t6ocigyxberq.live", "pdim2swkrf2v.live", "mppytmrfpgug.live", "i5ke68h24a00.live", "qxul3spnx991.live", "vzrt76g9gk0g.live", "yc6716yc7nf7.live", "87bnnasq71mu.live", "obmwpmuwhfu7.live", "0aw4a73tdsz1.live", "n6nzy4xlso4s.live", "syhmn2nbxrtr.live", "exiarctkfedq.live", "j5p6emlxlecl.live", "egdk83k09qmr.live", "0fhr0297aorb.live", "6z4lwstr3zxx.live", "lh37yjie545p.live", "lfi8tslls020.live", "ppgwgn0qtww4.live", "0k6o18rmf93s.live", "sucnfknz0x3m.live", "r33j2bx1ieh9.live", "rti8b3e5byh3.live", "uj8gs5xxvv4g.live", "y7bc5b0ezh5m.live", "vh378qqwk9vc.live", "uamdjqdesjmn.live", "rfzo8fwm7pdw.live", "9gle7ejwpees.live", "26wem2p2aunb.live", "2ujyrqt4xzmp.live", "kg6w8hdimtgi.live", "dggn2tge08jf.live", "lygtfikzieri.live", "h8laq4jtyfqp.live", "u6ye5aivfq8b.live", "nwd3emyfsyin.live", "z3atxb3cfji3.live", "w00hvclrjhb1.live", "6mca3un8fmrd.live", "xv8ev6g1h4g3.live", "k1q1fkrd37n3.live", "btf4j310getp.live", "4p06saxn3ubp.live", "5aphqp78vw8h.live", "3r045r8mjwfp.live", "kwekpaz4eobt.live", "0eiko3lmbxbj.live", "8vxea0tldluf.live", "y2ec6qvepl7y.live", "5xlu80qs1ox1.live", "n3om81law5m7.live", "ei2svhuxkfnm.live", "kdye9rtnqezb.live", "boxoxs9gx6f5.live", "ktzb5e49zz1m.live", "ymz7vmrsh6eu.live", "x7dnaw133jnh.live", "hupacwlnz805.live", "1tlgdsxl0pqt.live", "3z5rr2y27c6j.live", "ufiiux335dpw.live", "vu32g1q7jvl3.live", "fkvo7y76r6cl.live", "aa8btew33mma.live", "yfpmjc270ree.live", "jrn2pbs4zh17.live", "7hxcfu85ux0c.live", "xkctmynb51ur.live", "16fpr15y5e2s.live", "lxck7t4mnvah.live", "2thp12dgf6rb.live", "vzq8xfz91x5d.live", "a0xjyxk6h5m7.live", "l8is8ftcfws6.live", "qtwfxhporina.live", "6lgie8q5pjdc.live", "12hpr97amca3.live", "ya8ym63w9m91.live", "kiph911rpr6p.live", "vmduug7itjpc.live", "q7bu8jglm22a.live", "9rfwwr2pkx4u.live", "0xejepvnnpze.live", "fd7cxsr946wv.live", "nsqum7l04ak6.live", "28hnsvxigwgm.live", "rlezxvz505nn.live", "r8o1vudqot70.live", "5ax9d1kvmld4.live", "fum22rxxfolh.live", "w525f7mmd4ms.live", "19pubdw7x197.live", "23k1m1uhe7kg.live", "w3d73cw4ayun.live", "e8y8k4xhyx42.live", "lsogs7k1lsrr.live", "vxcd26ui2k5o.live", "vlqwx3ydmtxh.live", "0vyvyfx6ymxv.live", "mrwrxcp86n8e.live", "dxwhiektvxsc.live", "zaig1x6gox2m.live", "l1whn6jhl8xi.live", "hwptyw6xppuu.live", "tkhk0evpw5wi.live", "tdcehfsov6o8.live", "0gylcs3gwdpp.live", "f7lj3cp91c5o.live", "op49rm7r54r1.live", "g8zydz0jz6bv.live", "m588j6oqsmyc.live", "jgckcltjx3q4.live", "gdo249s9ctn2.live", "1l7skmurzjhn.live", "08yr9hhkf9zh.live", "82oolxmgd19l.live", "3ipyuro17prh.live", "e7c1o9hymmkq.live", "i7teaxg9fq17.live", "vwz9poay9t88.live", "kaky1v99z650.live", "z7w1125qgaak.live", "ff7fsl0xpmig.live", "wwp2hnto3y50.live", "xj0airqray7d.live", "x39w37ihaw67.live", "a88mnb53f6ao.live", "agvzlu1xi8aq.live", "rigwjjv5e0te.live", "8f503mspar1t.live", "u86t183m8fjl.live", "n8r9e6f4eybg.live", "twh0pzti1jmc.live", "gxr3yjh3ez0o.live", "13gdw8hd0f5g.live", "u07wbc76jc3l.live", "hadsf1l0oorw.live", "vdx5gmp7hohn.live", "aho8skpvfpxw.live", "bd5sokdfx4rb.live", "di7gouks27ly.live", "9yvk5z9213sf.live", "k2xk3c8ka53h.live", "164kx6yftp7e.live", "p5dpz5k9s4hh.live", "2xokn358s23t.live", "9drofm4qhicr.live", "velmddsj68vd.live", "adu5tcdt1mw8.live", "s1hfevtelz76.live", "y1y2su385jdx.live", "yj4obmh1laef.live", "0i5mk5xlq0p0.live", "sbxmkuudcb2j.live", "bto73r7u8xfq.live", "57qrnj91bqd6.live", "ppakbng3anmz.live", "ydp5gh48yi5c.live", "lnksjujtesl1.live", "toooegs0ua4k.live", "uzpp0a72mgf8.live", "w0qtz6j8u8h0.live", "mmerhgt2a428.live", "k596zkzwcv8x.live", "j7hox858m1yw.live", "vt762jefdhwk.live", "kqofayjh1zst.live", "271bk6bm6ek7.live", "464ulfkbkxi6.live", "fpqzlfi32bhw.live", "x1glqki124qz.live", "4vh1mae0a37r.live", "28gh31g08o7w.live", "bsm3ushv2khf.live", "hxzt6iva3ycu.live", "k6ncoqtenmyi.live", "x7lbv7k4xmot.live", "i3ddusdlpj8z.live", "3yywf2zmb2m5.live", "xx6itd99vg7m.live", "dd9bojxysyeb.live", "u1uaoomqywpz.live", "r4feghmjdqmx.live", "bhkgnyvwctkm.live", "byx6cdkrouzc.live", "65ymc9fdwffj.live", "orp3efts3f5z.live", "2eiuyz0zf5qc.live", "p3840f9xv0n9.live", "8oz8f5ir0n5l.live", "i762u8xbamii.live", "j7hkay3ccvu5.live", "n4jcm1f5n25c.live", "exe12ldlj0nb.live", "z70o1vrhp5kt.live", "4tapo4p2dzqj.live", "9nsdtl72ktuk.live", "ipmh0eee13h2.live", "dg6aspb5wt99.live", "b5n5p7r75ln3.live", "va5rnvsffage.live", "z2ki56hqcxzx.live", "nketun9udno5.live", "v9hu15wlr3a3.live"], "DGA Seed": 18312320459530330518, "Domain Length": 300, "Domain Count": 12}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_BumbleBee	Yara detected BumbleBee	Joe Security
00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Bumblebee_35f50bea	unknown	unknown	0x2daa1:$a2: 31 DA 48 31 C7 45 D8 C9 B9 E8 03 C7 45 DC 00 00 BA 01 C7 45 E0 00 00 00 48 C7 45 E4 B8 88 77 66 C7 45 E8 55 44 33 22 C7 45 EC 11 FF D0 EB C6 45

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.22e65fc0000.2.raw.unpack	JoeSecurity_BumbleBee	Yara detected BumbleBee	Joe Security
3.2.rundll32.exe.22e65fc0000.2.raw.unpack	Windows_Trojan_Bumblebee_35f50bea	unknown	unknown	0x2daa1:$a2: 31 DA 48 31 C7 45 D8 C9 B9 E8 03 C7 45 DC 00 00 BA 01 C7 45 E0 00 00 00 48 C7 45 E4 B8 88 77 66 C7 45 E8 55 44 33 22 C7 45 EC 11 FF D0 EB C6 45
3.2.rundll32.exe.22e65fc0000.2.unpack	JoeSecurity_BumbleBee	Yara detected BumbleBee	Joe Security
3.2.rundll32.exe.22e65fc0000.2.unpack	Windows_Trojan_Bumblebee_35f50bea	unknown	unknown	0x2cea1:$a2: 31 DA 48 31 C7 45 D8 C9 B9 E8 03 C7 45 DC 00 00 BA 01 C7 45 E0 00 00 00 48 C7 45 E4 B8 88 77 66 C7 45 E8 55 44 33 22 C7 45 EC 11 FF D0 EB C6 45

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack

Malware Configuration Extractor: BumbleBee {"C2 url": ["ejz7h2nwpe9p.live", "tok60x6gccij.live", "aummhmvbuvf7.live", "x5a5l51t3vh5.live", "y82gwd3wieon.live", "b8y5k2ri9mez.live", "cc3bxmp3p9ww.live", "zv119x3fg98y.live", "vrsi1nlyz8hp.live", "u8fbv3mj3v2o.live", "iri6971t7ge3.live", "9nrkgb5ymmhx.live", "72sisvsb57q6.live", "nlkef4koisho.live", "n1gd464fiz18.live", "qmgxpjkisusl.live", "vmh0ep7s9854.live", "vo3yj33yyalx.live", "541xdsl3qrmo.live", "h64g4n2r4pio.live", "bdleys30kkz3.live", "2e0ygf9sxa6j.live", "hlhhny6jyz0h.live", "w2pjbfv1lp0s.live", "ituux0ny27ur.live", "it44epclfvn0.live", "w84emvz3j8hk.live", "t6fln95iafzj.live", "jbo4jhymyavk.live", "y0rqp62hxwp0.live", "rzctrohkd26r.live", "q8txsh5ger29.live", "nmmbz5mvu9b6.live", "forned95q3gl.live", "nvzd7pgfgpxt.live", "y3md2wem8eab.live", "sztn5z9mczvv.live", "hfswfaj1th9o.live", "iaqxv2w3o0xc.live", "ugo1867z96wg.live", "sdj52uv9ye3b.live", "wrkxzshr4idg.live", "4xtvsj1w0qwx.live", "gn5827958xrg.live", "x1jlunfqrqtv.live", "hquppb63rgrg.live", "o91173l27glq.live", "3ysjrezb3os9.live", "5nhc44cf83r7.live", "utltlu232nmc.live", "px5wxjvm0958.live", "sip8h0d4tgrf.live", "3ofolpuywddt.live", "ig42hrwh0svv.live", "r4og0ibkr2i1.live", "s542jqly9hk1.live", "6yb78j9xx6kg.live", "67foms8ek35i.live", "a1xbi34msajq.live", "oltfqksrbe1h.live", "olka4w167pg5.live", "cq72kwl2pw8w.live", "em3wdkia152l.live", "4cxyghx0ba1x.live", "99onc4240lhw.live", "are8uz74o21e.live", "7u78fpro0nvy.live", "mak2p2u1p6oc.live", "3l6704byr3c4.live", "ijxbxsajcb1p.live", "qnlqvmlc95m4.live", "dkm740j7a284.live", "j40qreidx6y3.live", "we0f3yexor36.live", "dd5bzcuuvist.live", "eldzk3tkcta3.live", "a6rtdeit0sty.live", "hu3dj149h820.live", "77mk5fucuhe8.live", "437jwomut9vr.live", "eqg3217g92zf.live", "i22gcdhfevxk.live", "xxdueooznk6v.live", "tzcodnn2epik.live", "ejr4r59avayq.live", "0ws4d9s611dt.live", "frsgmv876w5a.live", "ntrzvqm429kj.live", "3l9jbihmbpmk.live", "cbugpmw95dcb.live", "miq50i5wpk85.live", "h8pwl3uhwlfn.live", "qj3zj9oywxx7.live", "zd6j8je6phb4.live", "t6ocigyxberq.live", "pdim2swkrf2v.live", "mppytmrfpgug.live", "i5ke68h24a00.live", "qxul3spnx991.live", "vzrt76g9gk0g.live", "yc6716yc7nf7.live", "87bnnasq71mu.live", "obmwpmuwhfu7.live", "0aw4a73tdsz1.live", "n6nzy4xlso4s.live", "syhmn2nbxrtr.live", "exiarctkfedq.live", "j5p6emlxlecl.live", "egdk83k09qmr.live", "0fhr0297aorb.live", "6z4lwstr3zxx.live", "lh37yjie545p.live", "lfi8tslls020.live", "ppgwgn0qtww4.live", "0k6o18rmf93s.live", "sucnfknz0x3m.live", "r33j2bx1ieh9.live", "rti8b3e5byh3.live", "uj8gs5xxvv4g.live", "y7bc5b0ezh5m.live", "vh378qqwk9vc.live", "uamdjqdesjmn.live", "rfzo8fwm7pdw.live", "9gle7ejwpees.live", "26wem2p2aunb.live", "2ujyrqt4xzmp.live", "kg6w8hdimtgi.live", "dggn2tge08jf.live", "lygtfikzieri.live", "h8laq4jtyfqp.live", "u6ye5aivfq8b.live", "nwd3emyfsyin.live", "z3atxb3cfji3.live", "w00hvclrjhb1.live", "6mca3un8fmrd.live", "xv8ev6g1h4g3.live", "k1q1fkrd37n3.live", "btf4j310getp.live", "4p06saxn3ubp.live", "5aphqp78vw8h.live", "3r045r8mjwfp.live", "kwekpaz4eobt.liv

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll

ReversingLabs: Detection: 13%

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD475EBC-D960-4AF4-BB8A-BE91FA942756}

Jump to behavior

Source:

Binary string: C:\adm\jenkins\workspace\New_RDC_Sol_Plutus_Win_Build_git\2.0\dev\target\win\Release\Adobe Download Manager.pdb source: Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.155.37.158 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.83.20.213 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 46.249.38.179 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 149.154.153.2 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 188.166.15.250 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ejz7h2nwpe9p.live
Source: Malware configuration extractor	URLs: tok60x6gccij.live
Source: Malware configuration extractor	URLs: aummhmvbuvf7.live
Source: Malware configuration extractor	URLs: x5a5l51t3vh5.live
Source: Malware configuration extractor	URLs: y82gwd3wieon.live
Source: Malware configuration extractor	URLs: b8y5k2ri9mez.live
Source: Malware configuration extractor	URLs: cc3bxmp3p9ww.live
Source: Malware configuration extractor	URLs: zv119x3fg98y.live
Source: Malware configuration extractor	URLs: vrsi1nlyz8hp.live
Source: Malware configuration extractor	URLs: u8fbv3mj3v2o.live
Source: Malware configuration extractor	URLs: iri6971t7ge3.live
Source: Malware configuration extractor	URLs: 9nrkgb5ymmhx.live
Source: Malware configuration extractor	URLs: 72sisvsb57q6.live
Source: Malware configuration extractor	URLs: nlkef4koisho.live
Source: Malware configuration extractor	URLs: n1gd464fiz18.live
Source: Malware configuration extractor	URLs: qmgxpjkisusl.live
Source: Malware configuration extractor	URLs: vmh0ep7s9854.live
Source: Malware configuration extractor	URLs: vo3yj33yyalx.live
Source: Malware configuration extractor	URLs: 541xdsl3qrmo.live
Source: Malware configuration extractor	URLs: h64g4n2r4pio.live
Source: Malware configuration extractor	URLs: bdleys30kkz3.live
Source: Malware configuration extractor	URLs: 2e0ygf9sxa6j.live
Source: Malware configuration extractor	URLs: hlhhny6jyz0h.live
Source: Malware configuration extractor	URLs: w2pjbfv1lp0s.live
Source: Malware configuration extractor	URLs: ituux0ny27ur.live
Source: Malware configuration extractor	URLs: it44epclfvn0.live
Source: Malware configuration extractor	URLs: w84emvz3j8hk.live
Source: Malware configuration extractor	URLs: t6fln95iafzj.live
Source: Malware configuration extractor	URLs: jbo4jhymyavk.live
Source: Malware configuration extractor	URLs: y0rqp62hxwp0.live
Source: Malware configuration extractor	URLs: rzctrohkd26r.live
Source: Malware configuration extractor	URLs: q8txsh5ger29.live
Source: Malware configuration extractor	URLs: nmmbz5mvu9b6.live
Source: Malware configuration extractor	URLs: forned95q3gl.live
Source: Malware configuration extractor	URLs: nvzd7pgfgpxt.live
Source: Malware configuration extractor	URLs: y3md2wem8eab.live
Source: Malware configuration extractor	URLs: sztn5z9mczvv.live
Source: Malware configuration extractor	URLs: hfswfaj1th9o.live
Source: Malware configuration extractor	URLs: iaqxv2w3o0xc.live
Source: Malware configuration extractor	URLs: ugo1867z96wg.live
Source: Malware configuration extractor	URLs: sdj52uv9ye3b.live
Source: Malware configuration extractor	URLs: wrkxzshr4idg.live
Source: Malware configuration extractor	URLs: 4xtvsj1w0qwx.live
Source: Malware configuration extractor	URLs: gn5827958xrg.live
Source: Malware configuration extractor	URLs: x1jlunfqrqtv.live
Source: Malware configuration extractor	URLs: hquppb63rgrg.live
Source: Malware configuration extractor	URLs: o91173l27glq.live
Source: Malware configuration extractor	URLs: 3ysjrezb3os9.live
Source: Malware configuration extractor	URLs: 5nhc44cf83r7.live
Source: Malware configuration extractor	URLs: utltlu232nmc.live
Source: Malware configuration extractor	URLs: px5wxjvm0958.live
Source: Malware configuration extractor	URLs: sip8h0d4tgrf.live
Source: Malware configuration extractor	URLs: 3ofolpuywddt.live
Source: Malware configuration extractor	URLs: ig42hrwh0svv.live
Source: Malware configuration extractor	URLs: r4og0ibkr2i1.live
Source: Malware configuration extractor	URLs: s542jqly9hk1.live
Source: Malware configuration extractor	URLs: 6yb78j9xx6kg.live
Source: Malware configuration extractor	URLs: 67foms8ek35i.live
Source: Malware configuration extractor	URLs: a1xbi34msajq.live
Source: Malware configuration extractor	URLs: oltfqksrbe1h.live
Source: Malware configuration extractor	URLs: olka4w167pg5.live
Source: Malware configuration extractor	URLs: cq72kwl2pw8w.live
Source: Malware configuration extractor	URLs: em3wdkia152l.live
Source: Malware configuration extractor	URLs: 4cxyghx0ba1x.live
Source: Malware configuration extractor	URLs: 99onc4240lhw.live
Source: Malware configuration extractor	URLs: are8uz74o21e.live
Source: Malware configuration extractor	URLs: 7u78fpro0nvy.live
Source: Malware configuration extractor	URLs: mak2p2u1p6oc.live
Source: Malware configuration extractor	URLs: 3l6704byr3c4.live
Source: Malware configuration extractor	URLs: ijxbxsajcb1p.live
Source: Malware configuration extractor	URLs: qnlqvmlc95m4.live
Source: Malware configuration extractor	URLs: dkm740j7a284.live
Source: Malware configuration extractor	URLs: j40qreidx6y3.live
Source: Malware configuration extractor	URLs: we0f3yexor36.live
Source: Malware configuration extractor	URLs: dd5bzcuuvist.live
Source: Malware configuration extractor	URLs: eldzk3tkcta3.live
Source: Malware configuration extractor	URLs: a6rtdeit0sty.live
Source: Malware configuration extractor	URLs: hu3dj149h820.live
Source: Malware configuration extractor	URLs: 77mk5fucuhe8.live
Source: Malware configuration extractor	URLs: 437jwomut9vr.live
Source: Malware configuration extractor	URLs: eqg3217g92zf.live
Source: Malware configuration extractor	URLs: i22gcdhfevxk.live
Source: Malware configuration extractor	URLs: xxdueooznk6v.live
Source: Malware configuration extractor	URLs: tzcodnn2epik.live
Source: Malware configuration extractor	URLs: ejr4r59avayq.live
Source: Malware configuration extractor	URLs: 0ws4d9s611dt.live
Source: Malware configuration extractor	URLs: frsgmv876w5a.live
Source: Malware configuration extractor	URLs: ntrzvqm429kj.live
Source: Malware configuration extractor	URLs: 3l9jbihmbpmk.live
Source: Malware configuration extractor	URLs: cbugpmw95dcb.live
Source: Malware configuration extractor	URLs: miq50i5wpk85.live
Source: Malware configuration extractor	URLs: h8pwl3uhwlfn.live
Source: Malware configuration extractor	URLs: qj3zj9oywxx7.live
Source: Malware configuration extractor	URLs: zd6j8je6phb4.live
Source: Malware configuration extractor	URLs: t6ocigyxberq.live
Source: Malware configuration extractor	URLs: pdim2swkrf2v.live
Source: Malware configuration extractor	URLs: mppytmrfpgug.live
Source: Malware configuration extractor	URLs: i5ke68h24a00.live
Source: Malware configuration extractor	URLs: qxul3spnx991.live
Source: Malware configuration extractor	URLs: vzrt76g9gk0g.live
Source: Malware configuration extractor	URLs: yc6716yc7nf7.live
Source: Malware configuration extractor	URLs: 87bnnasq71mu.live
Source: Malware configuration extractor	URLs: obmwpmuwhfu7.live
Source: Malware configuration extractor	URLs: 0aw4a73tdsz1.live
Source: Malware configuration extractor	URLs: n6nzy4xlso4s.live
Source: Malware configuration extractor	URLs: syhmn2nbxrtr.live
Source: Malware configuration extractor	URLs: exiarctkfedq.live
Source: Malware configuration extractor	URLs: j5p6emlxlecl.live
Source: Malware configuration extractor	URLs: egdk83k09qmr.live
Source: Malware configuration extractor	URLs: 0fhr0297aorb.live
Source: Malware configuration extractor	URLs: 6z4lwstr3zxx.live
Source: Malware configuration extractor	URLs: lh37yjie545p.live
Source: Malware configuration extractor	URLs: lfi8tslls020.live
Source: Malware configuration extractor	URLs: ppgwgn0qtww4.live
Source: Malware configuration extractor	URLs: 0k6o18rmf93s.live
Source: Malware configuration extractor	URLs: sucnfknz0x3m.live
Source: Malware configuration extractor	URLs: r33j2bx1ieh9.live
Source: Malware configuration extractor	URLs: rti8b3e5byh3.live
Source: Malware configuration extractor	URLs: uj8gs5xxvv4g.live
Source: Malware configuration extractor	URLs: y7bc5b0ezh5m.live
Source: Malware configuration extractor	URLs: vh378qqwk9vc.live
Source: Malware configuration extractor	URLs: uamdjqdesjmn.live
Source: Malware configuration extractor	URLs: rfzo8fwm7pdw.live
Source: Malware configuration extractor	URLs: 9gle7ejwpees.live
Source: Malware configuration extractor	URLs: 26wem2p2aunb.live
Source: Malware configuration extractor	URLs: 2ujyrqt4xzmp.live
Source: Malware configuration extractor	URLs: kg6w8hdimtgi.live
Source: Malware configuration extractor	URLs: dggn2tge08jf.live
Source: Malware configuration extractor	URLs: lygtfikzieri.live
Source: Malware configuration extractor	URLs: h8laq4jtyfqp.live
Source: Malware configuration extractor	URLs: u6ye5aivfq8b.live
Source: Malware configuration extractor	URLs: nwd3emyfsyin.live
Source: Malware configuration extractor	URLs: z3atxb3cfji3.live
Source: Malware configuration extractor	URLs: w00hvclrjhb1.live
Source: Malware configuration extractor	URLs: 6mca3un8fmrd.live
Source: Malware configuration extractor	URLs: xv8ev6g1h4g3.live
Source: Malware configuration extractor	URLs: k1q1fkrd37n3.live
Source: Malware configuration extractor	URLs: btf4j310getp.live
Source: Malware configuration extractor	URLs: 4p06saxn3ubp.live
Source: Malware configuration extractor	URLs: 5aphqp78vw8h.live
Source: Malware configuration extractor	URLs: 3r045r8mjwfp.live
Source: Malware configuration extractor	URLs: kwekpaz4eobt.live
Source: Malware configuration extractor	URLs: 0eiko3lmbxbj.live
Source: Malware configuration extractor	URLs: 8vxea0tldluf.live
Source: Malware configuration extractor	URLs: y2ec6qvepl7y.live
Source: Malware configuration extractor	URLs: 5xlu80qs1ox1.live
Source: Malware configuration extractor	URLs: n3om81law5m7.live
Source: Malware configuration extractor	URLs: ei2svhuxkfnm.live
Source: Malware configuration extractor	URLs: kdye9rtnqezb.live
Source: Malware configuration extractor	URLs: boxoxs9gx6f5.live
Source: Malware configuration extractor	URLs: ktzb5e49zz1m.live
Source: Malware configuration extractor	URLs: ymz7vmrsh6eu.live
Source: Malware configuration extractor	URLs: x7dnaw133jnh.live
Source: Malware configuration extractor	URLs: hupacwlnz805.live
Source: Malware configuration extractor	URLs: 1tlgdsxl0pqt.live
Source: Malware configuration extractor	URLs: 3z5rr2y27c6j.live
Source: Malware configuration extractor	URLs: ufiiux335dpw.live
Source: Malware configuration extractor	URLs: vu32g1q7jvl3.live
Source: Malware configuration extractor	URLs: fkvo7y76r6cl.live
Source: Malware configuration extractor	URLs: aa8btew33mma.live
Source: Malware configuration extractor	URLs: yfpmjc270ree.live
Source: Malware configuration extractor	URLs: jrn2pbs4zh17.live
Source: Malware configuration extractor	URLs: 7hxcfu85ux0c.live
Source: Malware configuration extractor	URLs: xkctmynb51ur.live
Source: Malware configuration extractor	URLs: 16fpr15y5e2s.live
Source: Malware configuration extractor	URLs: lxck7t4mnvah.live
Source: Malware configuration extractor	URLs: 2thp12dgf6rb.live
Source: Malware configuration extractor	URLs: vzq8xfz91x5d.live
Source: Malware configuration extractor	URLs: a0xjyxk6h5m7.live
Source: Malware configuration extractor	URLs: l8is8ftcfws6.live
Source: Malware configuration extractor	URLs: qtwfxhporina.live
Source: Malware configuration extractor	URLs: 6lgie8q5pjdc.live
Source: Malware configuration extractor	URLs: 12hpr97amca3.live
Source: Malware configuration extractor	URLs: ya8ym63w9m91.live
Source: Malware configuration extractor	URLs: kiph911rpr6p.live
Source: Malware configuration extractor	URLs: vmduug7itjpc.live
Source: Malware configuration extractor	URLs: q7bu8jglm22a.live
Source: Malware configuration extractor	URLs: 9rfwwr2pkx4u.live
Source: Malware configuration extractor	URLs: 0xejepvnnpze.live
Source: Malware configuration extractor	URLs: fd7cxsr946wv.live
Source: Malware configuration extractor	URLs: nsqum7l04ak6.live
Source: Malware configuration extractor	URLs: 28hnsvxigwgm.live
Source: Malware configuration extractor	URLs: rlezxvz505nn.live
Source: Malware configuration extractor	URLs: r8o1vudqot70.live
Source: Malware configuration extractor	URLs: 5ax9d1kvmld4.live
Source: Malware configuration extractor	URLs: fum22rxxfolh.live
Source: Malware configuration extractor	URLs: w525f7mmd4ms.live
Source: Malware configuration extractor	URLs: 19pubdw7x197.live
Source: Malware configuration extractor	URLs: 23k1m1uhe7kg.live
Source: Malware configuration extractor	URLs: w3d73cw4ayun.live
Source: Malware configuration extractor	URLs: e8y8k4xhyx42.live
Source: Malware configuration extractor	URLs: lsogs7k1lsrr.live
Source: Malware configuration extractor	URLs: vxcd26ui2k5o.live
Source: Malware configuration extractor	URLs: vlqwx3ydmtxh.live
Source: Malware configuration extractor	URLs: 0vyvyfx6ymxv.live
Source: Malware configuration extractor	URLs: mrwrxcp86n8e.live
Source: Malware configuration extractor	URLs: dxwhiektvxsc.live
Source: Malware configuration extractor	URLs: zaig1x6gox2m.live
Source: Malware configuration extractor	URLs: l1whn6jhl8xi.live
Source: Malware configuration extractor	URLs: hwptyw6xppuu.live
Source: Malware configuration extractor	URLs: tkhk0evpw5wi.live
Source: Malware configuration extractor	URLs: tdcehfsov6o8.live
Source: Malware configuration extractor	URLs: 0gylcs3gwdpp.live
Source: Malware configuration extractor	URLs: f7lj3cp91c5o.live
Source: Malware configuration extractor	URLs: op49rm7r54r1.live
Source: Malware configuration extractor	URLs: g8zydz0jz6bv.live
Source: Malware configuration extractor	URLs: m588j6oqsmyc.live
Source: Malware configuration extractor	URLs: jgckcltjx3q4.live
Source: Malware configuration extractor	URLs: gdo249s9ctn2.live
Source: Malware configuration extractor	URLs: 1l7skmurzjhn.live
Source: Malware configuration extractor	URLs: 08yr9hhkf9zh.live
Source: Malware configuration extractor	URLs: 82oolxmgd19l.live
Source: Malware configuration extractor	URLs: 3ipyuro17prh.live
Source: Malware configuration extractor	URLs: e7c1o9hymmkq.live
Source: Malware configuration extractor	URLs: i7teaxg9fq17.live
Source: Malware configuration extractor	URLs: vwz9poay9t88.live
Source: Malware configuration extractor	URLs: kaky1v99z650.live
Source: Malware configuration extractor	URLs: z7w1125qgaak.live
Source: Malware configuration extractor	URLs: ff7fsl0xpmig.live
Source: Malware configuration extractor	URLs: wwp2hnto3y50.live
Source: Malware configuration extractor	URLs: xj0airqray7d.live
Source: Malware configuration extractor	URLs: x39w37ihaw67.live
Source: Malware configuration extractor	URLs: a88mnb53f6ao.live
Source: Malware configuration extractor	URLs: agvzlu1xi8aq.live
Source: Malware configuration extractor	URLs: rigwjjv5e0te.live
Source: Malware configuration extractor	URLs: 8f503mspar1t.live
Source: Malware configuration extractor	URLs: u86t183m8fjl.live
Source: Malware configuration extractor	URLs: n8r9e6f4eybg.live
Source: Malware configuration extractor	URLs: twh0pzti1jmc.live
Source: Malware configuration extractor	URLs: gxr3yjh3ez0o.live
Source: Malware configuration extractor	URLs: 13gdw8hd0f5g.live
Source: Malware configuration extractor	URLs: u07wbc76jc3l.live
Source: Malware configuration extractor	URLs: hadsf1l0oorw.live
Source: Malware configuration extractor	URLs: vdx5gmp7hohn.live
Source: Malware configuration extractor	URLs: aho8skpvfpxw.live
Source: Malware configuration extractor	URLs: bd5sokdfx4rb.live
Source: Malware configuration extractor	URLs: di7gouks27ly.live
Source: Malware configuration extractor	URLs: 9yvk5z9213sf.live
Source: Malware configuration extractor	URLs: k2xk3c8ka53h.live
Source: Malware configuration extractor	URLs: 164kx6yftp7e.live
Source: Malware configuration extractor	URLs: p5dpz5k9s4hh.live
Source: Malware configuration extractor	URLs: 2xokn358s23t.live
Source: Malware configuration extractor	URLs: 9drofm4qhicr.live
Source: Malware configuration extractor	URLs: velmddsj68vd.live
Source: Malware configuration extractor	URLs: adu5tcdt1mw8.live
Source: Malware configuration extractor	URLs: s1hfevtelz76.live
Source: Malware configuration extractor	URLs: y1y2su385jdx.live
Source: Malware configuration extractor	URLs: yj4obmh1laef.live
Source: Malware configuration extractor	URLs: 0i5mk5xlq0p0.live
Source: Malware configuration extractor	URLs: sbxmkuudcb2j.live
Source: Malware configuration extractor	URLs: bto73r7u8xfq.live
Source: Malware configuration extractor	URLs: 57qrnj91bqd6.live
Source: Malware configuration extractor	URLs: ppakbng3anmz.live
Source: Malware configuration extractor	URLs: ydp5gh48yi5c.live
Source: Malware configuration extractor	URLs: lnksjujtesl1.live
Source: Malware configuration extractor	URLs: toooegs0ua4k.live
Source: Malware configuration extractor	URLs: uzpp0a72mgf8.live
Source: Malware configuration extractor	URLs: w0qtz6j8u8h0.live
Source: Malware configuration extractor	URLs: mmerhgt2a428.live
Source: Malware configuration extractor	URLs: k596zkzwcv8x.live
Source: Malware configuration extractor	URLs: j7hox858m1yw.live
Source: Malware configuration extractor	URLs: vt762jefdhwk.live
Source: Malware configuration extractor	URLs: kqofayjh1zst.live
Source: Malware configuration extractor	URLs: 271bk6bm6ek7.live
Source: Malware configuration extractor	URLs: 464ulfkbkxi6.live
Source: Malware configuration extractor	URLs: fpqzlfi32bhw.live
Source: Malware configuration extractor	URLs: x1glqki124qz.live
Source: Malware configuration extractor	URLs: 4vh1mae0a37r.live
Source: Malware configuration extractor	URLs: 28gh31g08o7w.live
Source: Malware configuration extractor	URLs: bsm3ushv2khf.live
Source: Malware configuration extractor	URLs: hxzt6iva3ycu.live
Source: Malware configuration extractor	URLs: k6ncoqtenmyi.live
Source: Malware configuration extractor	URLs: x7lbv7k4xmot.live
Source: Malware configuration extractor	URLs: i3ddusdlpj8z.live
Source: Malware configuration extractor	URLs: 3yywf2zmb2m5.live
Source: Malware configuration extractor	URLs: xx6itd99vg7m.live
Source: Malware configuration extractor	URLs: dd9bojxysyeb.live
Source: Malware configuration extractor	URLs: u1uaoomqywpz.live
Source: Malware configuration extractor	URLs: r4feghmjdqmx.live
Source: Malware configuration extractor	URLs: bhkgnyvwctkm.live
Source: Malware configuration extractor	URLs: byx6cdkrouzc.live
Source: Malware configuration extractor	URLs: 65ymc9fdwffj.live
Source: Malware configuration extractor	URLs: orp3efts3f5z.live
Source: Malware configuration extractor	URLs: 2eiuyz0zf5qc.live
Source: Malware configuration extractor	URLs: p3840f9xv0n9.live
Source: Malware configuration extractor	URLs: 8oz8f5ir0n5l.live
Source: Malware configuration extractor	URLs: i762u8xbamii.live
Source: Malware configuration extractor	URLs: j7hkay3ccvu5.live
Source: Malware configuration extractor	URLs: n4jcm1f5n25c.live
Source: Malware configuration extractor	URLs: exe12ldlj0nb.live
Source: Malware configuration extractor	URLs: z70o1vrhp5kt.live
Source: Malware configuration extractor	URLs: 4tapo4p2dzqj.live
Source: Malware configuration extractor	URLs: 9nsdtl72ktuk.live
Source: Malware configuration extractor	URLs: ipmh0eee13h2.live
Source: Malware configuration extractor	URLs: dg6aspb5wt99.live
Source: Malware configuration extractor	URLs: b5n5p7r75ln3.live
Source: Malware configuration extractor	URLs: va5rnvsffage.live
Source: Malware configuration extractor	URLs: z2ki56hqcxzx.live
Source: Malware configuration extractor	URLs: nketun9udno5.live
Source: Malware configuration extractor	URLs: v9hu15wlr3a3.live

Contains functionality to determine the online IP of the system

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FCFC4C InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,std::_Deallocate, https://api.ipify.org/

3_2_0000022E65FCFC4C

Source: Joe Sandbox View

IP Address: 188.166.15.250 188.166.15.250

Source: Joe Sandbox View	ASN Name: EDIS-AS-EUAT EDIS-AS-EUAT
Source: Joe Sandbox View	ASN Name: SHOCK-1US SHOCK-1US
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E660F4FB0 select,__WSAFDIsSet,__WSAFDIsSet,recv,WSAGetLastError,Sleep,WSAGetLastError,getsockopt,getsockopt,std::_Deallocate,std::_Deallocate,WSAGetLastError,WSAGetLastError,

3_2_0000022E660F4FB0

Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://myexternalip.com/raw
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Reader_Install_Setup.exe, 00000002.00000002.4178286591.0000000007642000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: http://typekit.com/eulas/0000000000000000000176ff
Source: Reader_Install_Setup.exe, 00000002.00000002.4184616950.0000000009702000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: http://typekit.com/eulas/000000000000000000017701
Source: Reader_Install_Setup.exe, 00000002.00000002.4184616950.0000000009702000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: http://typekit.com/eulas/000000000000000000017702
Source: Reader_Install_Setup.exe, 00000002.00000002.4178286591.0000000007642000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: http://typekit.com/eulas/000000000000000000017703
Source: Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178286591.00000000076AA000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4173381032.000000000356B000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: http://typekit.com/eulas/000000000000000000017704
Source: Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178286591.00000000076AA000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4173381032.000000000356B000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: http://typekit.com/eulas/000000000000000000017706
Source: Reader_Install_Setup.exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/http://myexternalip.com/rawIP
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000003.1761747071.00000000094A0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1756406466.0000000007729000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4182341319.0000000009260000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1760605699.00000000077A0000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1756350671.0000000009698000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1750169262.0000000003570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://getbootstrap.com/)
Source: Reader_Install_Setup.exe	String found in binary or memory: https://github.com/Fin
Source: Reader_Install_Setup.exe, 00000002.00000002.4177803623.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1750611438.0000000003560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Financial-Times/polyfill-service/issues/317
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000003.1761747071.00000000094A0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4182341319.0000000009260000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1756350671.0000000009698000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1750169262.0000000003570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/twbs/bootstrap/blob/main/LICENSE)
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4178233121.00000000075B0000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1748114672.00000000075B5000.00000004.00000020.00020000.00000000.sdmp, 231[1].2.dr	String found in binary or memory: https://mths.be/array-from
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4178233121.00000000075B0000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1748114672.00000000075B5000.00000004.00000020.00020000.00000000.sdmp, 231[1].2.dr	String found in binary or memory: https://mths.be/array-of
Source: Reader_Install_Setup.exe, 00000002.00000002.4178433184.000000000771A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://p.typekit.net/
Source: Reader_Install_Setup.exe, 00000002.00000002.4177118828.000000000741D000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://p.typekit.net/p.gif
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178433184.0000000007749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://p.typekit.net/p.gif?s=1&k=bxf0ivf&ht=tk&h=C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5CPa
Source: Reader_Install_Setup.exe, 00000002.00000002.4178433184.000000000771A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdc.adobe.io/SZ%
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176878067.0000000004990000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdc.adobe.io/adm/actionList
Source: Reader_Install_Setup.exe, 00000002.00000002.4178433184.000000000779F000.00000004.00000020.00020000.00000000.sdmp, Adobe_ADM.log.2.dr	String found in binary or memory: https://rdc.adobe.io/adm/actionList?installerName=readerdc64_en_ha_install.exe&defaultInstallerName=
Source: Reader_Install_Setup.exe, 00000002.00000002.4184569460.0000000009630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdc.adobe.io/analytics/events66
Source: Reader_Install_Setup.exe, 00000002.00000002.4184569460.0000000009630000.00000004.00000020.00020000.00000000.sdmp, Adobe_ADM.log.2.dr	String found in binary or memory: https://rdc.adobe.io/analytics/events?UniqueId=CE1680CB-B496-484F-B8BA-A7D159A1C243&abbr=rdr&admErro
Source: Reader_Install_Setup.exe, 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rdc.adobe.io/analytics/eventsanalyticstestWorkflowApplication
Source: Reader_Install_Setup.exe, 00000002.00000002.4184569460.0000000009630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rdc.adobe.io:443/analytics/events?UniqueId=CE1680CB-B496-484F-B8BA-A7D159A1C243&abbr=rdr&adm
Source: Reader_Install_Setup.exe, 00000002.00000003.1761945684.0000000007675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: Reader_Install_Setup.exe, 00000002.00000003.1749394309.00000000089DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=arguments.length
Source: Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4183756273.00000000093F0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/link/react-polyfills
Source: Reader_Install_Setup.exe, 00000002.00000002.4183756273.00000000093F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/link/react-polyfillsThis
Source: Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reactjs.org/link/react-polyfillsn.unstable_shouldYieldn.unstable_forceFrameRate
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/-U
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/40207f/0000000000000000000176ff/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/4b3e87/000000000000000000017706/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/74ffb1/000000000000000000017702/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178433184.0000000007749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/a2527e/000000000000000000017704/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/cb695f/000000000000000000017701/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/a?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/af/eaf09c/000000000000000000017703/27/l?primer=0635fba006f1437d962ae878ad04a
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, 160[1].2.dr	String found in binary or memory: https://use.typekit.net/bxf0ivf.js
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/bxf0ivf.js020
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/bxf0ivf.jsQ
Source: Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/bxf0ivf.jsRc
Source: Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/bxf0ivf.jsn.type
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/uT

E-Banking Fraud

Yara detected BumbleBee

Source: Yara match	File source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.22e65fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Bumblebee_35f50bea Author: unknown
Source: 3.2.rundll32.exe.22e65fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Bumblebee_35f50bea Author: unknown
Source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Bumblebee_35f50bea Author: unknown

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEF23C GetModuleHandleA,GetProcAddress,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,	3_2_0000022E65FEF23C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65CA8C31 NtCreateSection,	3_2_0000022E65CA8C31
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65CA9390 NtOpenFile,	3_2_0000022E65CA9390
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65CA8D40 NtCreateSection,NtMapViewOfSection,	3_2_0000022E65CA8D40

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\411fe0.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2128.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\411fe2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\411fe2.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\411fe2.msi

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00B599E0	2_2_00B599E0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00B43BB0	2_2_00B43BB0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00B5F4C0	2_2_00B5F4C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E660F7450	3_2_0000022E660F7450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E660F60B0	3_2_0000022E660F60B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E660F4FB0	3_2_0000022E660F4FB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FD505C	3_2_0000022E65FD505C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E660F7B20	3_2_0000022E660F7B20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E660F6C60	3_2_0000022E660F6C60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E660F57C0	3_2_0000022E660F57C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66122288	3_2_0000022E66122288
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E661202B0	3_2_0000022E661202B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC61C8	3_2_0000022E65FC61C8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC4160	3_2_0000022E65FC4160
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FF0110	3_2_0000022E65FF0110
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FFD460	3_2_0000022E65FFD460
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC63A4	3_2_0000022E65FC63A4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E6611B21C	3_2_0000022E6611B21C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC4290	3_2_0000022E65FC4290
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E6610E250	3_2_0000022E6610E250
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FF8E20	3_2_0000022E65FF8E20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FF0E00	3_2_0000022E65FF0E00
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66068F00	3_2_0000022E66068F00
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66102040	3_2_0000022E66102040
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC4040	3_2_0000022E65FC4040
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66129CC8	3_2_0000022E66129CC8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E6611ACD4	3_2_0000022E6611ACD4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FCCFA0	3_2_0000022E65FCCFA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FE5F50	3_2_0000022E65FE5F50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FD9F18	3_2_0000022E65FD9F18
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FF4EC0	3_2_0000022E65FF4EC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FCBE7C	3_2_0000022E65FCBE7C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E6611FAE0	3_2_0000022E6611FAE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FFDB40	3_2_0000022E65FFDB40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC3930	3_2_0000022E65FC3930
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E6610E870	3_2_0000022E6610E870
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FF8B70	3_2_0000022E65FF8B70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FC3AC0	3_2_0000022E65FC3AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FFBAAF	3_2_0000022E65FFBAAF
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FE5A90	3_2_0000022E65FE5A90
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FFC6FA	3_2_0000022E65FFC6FA
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66120528	3_2_0000022E66120528
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEB768	3_2_0000022E65FEB768
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FF8720	3_2_0000022E65FF8720
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FFB71F	3_2_0000022E65FFB71F
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FDA6E8	3_2_0000022E65FDA6E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E6610E610	3_2_0000022E6610E610
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFA5B5A53	3_2_00007FFDFA5B5A53
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFA5B5A30	3_2_00007FFDFA5B5A30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFA5B6D10	3_2_00007FFDFA5B6D10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFA5B5760	3_2_00007FFDFA5B5760
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65CA7DA4	3_2_0000022E65CA7DA4

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000022E65FC67EC appears 95 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000022E65FCF290 appears 95 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000022E660CF158 appears 42 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000022E65FD1A6C appears 41 times

Source: Reader_Install_Setup.exe.1.dr

Static PE information: Resource name: PNG type: DOS executable (COM, 0x8C-variant)

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 3.2.rundll32.exe.22e65fc0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Bumblebee_35f50bea reference_sample = 9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6, os = windows, severity = x86, creation_date = 2022-04-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bumblebee, fingerprint = f2e07a9b7d143ca13852f723e7d0bd55365d6f8b5d9315b7e24b7f1101010820, id = 35f50bea-c497-4cc6-b915-8ad3aca7bee6, last_modified = 2022-06-09
Source: 3.2.rundll32.exe.22e65fc0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Bumblebee_35f50bea reference_sample = 9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6, os = windows, severity = x86, creation_date = 2022-04-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bumblebee, fingerprint = f2e07a9b7d143ca13852f723e7d0bd55365d6f8b5d9315b7e24b7f1101010820, id = 35f50bea-c497-4cc6-b915-8ad3aca7bee6, last_modified = 2022-06-09
Source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Bumblebee_35f50bea reference_sample = 9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6, os = windows, severity = x86, creation_date = 2022-04-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Bumblebee, fingerprint = f2e07a9b7d143ca13852f723e7d0bd55365d6f8b5d9315b7e24b7f1101010820, id = 35f50bea-c497-4cc6-b915-8ad3aca7bee6, last_modified = 2022-06-09

Source: Reader_Install_Setup.exe.1.dr

Static PE information: Section: UPX1 ZLIB complexity 0.9888474447202166

Source: classification engine

Classification label: mal100.troj.evad.winMSI@6/73@0/5

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FF4DE0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle,

3_2_0000022E65FF4DE0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FF1450 CoCreateInstance,CoSetProxyBlanket,GetModuleHandleW,GetProcAddress,CoSetProxyBlanket,new,_com_util::ConvertStringToBSTR,_com_issue_error,new,_com_util::ConvertStringToBSTR,_com_issue_error,SysFreeString,SysFreeString,VariantInit,VariantClear,

3_2_0000022E65FF1450

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML2185.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe_ADM.log
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Adobe_GDE.log

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFCDF6CF734A63117B.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer

Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: Acrobat_DC_x64_VIP_v10.12.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: Reader_Install_Setup.exe	String found in binary or memory: {\r\n .yZVqwct25RQtg_rJyphu {\r\n -ms-flex-flow: row nowrap;\r\n flex-flow: row nowrap;\r\n -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n }\r\n .yZVqwct25RQtg_rJyphu .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n fle
Source: Reader_Install_Setup.exe	String found in binary or memory: essage": "Congratulations" }, "ActionList_Verify": { "message": "Verifying install..." }, "ActionList_ErrorUpdateMessage": { "message": "The command line argument -installer is required but not provided." }, "ActionList_AlreadyExist
Source: Reader_Install_Setup.exe	String found in binary or memory: 95GF_bATvy {\r\n z-index: 1;\r\n}\r\n\r\n.zL1_mT_7fs5uZHMuZ2nw {\r\n display: -ms-flexbox;\r\n display: flex;\r\n -ms-flex-wrap: wrap;\r\n flex-wrap: wrap;\r\n -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n}\r\n\r\n.zL1_mT_7fs5uZHMuZ2nw .c1S
Source: Reader_Install_Setup.exe	String found in binary or memory: -start;\r\n }\r\n .g82qRD5i9MRBdeNytiPv .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n flex-direction: row;\r\n }\r\n .g82qRD5i9MRBdeNytiPv .UdZ9h4yDyt7zzl_efcFz .WNvdx4uqUWtr9A7ET3s8 {\r\n position: absolute;\r\n }\r\n .g82qRD5i9MRBde
Source: Reader_Install_Setup.exe	String found in binary or memory: t !important;\r\n justify-content: flex-start !important;\r\n }\r\n .mXqDCUtaC_JMHMad0ZwV {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .qOrqtkCp3ivHw7SVfILq {\r\n -ms-flex-pack: center !important;\r\n
Source: Reader_Install_Setup.exe	String found in binary or memory: lgende program(mer) bruger filer, som skal opdateres af Acrobat-installationen. Disse filer opdateres senere, efter disse programmer er blevet genstartet:" }, "ButtonOK": { "message": "OK" }, "ReaderSAPP_UninstallMessage": { "message": "F
Source: Reader_Install_Setup.exe	String found in binary or memory: y-content: space-around !important;\r\n }\r\n .SkBdZQ4j6W8eEExZe0hD {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .WAJbhUQHN23bq7qy5Sn4 {\r\n -ms-flex-align: end !important;\r\n align-items: flex-end
Source: Reader_Install_Setup.exe	String found in binary or memory: er-mid marker-start overline-position overline-thickness paint-order panose-1 pointer-events rendering-intent shape-rendering stop-color stop-opacity strikethrough-position strikethrough-thickness stroke-dasharray stroke-dashoffset stroke-linecap stroke-linejo
Source: Reader_Install_Setup.exe	String found in binary or memory: che Fertig stellen und starten Sie den Installationsvorgang neu." }, "invalidSKU": { "message": "Das {0}-Installationsprogramm ist veraltet oder eine Datei wurde umbenannt. Klicken Sie auf Fertig stellen, um das aktuelle Installa
Source: Reader_Install_Setup.exe	String found in binary or memory: .Km2Za0W8caH7Y94_8Cii {\r\n -ms-flex-align: stretch !important;\r\n align-items: stretch !important;\r\n }\r\n .W43tG1Sz8VgKlzT3ABdI {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n }\r\n .jl0mwv_1IlwXKT
Source: Reader_Install_Setup.exe	String found in binary or memory: art;\r\n align-items: flex-start;\r\n -ms-flex-pack: center;\r\n justify-content: center;\r\n}\r\n\r\n.KreO5lkqzKRYE6kMOpU8 > .SI26_236LLhD2moOSicV,\r\n.KreO5lkqzKRYE6kMOpU8 > .znKiFK8BtK3Ryz9nqB1f {\r\n width: 100%;\r\n}\r\n\r\n.KreO5lkqzKRYE6kMOpU8 > .SI
Source: Reader_Install_Setup.exe	String found in binary or memory: -flex-flow: row nowrap;\r\n flex-flow: row nowrap;\r\n -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n }\r\n .HR7PgL6swGh5IOFzTcX2 .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n flex-direction: row;\r\n }\r\n .HR7PgL6swG
Source: Reader_Install_Setup.exe	String found in binary or memory: gn: start !important;\r\n align-self: flex-start !important;\r\n }\r\n .eLScPzCVVKub71kFSTo6 {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .AjPsmeBDtyK_yy_tIXdq {\r\n -ms-flex-item-align: center !impo
Source: Reader_Install_Setup.exe	String found in binary or memory: -ms-flex-pack: start;\r\n justify-content: flex-start;\r\n}\r\n\r\n.q2Zc28XrMrY0gB3RKQXQ > .P9ttp5CfYv4K8NwPCfAS,\r\n.q2Zc28XrMrY0gB3RKQXQ > .m8oOHyBtRiyoCu3QS5_q, .q2Zc28XrMrY0gB3RKQXQ > .uTTRfMaOKj_KeT7DYxKx, .q2Zc28XrMrY0gB3RKQXQ > .iJvWw3vT2QR1DLdPDvu3, .
Source: Reader_Install_Setup.exe	String found in binary or memory: "flex-shrink-0":"on8QKWtR02qa9o9le_l4","flex-shrink-1":"sSYTlm_fbXuMQ2nOLx0w","justify-content-start":"DASZHkth1o5IOMZyhTDx","justify-content-end":"LAWb7Cbf0N5DYoYZseWF","justify-content-center":"FXBomI8D0oPm5hc8wxwA","justify-content-between":"wcoUwDW3XLAvF5X
Source: Reader_Install_Setup.exe	String found in binary or memory: \r\n\r\n.sSYTlm_fbXuMQ2nOLx0w {\r\n -ms-flex-negative: 1 !important;\r\n flex-shrink: 1 !important;\r\n}\r\n\r\n.DASZHkth1o5IOMZyhTDx {\r\n -ms-flex-pack: start !important;\r\n justify-content: flex-start !important;\r\n}\r\n\r\n.LAWb7Cbf0N5DYoYZseWF {\r\n
Source: Reader_Install_Setup.exe	String found in binary or memory: Hf_0","justify-content-around":"YZxKsrbvidFu366yCv8k","align-items-start":"kzhaT0Oba_fChd17ICcv","align-items-end":"DfrSF9G_NhJxaBrTyI9E","align-items-center":"T2gjS8V2_aCimczn_mvA","align-items-baseline":"wvV162mt8CM64dJRJC_K","align-items-stretch":"uwleunsKz
Source: Reader_Install_Setup.exe	String found in binary or memory: ustify-content: flex-start !important;\r\n }\r\n .y9ejXHhttjAEgovYXYMU {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .COPRSpy9kETB_SZQ4smx {\r\n -ms-flex-pack: center !important;\r\n justify-content: c
Source: Reader_Install_Setup.exe	String found in binary or memory: r\n justify-content: flex-start;\r\n align-items: flex-end;\r\n}\r\n\r\n.IDKVSl_h7I8AUkTJyJZR{\r\n color:#505050;\r\n margin-left: auto;\r\n}\r\n\r\n.mdye5L_d5nxHhgXOJzOl {\r\n background-color: #2680eb\r\n}\r\n\r\n.uA6xPsp_APEYTCYzQpAm {\r\n
Source: Reader_Install_Setup.exe	String found in binary or memory: ZoW2nYlOE4","align-content-start":"Ux_l3vTkayi2Nq7VsaVG","align-content-end":"NeoGktt2uqAOkIls2tkD","align-content-center":"kFFYrbLbLECA7hshfgB4","align-content-between":"_ovIEpiGXhGpst7ciRVY","align-content-around":"lkHcf3zkijisAIDcTRgA","align-content-stretc
Source: Reader_Install_Setup.exe	String found in binary or memory: ":"NEedZEkDvapuuRM76fDm","align-self-auto":"HZJOrTsRFta7TuRD5mLC","align-self-start":"OcYm86Cu28Oe4t9OrHGy","align-self-end":"Wie7fqOQFV_ARe1Jw09R","align-self-center":"M8kCN1fgOGwZVFJ3wLAX","align-self-baseline":"JItXRBa5bZTWWkWA6xmX","align-self-stretch":"B3
Source: Reader_Install_Setup.exe	String found in binary or memory: d !important;\r\n }\r\n .AwPLyaWsRJ3kVfxTYAKZ {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .JLhQyJ9YeJ2Xzm4rGI0o {\r\n -ms-flex-align: end !important;\r\n align-items: flex-end !important;\r\n }\r\n
Source: Reader_Install_Setup.exe	String found in binary or memory: lign-items: flex-start !important;\r\n}\r\n\r\n.DfrSF9G_NhJxaBrTyI9E {\r\n -ms-flex-align: end !important;\r\n align-items: flex-end !important;\r\n}\r\n\r\n.T2gjS8V2_aCimczn_mvA {\r\n -ms-flex-align: center !important;\r\n align-items: center !important;\
Source: Reader_Install_Setup.exe	String found in binary or memory: {\r\n -ms-flex-align: stretch !important;\r\n align-items: stretch !important;\r\n }\r\n .kaIxRiZtzxK_YyZMBHo_ {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n }\r\n .l1QG33TebFm8kJRTmnh7 {\r\n -ms-fl
Source: Reader_Install_Setup.exe	String found in binary or memory: aVG {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n}\r\n\r\n.NeoGktt2uqAOkIls2tkD {\r\n -ms-flex-line-pack: end !important;\r\n align-content: flex-end !important;\r\n}\r\n\r\n.kFFYrbLbLECA7hshfgB4 {\r\n -ms-flex-
Source: Reader_Install_Setup.exe	String found in binary or memory: y-content-sm-start":"B5btvvlXn96uf7yGf1tR","justify-content-sm-end":"PoT2qU4sMKBleURcc2cJ","justify-content-sm-center":"AVIeQzlddzrtDxIBXkKd","justify-content-sm-between":"ivJwQA579UzEbjI7CkZ_","justify-content-sm-around":"z68IWjEqXuP67bRb8eEp","align-items-sm
Source: Reader_Install_Setup.exe	String found in binary or memory: start":"fJTv_QJTsr6EO2H1q4V3","align-items-sm-end":"w8v8i3VE57doJW3WhKMD","align-items-sm-center":"xPBnP81DTQHre7ixEe_q","align-items-sm-baseline":"Fv8YCtye3D9Er3k3sYNM","align-items-sm-stretch":"V6bazQgwJb2yoGr1NWeW","align-content-sm-start":"WLLVW2mH0bVmfnnP
Source: Reader_Install_Setup.exe	String found in binary or memory: ;\r\n align-self: auto !important;\r\n}\r\n\r\n.OcYm86Cu28Oe4t9OrHGy {\r\n -ms-flex-item-align: start !important;\r\n align-self: flex-start !important;\r\n}\r\n\r\n.Wie7fqOQFV_ARe1Jw09R {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end
Source: Reader_Install_Setup.exe	String found in binary or memory: sm-auto":"IzdFJiZ2UCQMY9aGg_QA","align-self-sm-start":"iiYDHEA6tQXlGqaKw7jz","align-self-sm-end":"uq0dyk4fScobfEBVnATd","align-self-sm-center":"UpE4hJfsUm5TuZtTZvsv","align-self-sm-baseline":"e4_Oxc7RitQH_sjNSulu","align-self-sm-stretch":"k3cpKukN1yqN0o_bwWbO"
Source: Reader_Install_Setup.exe	String found in binary or memory: r\n align-self: flex-start !important;\r\n }\r\n .gvNgooS8lRGqBrL8T2NG {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .hd7N4PctGEIBBTckCPnz {\r\n -ms-flex-item-align: center !important;\r\n align-se
Source: Reader_Install_Setup.exe	String found in binary or memory: -reverse":"vy8MgiufjANaWTk_ZwWQ","flex-md-fill":"Oew_loBO0_dkmOrnii5w","flex-md-grow-0":"suF3M9_Dg1jwPDHryUtV","flex-md-grow-1":"NgldPqvt9DiqtAbphcRj","flex-md-shrink-0":"InhTYOgC9dF8dQSb1MLY","flex-md-shrink-1":"OqqmkSrciAjIMRn4zhht","justify-content-md-start
Source: Reader_Install_Setup.exe	String found in binary or memory: :"hkIpV6klVOwAo752VSvr","justify-content-md-end":"eLk5KmeziN3FG_ZvWUbk","justify-content-md-center":"wx9l9CrohZahb5XLMrGW","justify-content-md-between":"ysWVT3V793_xoLXozo0y","justify-content-md-around":"cCZYopTiajqBE6zSF4mb","align-items-md-start":"THpMIn_rv9
Source: Reader_Install_Setup.exe	String found in binary or memory: C"),a=!0,l="launchReader"),"true"===o.showLaunchAcrobat&&(i=t("Launch_Acrobat"),a=!0,l="launchAcrobat"),"true"===o.showLaunchReaderSAPP&&(i=t("Launch_Reader_DC"),a=!0,l="launchReaderSAPP")),a){var f="0";s&&(f="1");var p="<data><launchReaderSAPP>"+f+"</launchRe
Source: Reader_Install_Setup.exe	String found in binary or memory: XJ1zTlRSw","align-items-md-end":"GDHTGrjlGD0S0f1_DiJ5","align-items-md-center":"wtOokl2f_oejiBt8WE_w","align-items-md-baseline":"RZpDrGEVofFZ2OwqC2qL","align-items-md-stretch":"wekS_MR1HkGU6Ej1xqxk","align-content-md-start":"LkRjjQuLuuq2HISiPqJR","align-conten
Source: Reader_Install_Setup.exe	String found in binary or memory: s-flexbox;\r\n display: flex;\r\n -ms-flex-align: start;\r\n align-items: flex-start;\r\n -ms-flex-pack: justify;\r\n justify-content: space-between;\r\n padding: 1rem 1rem;\r\n border-bottom: 1px solid #dee2e6;\r\n border-top-left-radius: calc(0.3rem
Source: Reader_Install_Setup.exe	String found in binary or memory: Rz26TjBddI4","align-self-md-start":"xTvlYZBtMd3hxVUw0G1S","align-self-md-end":"fZE3fFOWzrNpoqLg33AU","align-self-md-center":"R1In6pl7PW91BoY3krKQ","align-self-md-baseline":"J1mijNk_O5u2_BNY_hz0","align-self-md-stretch":"NAXMdJmeSI56lhqzCE60","flex-lg-row":"mj9
Source: Reader_Install_Setup.exe	String found in binary or memory: tvvlXn96uf7yGf1tR {\r\n -ms-flex-pack: start !important;\r\n justify-content: flex-start !important;\r\n }\r\n .PoT2qU4sMKBleURcc2cJ {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .AVIeQzlddzrtDxIBXkKd
Source: Reader_Install_Setup.exe	String found in binary or memory: Gw99NEZmcvYy","flex-lg-fill":"HKtXJhwNMeSoCd3MgKGQ","flex-lg-grow-0":"dvvTGp7Qb5VsoLexKoAj","flex-lg-grow-1":"MF9RSy7GVU0ZJs8Gio4O","flex-lg-shrink-0":"lPtuBlsAx25tEyrdPW0j","flex-lg-shrink-1":"smDQGRg_vRvZ1zTRxO2O","justify-content-lg-start":"hz1rXkTClh20Fh5L
Source: Reader_Install_Setup.exe	String found in binary or memory: T5h","justify-content-lg-end":"mXqDCUtaC_JMHMad0ZwV","justify-content-lg-center":"qOrqtkCp3ivHw7SVfILq","justify-content-lg-between":"LdfUwIH0FNecJPWWPrg1","justify-content-lg-around":"nVtckCgiojWEvbI_02td","align-items-lg-start":"SkBdZQ4j6W8eEExZe0hD","align-
Source: Reader_Install_Setup.exe	String found in binary or memory: lex-pack: distribute !important;\r\n justify-content: space-around !important;\r\n }\r\n .fJTv_QJTsr6EO2H1q4V3 {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .w8v8i3VE57doJW3WhKMD {\r\n -ms-flex-align:
Source: Reader_Install_Setup.exe	String found in binary or memory: tems-lg-end":"WAJbhUQHN23bq7qy5Sn4","align-items-lg-center":"kd6x9h_3ZymIzA4bgzN7","align-items-lg-baseline":"KO8aNPXTLKYLQxI6em9l","align-items-lg-stretch":"Km2Za0W8caH7Y94_8Cii","align-content-lg-start":"W43tG1Sz8VgKlzT3ABdI","align-content-lg-end":"jl0mwv_1
Source: Reader_Install_Setup.exe	String found in binary or memory: -self-lg-start":"G9A3tlQ35wA03mx2tzqx","align-self-lg-end":"eLScPzCVVKub71kFSTo6","align-self-lg-center":"AjPsmeBDtyK_yy_tIXdq","align-self-lg-baseline":"tEiZrAGTU4ltRxVsQYja","align-self-lg-stretch":"zM8DoQ0E3PzQ1e4NdlbO","flex-xl-row":"xiURbQvawKtv3lpRx8BS",
Source: Reader_Install_Setup.exe	String found in binary or memory: Y84ydtiU3il6ry9nY {\r\n -webkit-animation: none;\r\n animation: none;\r\n }\r\n}\r\n\r\n.W6C_Cm_0CSNW7ljg2Y9l {\r\n display: -ms-flexbox;\r\n display: flex;\r\n -ms-flex-align: start;\r\n align-items: flex-start;\r\n}\r\n\r\n.xyiYCq7vZX3AEsLK_h4t {\
Source: Reader_Install_Setup.exe	String found in binary or memory: t -installer is required but not provided." }, "ActionList_AlreadyExists": { "message": "Application already installed" }, "ActionList_Complete": { "message": "Installation complete" }, "ActionList_Cancelled": { "message": "Can
Source: Reader_Install_Setup.exe	String found in binary or memory: ());i.push([r.id,".h3prVibJIx6xMWozlLvS{\r\n display: flex;\r\n flex-direction: row;\r\n flex-wrap: nowrap;\r\n align-content: flex-end;\r\n justify-content: flex-start;\r\n align-items: flex-end;\r\n}",""]),i.locals={container:"h3prVibJIx6xM
Source: Reader_Install_Setup.exe	String found in binary or memory: -xl-fill":"kGKaQXNtKVolETkb6VY_","flex-xl-grow-0":"NeShcrAZ5y_hpxB1Krrg","flex-xl-grow-1":"ysC1kPY5k3OAcyOOrAZF","flex-xl-shrink-0":"c7DdFRyXaVXxSNLm96SA","flex-xl-shrink-1":"vVfhGb47ZI1vy9SKdLAy","justify-content-xl-start":"EMKOqdcLxlLCtgNKAVN9","justify-cont
Source: Reader_Install_Setup.exe	String found in binary or memory: nt-xl-end":"y9ejXHhttjAEgovYXYMU","justify-content-xl-center":"COPRSpy9kETB_SZQ4smx","justify-content-xl-between":"mYnlm8yqHdRJ8jWo0Ula","justify-content-xl-around":"SRf5p8hsCyhBY1KbbllG","align-items-xl-start":"AwPLyaWsRJ3kVfxTYAKZ","align-items-xl-end":"JLhQ
Source: Reader_Install_Setup.exe	String found in binary or memory: iYDHEA6tQXlGqaKw7jz {\r\n -ms-flex-item-align: start !important;\r\n align-self: flex-start !important;\r\n }\r\n .uq0dyk4fScobfEBVnATd {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .UpE4hJfsUm5TuZtTZ
Source: Reader_Install_Setup.exe	String found in binary or memory: J9YeJ2Xzm4rGI0o","align-items-xl-center":"TnX6CLfh8vo_Q_DeYU2g","align-items-xl-baseline":"VtD1JQ5GGSN55msvqOuH","align-items-xl-stretch":"r3SPzoMrEJe9HyIuwWCJ","align-content-xl-start":"kaIxRiZtzxK_YyZMBHo_","align-content-xl-end":"l1QG33TebFm8kJRTmnh7","alig
Source: Reader_Install_Setup.exe	String found in binary or memory: Congratulations": { "message": "Gratulerer!" }, "ActionList_Verify": { "message": "Verifiserer installasjon ..." }, "ActionList_ErrorUpdateMessage": { "message": "Kommandolinjeargumentet -installasjonsprogram kreves, men er ikke oppg
Source: Reader_Install_Setup.exe	String found in binary or memory: -content-xl-center":"MV4EN51PwhHoa9MTCThc","align-content-xl-between":"ch_UlL0T5dkZlpBCGf6z","align-content-xl-around":"qeeJg8mLhC36_AtZhgPi","align-content-xl-stretch":"VnQjhwHZwYkSNDH0IDLS","align-self-xl-auto":"f6I_MfERc6Cd5U2cvKdb","align-self-xl-start":"P
Source: Reader_Install_Setup.exe	String found in binary or memory: Adobe Acrobat" }, "Congratulations": { "message": "Onnittelut" }, "ActionList_Verify": { "message": "Tarkistetaan asennusta..." }, "ActionList_ErrorUpdateMessage": { "message": "Komentoriviargumentti -installer vaaditaan, mutt
Source: Reader_Install_Setup.exe	String found in binary or memory: -ms-flex-pack: start !important;\r\n justify-content: flex-start !important;\r\n }\r\n .eLk5KmeziN3FG_ZvWUbk {\r\n -ms-flex-pack: end !important;\r\n justify-content: flex-end !important;\r\n }\r\n .wx9l9CrohZahb5XLMrGW {\r\n -ms-flex-pack:
Source: Reader_Install_Setup.exe	String found in binary or memory: : "..." }, "ActionList_ErrorUpdateMessage": { "message": " -installer " }, "ActionList_AlreadyExists": { "message": "
Source: Reader_Install_Setup.exe	String found in binary or memory: mportant;\r\n justify-content: space-around !important;\r\n }\r\n .THpMIn_rv9gXJ1zTlRSw {\r\n -ms-flex-align: start !important;\r\n align-items: flex-start !important;\r\n }\r\n .GDHTGrjlGD0S0f1_DiJ5 {\r\n -ms-flex-align: end !important;\r\n
Source: Reader_Install_Setup.exe	String found in binary or memory: important;\r\n }\r\n .wekS_MR1HkGU6Ej1xqxk {\r\n -ms-flex-align: stretch !important;\r\n align-items: stretch !important;\r\n }\r\n .LkRjjQuLuuq2HISiPqJR {\r\n -ms-flex-line-pack: start !important;\r\n align-content: flex-start !important;\r\n
Source: Reader_Install_Setup.exe	String found in binary or memory: x-pack: start;\r\n justify-content: flex-start;\r\n }\r\n .bCwZiTNFMMbBWr3jcpcC .UdZ9h4yDyt7zzl_efcFz {\r\n -ms-flex-direction: row;\r\n flex-direction: row;\r\n }\r\n .bCwZiTNFMMbBWr3jcpcC .UdZ9h4yDyt7zzl_efcFz .WNvdx4uqUWtr9A7ET3s8 {\r\n posi
Source: Reader_Install_Setup.exe	String found in binary or memory: \n -ms-flex-item-align: start !important;\r\n align-self: flex-start !important;\r\n }\r\n .fZE3fFOWzrNpoqLg33AU {\r\n -ms-flex-item-align: end !important;\r\n align-self: flex-end !important;\r\n }\r\n .R1In6pl7PW91BoY3krKQ {\r\n -ms-flex-i
Source: Reader_Install_Setup.exe	String found in binary or memory: ft..." }, "ActionList_ErrorUpdateMessage": { "message": "Das Befehlszeilenargument -installer muss angegeben werden." }, "ActionList_AlreadyExists": { "message": "Die Anwendung ist bereits installiert." }, "ActionList_Comp

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Acrobat_DC_x64_VIP_v10.12.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe "C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe "C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe "rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: oleaccrc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: pgpmapih.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DD475EBC-D960-4AF4-BB8A-BE91FA942756}

Jump to behavior

Source: Acrobat_DC_x64_VIP_v10.12.msi

Static file information: File size 2834432 > 1048576

Source:

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Code function: 2_2_00F6F080 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00F6F080

Source: Reader_Install_Setup.exe.1.dr	Static PE information: real checksum: 0x16e9b1 should be: 0x165850
Source: qpgEZsswIP.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0x25b1c4

Source: qpgEZsswIP.dll.1.dr	Static PE information: section name: .rotext
Source: qpgEZsswIP.dll.1.dr	Static PE information: section name: .rodata
Source: qpgEZsswIP.dll.1.dr	Static PE information: section name: .rodata

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00D05D5C push ecx; ret	2_2_00D05D6F
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00D9A90C push es; iretd	2_2_00D9A9CC
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_075751EF pushad ; iretd	2_2_075751F2
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_094A63AB push cs; retf	2_2_094A63AF
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_094A83B0 push esi; ret	2_2_094A83B2
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_094A2EA5 push esp; iretd	2_2_094A2EAB

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Windows\System32\rundll32.exe	Code function: qemu qemu vmware vbox	3_2_0000022E65FF41F0
Source: C:\Windows\System32\rundll32.exe	Code function: vbox_req_val vbox_req_key vbox_files vbox_dirs vbox_check_mac vbox_devices vbox_window_class vbox_network_class vbox_process vbox_mac_wmi vbox_eventlog_wmi vbox_firmware_smbios vbox_firmware_acpi vbox_bus_wmi vbox_baseborad_wmi vbox_pnpentity_pcideviceid_wmi vbox_pnpentity_controllers_wmi vbox_pnpentity_vboxname_wmi vmware_reg_key_value vmware_reg_keys vmware_files vmware_dir vmware_mac vmware_adapter_name vmware_devices vmware_processes vmware_firmware_smbios vmware_firmware_ACPI qemu_reg_key_value qemu_reg_key_value qemu_processes qemu_processes qemu_dir qemu_dir qemu_firmware_acpi qemu_firmware_acpi qemu_firmware_smbios qemu_firmware_smbios	3_2_0000022E65FE7198
Source: C:\Windows\System32\rundll32.exe	Code function: vboxvideo VBoxVideoW8 VBoxWddm	3_2_0000022E65FF2160
Source: C:\Windows\System32\rundll32.exe	Code function: System32\drivers\VBoxMouse.sys System32\drivers\VBoxGuest.sys System32\drivers\VBoxSF.sys System32\drivers\VBoxVideo.sys System32\vboxdisp.dll System32\vboxhook.dll System32\vboxmrxnp.dll System32\vboxogl.dll System32\vboxoglarrayspu.dll System32\vboxoglcrutil.dll System32\vboxoglerrorspu.dll System32\vboxoglfeedbackspu.dll System32\vboxoglpackspu.dll System32\vboxoglpassthroughspu.dll System32\vboxservice.exe System32\vboxservice.exe System32\vboxtray.exe System32\VBoxControl.exe	3_2_0000022E65FF1D10
Source: C:\Windows\System32\rundll32.exe	Code function: VBOX VBOX VEN_VBOX	3_2_0000022E65FF2F00
Source: C:\Windows\System32\rundll32.exe	Code function: VBoxWddm VBoxSF VBoxMouse VBoxGuest	3_2_0000022E65FF4650
Source: C:\Windows\System32\rundll32.exe	Code function: vbox VBOX	3_2_0000022E65FF2470

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rundll32.exe	Binary or memory string: QEMU-GA.EXE
Source: rundll32.exe	Binary or memory string: VMUSRVC.EXE
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: 00:0C:29PV00:1C:14CHECKING MAC STARTING WITH %S00:50:56\\.\HGFSVMWAREVMTOOLSD.EXE\\.\VMCIVMWAREUSER.EXEVMWARETRAY.EXEVMACTHLP.EXEVGAUTHSERVICE.EXEVMWARECHECKING VWWARE PROCESS %S VMWAREVMSRVC.EXECHECKING VIRTUAL PC PROCESSES %S VMUSRVC.EXESOFTWARE\MICROSOFT\VIRTUAL MACHINE\GUEST\PARAMETERSQEMUVDAGENT.EXEQEMU-GA.EXECHECKING QEMU PROCESSES %S VDSERVICE.EXESPICE GUEST TOOLSQEMU-GAQEMUCHECKING QEMU DIRECTORY %S BOCHSQEMUBXPCSOFTWARE\WINEWINE_GET_UNIX_FILE_NAMESYSTEM\CONTROLSET001\SERVICES\VIOSTORSYSTEM\CONTROLSET001\SERVICES\VIOSCSISYSTEM\CONTROLSET001\SERVICES\VIRTIOSERIALSYSTEM\CONTROLSET001\SERVICES\VIRTIO-FS SERVICESYSTEM\CONTROLSET001\SERVICES\BALLOONSERVICESYSTEM\CONTROLSET001\SERVICES\BALLOONSYSTEM32\DRIVERS\BALLOON.SYSSYSTEM\CONTROLSET001\SERVICES\NETKVMSYSTEM32\DRIVERS\PVPANIC.SYSSYSTEM32\DRIVERS\NETKVM.SYSSYSTEM32\DRIVERS\VIOGPUDO.SYSSYSTEM32\DRIVERS\VIOFS.SYSSYSTEM32\DRIVERS\VIORNG.SYSSYSTEM32\DRIVERS\VIOINPUT.SYSSYSTEM32\DRIVERS\VIOSER.SYSSYSTEM32\DRIVERS\VIOSCSI.SYSVIRTIO-WIN\SYSTEM32\DRIVERS\VIOSTOR.SYSBOT.EXESAMPLE.EXEMALWARE.EXESANDBOX.EXEKLAVME.EXETEST.EXETESTAPP.EXEMYAPP.EXECHECKING IF PROCESS FILE NAME LOOKS LIKE A HASH: %S CHECKING IF PROCESS FILE NAME CONTAINS: %S SANDBOXCURRENTUSERHAPUBWSEMILYIT-ADMINHONG LEEMILLERJOHNSONPETER WILSONMILOZSSAND BOXTIMMYMALTESTMALWAREVIRUSTEST USERCHECKING IF USERNAME MATCHES : %S JOHN DOESIZESELECT * FROM WIN32_LOGICALDISKVBOXQEMUVMWAREVIRTUALSELECT * FROM WIN32_COMPUTERSYSTEMHVM DOMUMODELSELECT * FROM WIN32_FANXENVIRTIOVMWSYSTEM\CURRENTCONTROLSET\ENUM\IDEPROCEXP64.EXESYSTEM\CURRENTCONTROLSET\ENUM\SCSIDESKTOPPRL_TOOLS.EXEPRL_CC.EXE

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 4090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 3620000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 4010000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 4390000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 7470000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 7510000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 7530000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8E50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8EB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8F50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8FB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9010000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9070000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 90D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 90F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9190000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 91D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9220000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9240000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9260000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9340000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 93C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9400000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 7450000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 88F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8BD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8BF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 94A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 9A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8C30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8C50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8ED0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8F90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 7590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 94C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8C90000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8C70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: 8CB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: F80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Memory allocated: FA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,

3_2_0000022E65FF4850

Source: C:\Windows\System32\rundll32.exe

Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,

3_2_0000022E65FF4CD0

Source: C:\Windows\System32\msiexec.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep count: 61 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep time: -122000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep count: 85 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep time: -255000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep time: -146000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep count: 76 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7616	Thread sleep time: -228000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Code function: 2_2_00D068EA VirtualQuery,GetSystemInfo,

2_2_00D068EA

Source: rundll32.exe	Binary or memory string: VBoxGuest
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: VMware
Source: rundll32.exe	Binary or memory string: VBoxMouse
Source: rundll32.exe	Binary or memory string: Checking qemu processes %s
Source: rundll32.exe	Binary or memory string: vmmemctl
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: 00:0c:29PV00:1C:14Checking MAC starting with %s00:50:56\\.\HGFSVMWarevmtoolsd.exe\\.\vmcivmwareuser.exevmwaretray.exevmacthlp.exeVGAuthService.exeVMwareChecking VWware process %s VMWAREVMSrvc.exeChecking Virtual PC processes %s VMUSrvc.exeSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersQEMUvdagent.exeqemu-ga.exeChecking qemu processes %s vdservice.exeSPICE Guest Toolsqemu-gaqemuChecking QEMU directory %s BOCHSQEMUBXPCSOFTWARE\Winewine_get_unix_file_nameSYSTEM\ControlSet001\Services\viostorSYSTEM\ControlSet001\Services\vioscsiSYSTEM\ControlSet001\Services\VirtioSerialSYSTEM\ControlSet001\Services\VirtIO-FS ServiceSYSTEM\ControlSet001\Services\BalloonServiceSYSTEM\ControlSet001\Services\BALLOONSystem32\drivers\balloon.sysSYSTEM\ControlSet001\Services\netkvmSystem32\drivers\pvpanic.sysSystem32\drivers\netkvm.sysSystem32\drivers\viogpudo.sysSystem32\drivers\viofs.sysSystem32\drivers\viorng.sysSystem32\drivers\vioinput.sysSystem32\drivers\vioser.sysSystem32\drivers\vioscsi.sysVirtio-Win\System32\drivers\viostor.sysbot.exesample.exemalware.exesandbox.exeklavme.exetest.exetestapp.exemyapp.exeChecking if process file name looks like a hash: %s Checking if process file name contains: %s SandboxCurrentUserHAPUBWSEmilyIT-ADMINHong LeeMillerJohnsonPeter Wilsonmilozssand boxtimmymaltestmalwarevirustest userChecking if username matches : %s John DoeSizeSELECT * FROM Win32_LogicalDiskvboxqemuvmwareVirtualSELECT * FROM Win32_ComputerSystemHVM domUModelSELECT * FROM Win32_FanxenvirtioVMWSystem\CurrentControlSet\Enum\IDEprocexp64.exeSystem\CurrentControlSet\Enum\SCSIDesktopprl_tools.exeprl_cc.exe
Source: rundll32.exe	Binary or memory string: System32\drivers\vmnetuserif.sys
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64164000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rodu8971434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney
Source: rundll32.exe	Binary or memory string: qemu-ga.exe
Source: rundll32.exe	Binary or memory string: \\.\VBoxMiniRdrDN
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.0000000001505000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe	Binary or memory string: VBoxTrayToolWnd
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: VMWARE
Source: rundll32.exe	Binary or memory string: \\.\VBoxTrayIPC
Source: rundll32.exe	Binary or memory string: VBoxTrayToolWndClass
Source: rundll32.exe	Binary or memory string: System32\drivers\VBoxMouse.sys
Source: rundll32.exe	Binary or memory string: vmmouse
Source: rundll32.exe	Binary or memory string: VMUSrvc.exe
Source: rundll32.exe	Binary or memory string: \\.\HGFS
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_reg_keys
Source: rundll32.exe	Binary or memory string: vmwareuser.exe
Source: rundll32.exe	Binary or memory string: qemu-ga
Source: rundll32.exe	Binary or memory string: System32\drivers\VBoxGuest.sys
Source: rundll32.exe	Binary or memory string: vmware
Source: rundll32.exe	Binary or memory string: System32\drivers\vmmouse.sys
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_dir
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_devices
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_processes
Source: rundll32.exe	Binary or memory string: System32\vboxservice.exe
Source: rundll32.exe	Binary or memory string: \\.\VBoxGuest
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: qemu_reg_key_value
Source: rundll32.exe	Binary or memory string: vboxservice.exe
Source: rundll32.exe	Binary or memory string: System32\vboxtray.exe
Source: rundll32.exe	Binary or memory string: \\.\vmci
Source: rundll32.exe	Binary or memory string: HARDWARE\ACPI\FADT\VBOX__
Source: rundll32.exe	Binary or memory string: VMWare\
Source: rundll32.exe	Binary or memory string: System32\drivers\vmhgfs.sys
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_reg_key_value
Source: rundll32.exe	Binary or memory string: VBoxSF
Source: rundll32.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: rundll32.exe	Binary or memory string: vboxtray.exe
Source: rundll32.exe	Binary or memory string: vmwaretray.exe
Source: rundll32.exe	Binary or memory string: System32\drivers\vmx86.sys
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: rundll32.exe	Binary or memory string: System32\drivers\vmnet.sys
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: stringComputer System ProductComputer System ProductG59S8971434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.Noney*
Source: rundll32.exe	Binary or memory string: vmtoolsd.exe
Source: rundll32.exe	Binary or memory string: vmhgfs
Source: Reader_Install_Setup.exe, 00000002.00000002.4171708465.0000000001505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWs1?
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_adapter_name
Source: rundll32.exe	Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: '\\.\pipe\VBoxMiniRdDN\\.\VBoxGuest\\.\pipe\VBoxTrayIPC\\.\VBoxTrayIPCVBoxTrayToolWndClassChecking device %s VirtualBox Shared FoldersVBoxTrayToolWndvboxtray.exevboxservice.exeSELECT * FROM Win32_NetworkAdapterConfigurationChecking VirtualBox process %s 08:00:27MACAddressVBoxVideoW8vboxvideoSELECT * FROM Win32_NTEventlogFileVBoxWddmSystemFileNameVirtualBoxSourcesVBOXvboxDeviceIdSELECT * FROM Win32_PnPEntityNamePCI\VEN_80EE&DEV_CAFE82441FX82801FBOpenHCD82371SBACPIBus_BUS_0SELECT * FROM Win32_BusPNP_BUS_0PCI_BUS_0ProductSELECT * FROM Win32_BaseBoardManufacturerVirtualBoxSELECT * FROM Win32_PnPDeviceOracle CorporationPNPDeviceIDCaptionVEN_VBOXVMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0SystemManufacturerSYSTEM\ControlSet001\Control\SystemInformationChecking reg key %sSystemProductNameSystem32\drivers\vmnet.sysSOFTWARE\VMware, Inc.\VMware ToolsSystem32\drivers\vmusb.sysSystem32\drivers\vmmouse.sysSystem32\drivers\vmci.sysSystem32\drivers\vm3dmp.sysSystem32\drivers\vmmemctl.sysSystem32\drivers\vmhgfs.sysSystem32\drivers\vmrawdsk.sysSystem32\drivers\vmx86.sysSystem32\drivers\vmkdb.sysSystem32\drivers\vmusbmouse.sysSystem32\drivers\vmnetadapter.sysSystem32\drivers\vmnetuserif.sys
Source: rundll32.exe	Binary or memory string: \\.\pipe\VBoxTrayIPC
Source: rundll32.exe	Binary or memory string: System32\vboxhook.dll
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: qemu_processes
Source: rundll32.exe	Binary or memory string: System32\drivers\vmnetadapter.sys
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: qemu_dir
Source: rundll32.exe	Binary or memory string: System32\vboxmrxnp.dll
Source: rundll32.exe, 00000003.00000002.4170488563.0000022E64127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: BChecking Parallels processes: %sVBoxMouseVBoxSFvmciVBoxGuestvmmousevmhgfsvmusbvmmemctlvmx_svgavmusbmousevmx86vmxnetFailed to get services list.
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_firmware_smbios
Source: rundll32.exe	Binary or memory string: System32\drivers\vmci.sys
Source: rundll32.exe	Binary or memory string: VMSrvc.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: rundll32.exe	Binary or memory string: vmx86
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_mac
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: qemu_firmware_acpi
Source: rundll32.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxGuest
Source: rundll32.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxService
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: iVMWare\
Source: rundll32.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxMouse
Source: rundll32.exe	Binary or memory string: VMWare
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_files
Source: rundll32.exe	Binary or memory string: Checking QEMU directory %s
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware_firmware_ACPI
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: ntdll.dllkernel32.dllLdrLoadDllLdrGetProcedureAddressZwProtectVirtualMemoryRtlAnsiStringToUnicodeStringRtlFreeUnicodeStringNtQueueApcThreadIsWow64ProcessLoadLibraryAZwQueryInformationProcessRtlNtStatusToDosErrorNtResumeProcessZwAllocateVirtualMemoryZwWriteVirtualMemoryZwReadVirtualMemoryZwGetContextThreadZwSetContextThreadNtMapViewOfSectionNtCreateSectionNtUnmapViewOfSectionZwCloseROOT\CIMV2CoSetProxyBlanketole32.dllWin32_ProcessCreateCommandLineWin32_ProcessStartupShowWindowCreateFlagsReturnValueProcessStartupInformationProcessIdSELECT * FROM Win32_ComputerSystemProductUUIDDomainSELECT * FROM Win32_ComputerSystem NameSELECT * FROM Win32_ComputerSystemCaptionSELECT * FROM Win32_OperatingSystem WQLIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0HARDWARE\Description\SystemVBOXVideoBiosVersionSystemBiosVersionSystemBiosDateVIRTUALBOXChecking reg key HARDWARE\Description\System - %s is set to %s06/23/99HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\DSDT\VBOX__SOFTWARE\Oracle\VirtualBox Guest AdditionsHARDWARE\ACPI\RSDT\VBOX__SYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxServiceChecking reg key %s SYSTEM\ControlSet001\Services\VBoxVideoSystem32\drivers\VBoxGuest.sysSystem32\drivers\VBoxMouse.sysSystem32\drivers\VBoxVideo.sysSystem32\drivers\VBoxSF.sysSystem32\vboxhook.dllSystem32\vboxdisp.dllSystem32\vboxogl.dllSystem32\vboxmrxnp.dllSystem32\vboxoglcrutil.dllSystem32\vboxoglarrayspu.dllSystem32\vboxoglfeedbackspu.dllSystem32\vboxoglerrorspu.dllSystem32\vboxoglpassthroughspu.dllSystem32\vboxoglpackspu.dllSystem32\vboxtray.exeSystem32\vboxservice.exeChecking file %s System32\VBoxControl.exe%ProgramW6432%oracle\virtualbox guest additions\\\.\VBoxMiniRdrDN
Source: rundll32.exe	Binary or memory string: System32\drivers\VBoxSF.sys
Source: rundll32.exe	Binary or memory string: System32\drivers\vmmemctl.sys
Source: rundll32.exe, rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: qemu_firmware_smbios
Source: rundll32.exe, 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: client_idgroup_namesys_versionclient_versionsession_idiphashtask_statetask_idtask_resulttasksFORTHEEMPERORclient_pingclient_ipgeneralclient_typesessuuidusercheck_xenpsexp_runningwine_exportswine_reqvbox_req_valvbox_req_keyvbox_filesvbox_dirsvbox_check_macvbox_devicesvbox_window_classvbox_network_classvbox_processvbox_mac_wmivbox_eventlog_wmivbox_firmware_smbiosvbox_firmware_acpivbox_bus_wmivbox_baseborad_wmivbox_pnpentity_pcideviceid_wmivbox_pnpentity_controllers_wmivbox_pnpentity_vboxname_wmivmware_reg_key_valuevmware_reg_keysvmware_filesvmware_dirvmware_macvmware_adapter_namevmware_devicesvmware_processesvmware_firmware_smbiosvmware_firmware_ACPIvirtual_pc_processvirtual_pc_reg_keysvm_driver_servicescpu_fan_wmiqemu_reg_key_valueqemu_processesqemu_dirqemu_firmware_acpiqemu_firmware_smbioskvm_reg_keyskvm_fileskvm_dirparallels_processparallels_check_macmod_compdsksknown_umemsmsmvisfromdescknown_filesnum_of_procsreq_disk_enumproc_listbinary_db

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

API call chain: ExitProcess graph end node

graph_2-23905

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Code function: 2_2_00D0D111 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00D0D111

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Code function: 2_2_00F6F080 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00F6F080

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00D299BF mov eax, dword ptr fs:[00000030h]		2_2_00D299BF
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00D1C54C mov ecx, dword ptr fs:[00000030h]		2_2_00D1C54C

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FEDCF0 GetProcessHeap,HeapAlloc,

3_2_0000022E65FEDCF0

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe "C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00D05895 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00D05895
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: 2_2_00D0D111 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D0D111
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66115D8C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000022E66115D8C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E66143530 SetUnhandledExceptionFilter,	3_2_0000022E66143530

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.155.37.158 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 45.83.20.213 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 46.249.38.179 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 149.154.153.2 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 188.166.15.250 443	Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FF4DE0 CreateToolhelp32Snapshot,Process32FirstW,StrCmpIW,CloseHandle,Process32NextW,StrCmpIW,Process32NextW,CloseHandle,

3_2_0000022E65FF4DE0

Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: EnumSystemLocalesW,	2_2_00D27CD3
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetLocaleInfoW,	2_2_00D2EC98
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00D2E816
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_00D2E403
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetLocaleInfoW,	2_2_00D2E5FE
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00D2ED67
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: EnumSystemLocalesW,	2_2_00D2E6F0
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetLocaleInfoW,	2_2_00D28290
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: EnumSystemLocalesW,	2_2_00D2E6A5
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetLocaleInfoW,	2_2_00D2EA69
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00D2EB92
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Code function: EnumSystemLocalesW,	2_2_00D2E78B
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	3_2_0000022E6612D0C8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_0000022E66131F78
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0000022E66131D90
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000022E6612CABC
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000022E66131898
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_0000022E66131968
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	3_2_0000022E661434F0
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	3_2_0000022E6613158C

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FDB25C CreateNamedPipeA,_CxxThrowException,CreateFileA,_CxxThrowException,std::_Deallocate,

3_2_0000022E65FDB25C

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E660F42D8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_0000022E660F42D8

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_0000022E65FF3C10 GetUserNameW,

3_2_0000022E65FF3C10

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEAA68 RpcServerUseProtseqEpA,RpcServerRegisterIfEx,RpcServerListen,std::_Deallocate,	3_2_0000022E65FEAA68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEA9F4 RpcBindingFree,	3_2_0000022E65FEA9F4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEA97C RpcBindingFree,	3_2_0000022E65FEA97C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEA908 RpcBindingFree,	3_2_0000022E65FEA908
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEA894 RpcBindingFree,	3_2_0000022E65FEA894
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000022E65FEAB40 RpcMgmtStopServerListening,RpcServerUnregisterIf,	3_2_0000022E65FEAB40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Email Collection	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	22 Process Injection	21 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 System Service Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Connections Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Query Registry	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	321 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Process Injection	/etc/passwd and /etc/shadow	12 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	12 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Acrobat_DC_x64_VIP_v10.12.msi	5%	ReversingLabs	Binary.Trojan.BumbleBee

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll	13%	ReversingLabs	Win64.Trojan.BumbleBee

Source	Detection	Scanner	Label
l1whn6jhl8xi.live	0%	Avira URL Cloud	safe
9nrkgb5ymmhx.live	0%	Avira URL Cloud	safe
8vxea0tldluf.live	0%	Avira URL Cloud	safe
aho8skpvfpxw.live	0%	Avira URL Cloud	safe
9gle7ejwpees.live	0%	Avira URL Cloud	safe
a0xjyxk6h5m7.live	0%	Avira URL Cloud	safe
0xejepvnnpze.live	0%	Avira URL Cloud	safe
velmddsj68vd.live	0%	Avira URL Cloud	safe
kwekpaz4eobt.live	0%	Avira URL Cloud	safe
kaky1v99z650.live	0%	Avira URL Cloud	safe
iaqxv2w3o0xc.live	0%	Avira URL Cloud	safe
ei2svhuxkfnm.live	0%	Avira URL Cloud	safe
164kx6yftp7e.live	0%	Avira URL Cloud	safe
437jwomut9vr.live	0%	Avira URL Cloud	safe
tok60x6gccij.live	0%	Avira URL Cloud	safe
uzpp0a72mgf8.live	0%	Avira URL Cloud	safe
541xdsl3qrmo.live	0%	Avira URL Cloud	safe
vh378qqwk9vc.live	0%	Avira URL Cloud	safe
vmduug7itjpc.live	0%	Avira URL Cloud	safe
nvzd7pgfgpxt.live	0%	Avira URL Cloud	safe
ipmh0eee13h2.live	0%	Avira URL Cloud	safe
t6ocigyxberq.live	0%	Avira URL Cloud	safe
a1xbi34msajq.live	0%	Avira URL Cloud	safe
sztn5z9mczvv.live	0%	Avira URL Cloud	safe
w2pjbfv1lp0s.live	0%	Avira URL Cloud	safe
vlqwx3ydmtxh.live	0%	Avira URL Cloud	safe
forned95q3gl.live	0%	Avira URL Cloud	safe
oltfqksrbe1h.live	0%	Avira URL Cloud	safe
13gdw8hd0f5g.live	0%	Avira URL Cloud	safe
twh0pzti1jmc.live	0%	Avira URL Cloud	safe
w525f7mmd4ms.live	0%	Avira URL Cloud	safe
n3om81law5m7.live	0%	Avira URL Cloud	safe
77mk5fucuhe8.live	0%	Avira URL Cloud	safe
hlhhny6jyz0h.live	0%	Avira URL Cloud	safe
ya8ym63w9m91.live	0%	Avira URL Cloud	safe
lfi8tslls020.live	0%	Avira URL Cloud	safe
nsqum7l04ak6.live	0%	Avira URL Cloud	safe
aa8btew33mma.live	0%	Avira URL Cloud	safe
y7bc5b0ezh5m.live	0%	Avira URL Cloud	safe
eldzk3tkcta3.live	0%	Avira URL Cloud	safe
vt762jefdhwk.live	0%	Avira URL Cloud	safe
h8laq4jtyfqp.live	0%	Avira URL Cloud	safe
4p06saxn3ubp.live	0%	Avira URL Cloud	safe
7hxcfu85ux0c.live	0%	Avira URL Cloud	safe
26wem2p2aunb.live	0%	Avira URL Cloud	safe
0gylcs3gwdpp.live	0%	Avira URL Cloud	safe
s542jqly9hk1.live	0%	Avira URL Cloud	safe
ejz7h2nwpe9p.live	0%	Avira URL Cloud	safe
ppakbng3anmz.live	0%	Avira URL Cloud	safe
va5rnvsffage.live	0%	Avira URL Cloud	safe
3ysjrezb3os9.live	0%	Avira URL Cloud	safe
i5ke68h24a00.live	0%	Avira URL Cloud	safe
mmerhgt2a428.live	0%	Avira URL Cloud	safe
aummhmvbuvf7.live	0%	Avira URL Cloud	safe
r33j2bx1ieh9.live	0%	Avira URL Cloud	safe
x39w37ihaw67.live	0%	Avira URL Cloud	safe
u86t183m8fjl.live	0%	Avira URL Cloud	safe
exe12ldlj0nb.live	0%	Avira URL Cloud	safe
rzctrohkd26r.live	0%	Avira URL Cloud	safe
q8txsh5ger29.live	0%	Avira URL Cloud	safe
adu5tcdt1mw8.live	0%	Avira URL Cloud	safe
toooegs0ua4k.live	0%	Avira URL Cloud	safe
2ujyrqt4xzmp.live	0%	Avira URL Cloud	safe
rigwjjv5e0te.live	0%	Avira URL Cloud	safe
0ws4d9s611dt.live	0%	Avira URL Cloud	safe
9yvk5z9213sf.live	0%	Avira URL Cloud	safe
9nsdtl72ktuk.live	0%	Avira URL Cloud	safe
pdim2swkrf2v.live	0%	Avira URL Cloud	safe
xj0airqray7d.live	0%	Avira URL Cloud	safe
4vh1mae0a37r.live	0%	Avira URL Cloud	safe
orp3efts3f5z.live	0%	Avira URL Cloud	safe
qxul3spnx991.live	0%	Avira URL Cloud	safe
kiph911rpr6p.live	0%	Avira URL Cloud	safe
r4og0ibkr2i1.live	0%	Avira URL Cloud	safe
271bk6bm6ek7.live	0%	Avira URL Cloud	safe
5aphqp78vw8h.live	0%	Avira URL Cloud	safe
nketun9udno5.live	0%	Avira URL Cloud	safe
mak2p2u1p6oc.live	0%	Avira URL Cloud	safe
6mca3un8fmrd.live	0%	Avira URL Cloud	safe
w3d73cw4ayun.live	0%	Avira URL Cloud	safe
6lgie8q5pjdc.live	0%	Avira URL Cloud	safe
ufiiux335dpw.live	0%	Avira URL Cloud	safe
egdk83k09qmr.live	0%	Avira URL Cloud	safe
z7w1125qgaak.live	0%	Avira URL Cloud	safe
zd6j8je6phb4.live	0%	Avira URL Cloud	safe
u1uaoomqywpz.live	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
9nrkgb5ymmhx.live	true	Avira URL Cloud: safe	unknown
8vxea0tldluf.live	true	Avira URL Cloud: safe	unknown
velmddsj68vd.live	true	Avira URL Cloud: safe	unknown
0xejepvnnpze.live	true	Avira URL Cloud: safe	unknown
aho8skpvfpxw.live	true	Avira URL Cloud: safe	unknown
9gle7ejwpees.live	true	Avira URL Cloud: safe	unknown
a0xjyxk6h5m7.live	true	Avira URL Cloud: safe	unknown
l1whn6jhl8xi.live	true	Avira URL Cloud: safe	unknown
kwekpaz4eobt.live	true	Avira URL Cloud: safe	unknown
kaky1v99z650.live	true	Avira URL Cloud: safe	unknown
iaqxv2w3o0xc.live	true	Avira URL Cloud: safe	unknown
ei2svhuxkfnm.live	true	Avira URL Cloud: safe	unknown
164kx6yftp7e.live	true	Avira URL Cloud: safe	unknown
tok60x6gccij.live	true	Avira URL Cloud: safe	unknown
437jwomut9vr.live	true	Avira URL Cloud: safe	unknown
vh378qqwk9vc.live	true	Avira URL Cloud: safe	unknown
uzpp0a72mgf8.live	true	Avira URL Cloud: safe	unknown
541xdsl3qrmo.live	true	Avira URL Cloud: safe	unknown
nvzd7pgfgpxt.live	true	Avira URL Cloud: safe	unknown
vmduug7itjpc.live	true	Avira URL Cloud: safe	unknown
ipmh0eee13h2.live	true	Avira URL Cloud: safe	unknown
a1xbi34msajq.live	true	Avira URL Cloud: safe	unknown
t6ocigyxberq.live	true	Avira URL Cloud: safe	unknown
sztn5z9mczvv.live	true	Avira URL Cloud: safe	unknown
w2pjbfv1lp0s.live	true	Avira URL Cloud: safe	unknown
vlqwx3ydmtxh.live	true	Avira URL Cloud: safe	unknown
forned95q3gl.live	true	Avira URL Cloud: safe	unknown
oltfqksrbe1h.live	true	Avira URL Cloud: safe	unknown
w525f7mmd4ms.live	true	Avira URL Cloud: safe	unknown
13gdw8hd0f5g.live	true	Avira URL Cloud: safe	unknown
77mk5fucuhe8.live	true	Avira URL Cloud: safe	unknown
twh0pzti1jmc.live	true	Avira URL Cloud: safe	unknown
n3om81law5m7.live	true	Avira URL Cloud: safe	unknown
hlhhny6jyz0h.live	true	Avira URL Cloud: safe	unknown
lfi8tslls020.live	true	Avira URL Cloud: safe	unknown
ya8ym63w9m91.live	true	Avira URL Cloud: safe	unknown
nsqum7l04ak6.live	true	Avira URL Cloud: safe	unknown
aa8btew33mma.live	true	Avira URL Cloud: safe	unknown
vt762jefdhwk.live	true	Avira URL Cloud: safe	unknown
y7bc5b0ezh5m.live	true	Avira URL Cloud: safe	unknown
h8laq4jtyfqp.live	true	Avira URL Cloud: safe	unknown
4p06saxn3ubp.live	true	Avira URL Cloud: safe	unknown
eldzk3tkcta3.live	true	Avira URL Cloud: safe	unknown
7hxcfu85ux0c.live	true	Avira URL Cloud: safe	unknown
26wem2p2aunb.live	true	Avira URL Cloud: safe	unknown
s542jqly9hk1.live	true	Avira URL Cloud: safe	unknown
0gylcs3gwdpp.live	true	Avira URL Cloud: safe	unknown
ppakbng3anmz.live	true	Avira URL Cloud: safe	unknown
ejz7h2nwpe9p.live	true	Avira URL Cloud: safe	unknown
va5rnvsffage.live	true	Avira URL Cloud: safe	unknown
r33j2bx1ieh9.live	true	Avira URL Cloud: safe	unknown
i5ke68h24a00.live	true	Avira URL Cloud: safe	unknown
aummhmvbuvf7.live	true	Avira URL Cloud: safe	unknown
3ysjrezb3os9.live	true	Avira URL Cloud: safe	unknown
mmerhgt2a428.live	true	Avira URL Cloud: safe	unknown
u86t183m8fjl.live	true	Avira URL Cloud: safe	unknown
exe12ldlj0nb.live	true	Avira URL Cloud: safe	unknown
x39w37ihaw67.live	true	Avira URL Cloud: safe	unknown
rzctrohkd26r.live	true	Avira URL Cloud: safe	unknown
adu5tcdt1mw8.live	true	Avira URL Cloud: safe	unknown
q8txsh5ger29.live	true	Avira URL Cloud: safe	unknown
2ujyrqt4xzmp.live	true	Avira URL Cloud: safe	unknown
toooegs0ua4k.live	true	Avira URL Cloud: safe	unknown
rigwjjv5e0te.live	true	Avira URL Cloud: safe	unknown
9yvk5z9213sf.live	true	Avira URL Cloud: safe	unknown
0ws4d9s611dt.live	true	Avira URL Cloud: safe	unknown
9nsdtl72ktuk.live	true	Avira URL Cloud: safe	unknown
pdim2swkrf2v.live	true	Avira URL Cloud: safe	unknown
orp3efts3f5z.live	true	Avira URL Cloud: safe	unknown
xj0airqray7d.live	true	Avira URL Cloud: safe	unknown
qxul3spnx991.live	true	Avira URL Cloud: safe	unknown
4vh1mae0a37r.live	true	Avira URL Cloud: safe	unknown
5aphqp78vw8h.live	true	Avira URL Cloud: safe	unknown
r4og0ibkr2i1.live	true	Avira URL Cloud: safe	unknown
kiph911rpr6p.live	true	Avira URL Cloud: safe	unknown
271bk6bm6ek7.live	true	Avira URL Cloud: safe	unknown
nketun9udno5.live	true	Avira URL Cloud: safe	unknown
6mca3un8fmrd.live	true	Avira URL Cloud: safe	unknown
mak2p2u1p6oc.live	true	Avira URL Cloud: safe	unknown
w3d73cw4ayun.live	true	Avira URL Cloud: safe	unknown
ufiiux335dpw.live	true	Avira URL Cloud: safe	unknown
egdk83k09qmr.live	true	Avira URL Cloud: safe	unknown
6lgie8q5pjdc.live	true	Avira URL Cloud: safe	unknown
z7w1125qgaak.live	true	Avira URL Cloud: safe	unknown
zd6j8je6phb4.live	true	Avira URL Cloud: safe	unknown
u1uaoomqywpz.live	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://use.typekit.net/af/a2527e/000000000000000000017704/27/l?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/4b3e87/000000000000000000017706/27/d?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/bxf0ivf.jsn.type	Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/uT	Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/4b3e87/000000000000000000017706/27/a?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/40207f/0000000000000000000176ff/27/a?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/bxf0ivf.js020	Reader_Install_Setup.exe, 00000002.00000002.4171708465.00000000014B4000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/74ffb1/000000000000000000017702/27/	Reader_Install_Setup.exe, 00000002.00000002.4177607787.00000000074B1000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	false	high
https://use.typekit.net/af/eaf09c/000000000000000000017703/27/d?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4171708465.000000000151E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/40207f/0000000000000000000176ff/27/l?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/4b3e87/000000000000000000017706/27/l?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://use.typekit.net/af/a2527e/000000000000000000017704/27/d?primer=0635fba006f1437d962ae878ad04a	Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4178433184.0000000007749000.00000004.00000020.00020000.00000000.sdmp	false	high
https://reactjs.org/link/react-polyfills	Reader_Install_Setup.exe, Reader_Install_Setup.exe, 00000002.00000002.4183756273.00000000093F0000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000003.1749261059.00000000089FB000.00000004.00000020.00020000.00000000.sdmp	false	high
http://typekit.com/eulas/0000000000000000000176ff	Reader_Install_Setup.exe, 00000002.00000002.4178286591.0000000007642000.00000004.00000020.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4185510324.000000000A452000.00000004.00000800.00020000.00000000.sdmp, Reader_Install_Setup.exe, 00000002.00000002.4176100272.00000000048A1000.00000004.00000020.00020000.00000000.sdmp, bxf0ivf[1].js.2.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.153.2	unknown	European Union	57169	EDIS-AS-EUAT	true
45.155.37.158	unknown	Netherlands	395092	SHOCK-1US	true
188.166.15.250	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
45.83.20.213	unknown	Latvia	35913	DEDIPATH-LLCUS	true
46.249.38.179	unknown	Netherlands	57043	HOSTKEY-ASNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560658
Start date and time:	2024-11-22 05:02:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Acrobat_DC_x64_VIP_v10.12.msi
Detection:	MAL
Classification:	mal100.troj.evad.winMSI@6/73@0/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.32.238.192, 23.32.238.210, 2.20.174.133, 23.32.238.235, 23.32.238.211, 192.168.2.4, 3.248.26.100, 54.77.72.255, 54.74.179.44, 23.218.208.137
Excluded domains from analysis (whitelisted): rdc.adobe.io, e4578.dscg.akamaiedge.net, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, a1874.dscg1.akamai.net, fe3cr.delivery.mp.microsoft.com, p.typekit.net-stls-v3.edgesuite.net, ocsp.digicert.com, use-stls.adobe.com.edgesuite.net, ssl-delivery.adobe.com.edgekey.net, geo-dc.adobe.com, dlmping2.adobe.com, a1988.dscg1.akamai.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Acrobat_DC_x64_VIP_v10.12.msi

Simulations

Behavior and APIs

Time	Type	Description
23:04:00	API Interceptor	285x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
188.166.15.250	GkyZlYczv9.dll	Get hash	malicious	BumbleBee	Browse
	ZRemI0ixC6.dll	Get hash	malicious	BumbleBee	Browse
	PWzQpJQHzb.msi	Get hash	malicious	Unknown	Browse
	Q6yuW8YIMR.dll	Get hash	malicious	BumbleBee	Browse
	7rbJdaTZe2.dll	Get hash	malicious	BumbleBee	Browse
	1JYlOOKImO.dll	Get hash	malicious	BumbleBee	Browse
	bGvIeUxVdy.msi	Get hash	malicious	Unknown	Browse
	QsLhL1pw3t.msi	Get hash	malicious	Unknown	Browse
	zoHnNvuTkk.dll	Get hash	malicious	BumbleBee	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDIS-AS-EUAT	otis.exe	Get hash	malicious	Unknown	Browse	192.121.170.106
	ssowoface.dll	Get hash	malicious	Unknown	Browse	192.36.61.122
	ssowoface.dll	Get hash	malicious	Unknown	Browse	192.36.61.122
	msws.msi	Get hash	malicious	ORPCBackdoor	Browse	151.236.9.174
	msws.msi	Get hash	malicious	ORPCBackdoor	Browse	151.236.9.174
	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	192.36.38.33
	987123.exe	Get hash	malicious	LummaC, Eternity Stealer, LummaC Stealer, SmokeLoader, Stealc, zgRAT	Browse	192.36.38.33
	16GAuqLUFK.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc	Browse	192.36.38.33
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	192.36.38.33
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	192.36.38.33
SHOCK-1US	GkyZlYczv9.dll	Get hash	malicious	BumbleBee	Browse	144.208.127.113
	1ZhE3yY8rV.ps1	Get hash	malicious	Unknown	Browse	217.195.153.196
	sd2.ps1	Get hash	malicious	AgentTesla, KoiLoader	Browse	217.195.153.196
	ZRemI0ixC6.dll	Get hash	malicious	BumbleBee	Browse	144.208.127.113
	PWzQpJQHzb.msi	Get hash	malicious	Unknown	Browse	144.208.127.113
	Q6yuW8YIMR.dll	Get hash	malicious	BumbleBee	Browse	144.208.127.113
	7rbJdaTZe2.dll	Get hash	malicious	BumbleBee	Browse	144.208.127.113
	1JYlOOKImO.dll	Get hash	malicious	BumbleBee	Browse	144.208.127.113
	bGvIeUxVdy.msi	Get hash	malicious	Unknown	Browse	144.208.127.113
	QsLhL1pw3t.msi	Get hash	malicious	Unknown	Browse	144.208.127.113
DEDIPATH-LLCUS	Kellyb Timesheet Report.pdf	Get hash	malicious	HTMLPhisher	Browse	185.156.109.33
	https://drive.google.com/file/d/11kk4glvCJRDeJ3XhdemRR_FFW8tGlSei/view?usp=sharing_eip&ts=67364a0b	Get hash	malicious	Unknown	Browse	103.114.163.132
	x86.elf	Get hash	malicious	Unknown	Browse	45.149.222.146
	bin.sh.elf	Get hash	malicious	Mirai	Browse	185.243.57.145
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	193.43.68.31
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	38.143.204.166
	nabarm5.elf	Get hash	malicious	Unknown	Browse	161.8.2.27
	bin.armv7l.elf	Get hash	malicious	Mirai	Browse	84.245.34.238
	12Vjq7Yv2E.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	45.89.110.133
	7WyBcig6e3.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	45.89.110.133
DIGITALOCEAN-ASNUS	http://www.tqltrax.com	Get hash	malicious	Unknown	Browse	206.189.225.178
	https://cabinetstogollc-my.sharepoint.com/:b:/g/personal/store802_cabinetstogo_com/EYepBlB4QExJsG0U-4jKG4ABoZxLg7rdp0_zjjwabbUc1g?e=q4iRIE&com.microsoft.intune.mam.appmdmmgtstate=2&com.microsoft.intune.mam.policysource=2&com.microsoft.intune.mam.identity=mcle%40novozymes.com&com.microsoft.intune.mam.policy=1&com.micro	Get hash	malicious	Unknown	Browse	188.166.2.160
	NEW ORDER- 4788467.exe	Get hash	malicious	Remcos	Browse	206.189.218.238
	mipsel.elf	Get hash	malicious	Gafgyt	Browse	139.59.211.214
	https://msf-update.cloud/?rid=wDbmX0h	Get hash	malicious	Unknown	Browse	162.243.5.136
	https://floreslaherradura.com/?uid=a2FuZGVyc29uQGJxbGF3LmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	167.71.91.68
	https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	Get hash	malicious	Gabagool	Browse	164.90.149.168
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	161.35.223.150
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	95.85.30.215
	dlr.arm7.elf	Get hash	malicious	Unknown	Browse	138.197.188.56

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	8308
Entropy (8bit):	5.625426500002003
Encrypted:	false
SSDEEP:	96:2mrqJeJEtpH8Zei2kaUgTCsTl0UgTCk3XaTlY682KsKwJAzRCrACLp64wIS5bGez:Pr0Y68ZeYtgOIhgOXiTILpY
MD5:	867CF235EAD949A46ED7212D21777E53
SHA1:	B117CF970285449CD5524952AB37151DB510B0F1
SHA-256:	248D1EF1C1420BB9D7E494276C09BCD6A2FEFEB6DC2C783A8DDB36F96F6CD1F2
SHA-512:	01F56139DFA564D8579AE82CB664C10B243D2E406246FB6A6B17C37119FA28A717583A2D0275CDF27B4A9B023E3965F42440B65784B4DFDF2A7DAE41807268B0
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@d.uY.@.....@.....@.....@.....@.....@......&.{DD475EBC-D960-4AF4-BB8A-BE91FA942756}..FWojXRpxua..Acrobat_DC_x64_VIP_v10.12.msi.@.....@.....@.....@........&.{73232F59-F6AA-4764-AEA4-731717E1ED5E}.....@.....@.....@.....@.......@.....@.....@.......@......FWojXRpxua......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{CA18E5D1-6D13-4F6E-8DAC-FB15EF2DFD0D}&.{DD475EBC-D960-4AF4-BB8A-BE91FA942756}.@......&.{55196117-3D71-4100-B339-6770670A36D9}&.{DD475EBC-D960-4AF4-BB8A-BE91FA942756}.@......&.{55196117-3D71-4100-B339-6770670A36D9}&.{00000000-0000-0000-0000-000000000000}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..;.C:\Users\user\AppData\Local\Temp\Package Installation Dir\....S.C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe....I.C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll....Reg

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\close_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2653
Entropy (8bit):	7.647120494009284
Encrypted:	false
SSDEEP:	48:/ccNn2VsrJ3+obhE82UlsP0PFNc7LUZEKlax2rLbbjQDQxm5DVD0UHe:0k2qgafLmIcLaE+acrnQMgFb+
MD5:	ECD545FC4A0E81B5BC0076FC34D49B7A
SHA1:	79C27CFC7054FF4C52D428E63CF91264984FDD89
SHA-256:	B733F9351938AD36C8E733639F581F4BBD70840874E6EF05101F8E1D8CCDBD7F
SHA-512:	EBC6AD8FC54CD5E6EF2143F73D23EED39E23A43007BF3BAEF828F35578836E6F5F859F74B234F667B65F58568FEA817AF124204F746AEEB006BDF396183626D0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...(...(........m....tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)" xmpMM:InstanceID="xmp.iid:BA558B0B5D6B11E48A78D1F371D518A4" xmpMM:DocumentID="xmp.did:BA558B0C5D6B11E48A78D1F371D518A4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BA558B095D6B11E48A78D1F371D518A4" stRef:documentID="xmp.did:BA558B0A5D6B11E48A78D1F371D518A4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx..ml.E..g...IS>T...q.. ..Z..!.hU.F".@ML!1&4....o....!1\|..p...[%D..F..".....Z..'hR...........]{o...

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\gray_button_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 442 x 62, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1747
Entropy (8bit):	7.063636331533908
Encrypted:	false
SSDEEP:	48:4ccvnLEVY0J30MTfY+Nw2CeaEskLNnthkpJp9NSk/:vMUYj+ftNwTGHLNntYvUw
MD5:	E7D16937762F83E1A274AF5C87466DDE
SHA1:	1CEF0A62593619A01B0A35AB353AA9F3336B81EB
SHA-256:	12F303172CD2382BEF4B057233E5E4782EA8E20C979778BB8264AAB458E02B7B
SHA-512:	65070D08BA253905BE0B1B95C9BF196B4CF71BFACE102FC384CCE50527F546D29992C4087E124623F8D043877E78C8FBA4B4718C9FB9AFBC55D0F55E53956E53
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......>.....].......tEXtSoftware.Adobe ImageReadyq.e<...piTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:868482c0-3e81-4d13-b7d0-967d56927215" xmpMM:DocumentID="xmp.did:91F9D87F562B11E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:91F9D87E562B11E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CD78A1A450BD11E4B9B2B51D48DF50D6" stRef:documentID="xmp.did:CD78A1A550BD11E4B9B2B51D48DF50D6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>H79.....IDATx...1K.Q.....`$.......@.$t...E

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\info_icon_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 13 x 13, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1290
Entropy (8bit):	6.799771034908577
Encrypted:	false
SSDEEP:	24:p1hepWwjx82lY2T3UVgWDyJ3VaQG8bqZGl3C2LcAQ3jOMFt:3ccNn2QT+J3jWQ3twim
MD5:	5853F412D28F0CAA8704AA92267398DD
SHA1:	22E0E555BD039F5752E27E195EE5B162E84559BA
SHA-256:	FA043DF1591ED69DACB50CBCD5D38E3EC30B493636CD5F23C38290371BC037D4
SHA-512:	2C27C6454A80662886419070E2228D001B6650A5826CFE2BE8865036563DE425C6CB174F69E668A47A36588176A7E1890B409D7F91B7A04AD4C0C215A6B746E0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............r..\|....tEXtSoftware.Adobe ImageReadyq.e<...&iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 Macintosh" xmpMM:InstanceID="xmp.iid:DBDE1574953611E495AEF9EA3C1F0781" xmpMM:DocumentID="xmp.did:DBDE1575953611E495AEF9EA3C1F0781"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C04B797F953311E495AEF9EA3C1F0781" stRef:documentID="xmp.did:C04B7980953311E495AEF9EA3C1F0781"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..c`...zIDATx.LR;K.A....(..X...&.`..B.D+I....X(.?H.........G Z....m.!MB...F.vo.vo.........sLJIV&....*...K..x.\..1

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 469 x 21, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15306
Entropy (8bit):	1.8694156803319382
Encrypted:	false
SSDEEP:	48:l/6DeilYk29WJsEvkHYal+03r8L5o2k242NxN+Y97sc5ey7HbZdRaDN:lSyoYkEWmFmPDNxNX7sc51HfRaDN
MD5:	BB94A177F10BF764D11F94D24A5DB5AA
SHA1:	6864B58952B19248F4C5EA5C8764C52E207268A7
SHA-256:	CAAFEA31074BA909EC57C9DCDD1B1C0256E5626939CC768B8A041FE42762E230
SHA-512:	D2875EB5AD9FF76FF233ADA04FA77AECDBB0C9A80BCD85B0C50087786B47E97FEEC189D18164E15784CD96850849EE4E1920D7D98157CA7AD317BA03E8C66111
Malicious:	false
Preview:	.PNG........IHDR..............&t.....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:OriginalDocumentID>xmp.did:d310b992-d270-4e81-a192-9dd67f063430</xmpMM:OriginalDocumentID>. <xmpMM:DocumentID>xmp.did:9B19ACF050A311

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 586 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3364
Entropy (8bit):	7.87299365047781
Encrypted:	false
SSDEEP:	48:3/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODRdX/eV0C/:3SDZ/I09Da01l+gmkyTt6Hk8nTr00o
MD5:	5E3F8861E897F1D865A1DCA095AFB15A
SHA1:	39FB6435750370FCF30AFDCEABC840947FCA17A3
SHA-256:	A2C424618DE66C97F91833FE2EDB4BB05E03561E60AC40405771D2DEBB8CCB41
SHA-512:	17F65092D4D98A88D858E1141859773FFD6978E513E0DB728C41AAE1C67436E702CE8D1EFCE04E99DDEEF40CD67E9241AF25856A6F02759C24C1F906AB4F31EC
Malicious:	false
Preview:	.PNG........IHDR...J.........H2sG....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 704 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3562
Entropy (8bit):	7.868968527311014
Encrypted:	false
SSDEEP:	96:RSDZ/I09Da01l+gmkyTt6Hk8nTOYxLGxcVzPIJ:RSDS0tKg9E05TOGLGxcVzPIJ
MD5:	A78E3DD64D86A9B46CCDFF105793DCE6
SHA1:	3FBFA289B12439C85F09E5419B064F151CEC768C
SHA-256:	151DBC44177A314FB720ED909EAD366760B69C69DAF676FEA52248AC7AD71D9A
SHA-512:	15B513572A9AB51FDAC9E6E068E10388499387E789909DFFAFD8AC0C7250DE8BE18D344CFA734C44D7941D01691261FACD0D1A95589E6A2750DE23C569F175EA
Malicious:	false
Preview:	.PNG........IHDR....... ........D....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 938 x 42, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15852
Entropy (8bit):	2.180251018498586
Encrypted:	false
SSDEEP:	48:Lnt/6DeilYk29WJsEvkHYSvl+03r8L6uo2mrxN+Y97sc5ZT7QHuJ21mVwL+zNxSG:ZSyoYkEWmFbxNX7sc55jJ2UVJS/1hm
MD5:	0F78C8C46DAD3F68D060B406AA0BBF1F
SHA1:	036AB74F8CE9D123260CEC6CFF908876CA370128
SHA-256:	C08F7720960B2E21B1F8F106D80BCB1AF7C11433E3B35D7AE2994254A2A2583C
SHA-512:	5639E0753C37D3D7755F7062792E6FEBB8DE2BF045A37D63CEAA01633D8AD235E3DA31B8F8624B49FDE92D5A10B007450EA7BDC10519A75B464073A77221218F
Malicious:	false
Preview:	.PNG........IHDR.......*......$.[....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:OriginalDocumentID>xmp.did:d310b992-d270-4e81-a192-9dd67f063430</xmpMM:OriginalDocumentID>. <xmpMM:DocumentID>xmp.did:9B19ACF450A311

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_darkgray_base_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 469 x 21, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15271
Entropy (8bit):	1.8452160313088866
Encrypted:	false
SSDEEP:	48:l/6DeilYk29WJsEvkHY+ldKb8LVoBd8xN+Y97sc5ey72M+1ZVO73:lSyoYkEWmFvxNX7sc51F+w73
MD5:	E60583E0C49F0D046D2CFEF1179A8390
SHA1:	0B135A9B5145F3CFECE8B1E250374CC36D1062B6
SHA-256:	E90F2CD8CA1D0FEB9A8C73908CA021B085816A9F469C4B4CA07C12F1996C7A59
SHA-512:	A5A4F52243F8E12C83C8B93D38BEF532CE842B33F75C54FC35E37C1BB6B15C035BB926D9FA2BDD200BD13C64AC478983C9D4A64DB1E5B39C347A22104BE338AE
Malicious:	false
Preview:	.PNG........IHDR..............&t.....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:OriginalDocumentID>xmp.did:d310b992-d270-4e81-a192-9dd67f063430</xmpMM:OriginalDocumentID>. <xmpMM:DocumentID>xmp.did:4795134350A411

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_darkgray_base_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 938 x 42, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15718
Entropy (8bit):	2.093683853279598
Encrypted:	false
SSDEEP:	48:Lnt/6DeilYk29WJsEvkHY2c0ldKb8LCcjogERxN+Y97sc5ZT7b55CdptFVCX8PhQ:ZSyoYkEWmFFc/c2xNX7sc55bDChmsQ
MD5:	CD614F26DD67507EF8C17E5A3133A45E
SHA1:	E2561CA51CCA6CAB76C8F5EB0F12ED1F26E52D15
SHA-256:	30558D6E8D8F862D10D1DF81DBB6C54503F3ADE7DD134DC2CE1E3F0AC9C4D0BC
SHA-512:	3581FA40BF869C94AB3BDD7A72476B21B3FE2FE7DBF2D9157086829677471E6C4E7ADF1A647A769A5010505E591A99EE3239587E8D8314CF6E058CFE9A0EAC84
Malicious:	false
Preview:	.PNG........IHDR.......*......$.[....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:OriginalDocumentID>xmp.did:d310b992-d270-4e81-a192-9dd67f063430</xmpMM:OriginalDocumentID>. <xmpMM:DocumentID>xmp.did:4795133F50A411

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 469 x 21, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4006
Entropy (8bit):	7.7061956531048965
Encrypted:	false
SSDEEP:	96:xk2UD9C4cfrisM3CtXOKGKMifbU77frXKtKis:xA9C4JsMaaKMaU7H6Iz
MD5:	864C92E2AD1CCBE672119BFD82DD128F
SHA1:	79F76150628D2775CA0896FAEEE778DA9538533C
SHA-256:	E299AEA7584E17F41D1EE2BAE28F491A26CB7E7D4B95B366D485C300D06D3BAB
SHA-512:	12B968B5BA605D04CC2C967DF12A8D03A73478AE77443CEC20E547C12189E3E661A82E07CD40AB56F3941E37809BC690708C7479F64B9CF0059B820A588F93BA
Malicious:	false
Preview:	.PNG........IHDR..............&t.....tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)" xmpMM:InstanceID="xmp.iid:BE40EF6756F011E49982F9FD4AE2C288" xmpMM:DocumentID="xmp.did:BE40EF6856F011E49982F9FD4AE2C288"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:138771F856F011E49982F9FD4AE2C288" stRef:documentID="xmp.did:BE40EF6656F011E49982F9FD4AE2C288"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>27K.....IDATx..;o\...w..7..K\|.........`()..T.A..@R)....X.L.T*........)..%...\|S9........,a_.B.......3w...-/.

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 586 x 26, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	17542
Entropy (8bit):	7.948114370250419
Encrypted:	false
SSDEEP:	384:iJXE05JIf/2oqt5dWebFm6rCvQbJ+6Xi3E8ueIuE+x1Fmz:S35JIfeh5d9hC6+h3EOZmz
MD5:	566E1E4BC5914CDC4AADAB38A9C637BA
SHA1:	09462221E91CE30669AB09FDD613D16E3906A8CD
SHA-256:	2B268037A8D69346D4FE413D19874DA3C91260B265357129EB8310CB1A0E6401
SHA-512:	4D88028503B851897608745E9D85B6B96B32701FE9FF8E5A9825100235A62D85F7C35379AE6AD6696DF93842C6676DF70010A96CD94FC7A5C79C9F79C3169FE4
Malicious:	false
Preview:	.PNG........IHDR...J.........H2sG....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 704 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	19025
Entropy (8bit):	7.953390283515495
Encrypted:	false
SSDEEP:	384:4JXE054wd0iiQWVm6Dra/Dx0oabj8BzAYa0oEAXpPwRZMN5/Tk/i+:E354wd0iGQkaLx0hbj8Dyp4RS5LN+
MD5:	8125AE6D5A5FB78C5B13C84A221AC120
SHA1:	C08EF525B815E282DEE44CBB809E1EEDD09BFF3A
SHA-256:	7817B734D26F6C3EA8E1C22E1DEDE8BE8C7F711C1924D2B3BA2AE5346C7F526D
SHA-512:	BF11C87713314A6732A2CD00E137078A28AE827EAF1128817D4CB7BD2836930050ED3355BF3AF7979E8199DAB62EAD311314F831B85857CB4EDC8C39A25DF5B7
Malicious:	false
Preview:	.PNG........IHDR....... ........D....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 938 x 42, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	8079
Entropy (8bit):	7.832542660896185
Encrypted:	false
SSDEEP:	192:V9Re03MEaczLw7jZe290sKruwPVSclaAlf+RCAaWY:nRNMBJ7jZe2hKrusVM3CA1Y
MD5:	CB231F0311D26F6EC4FAA626F826F14B
SHA1:	90731FAF98307EACE4CA024E43CF912BBC461864
SHA-256:	0AF4A194FBC1A6E78552F299348F0D60D5B2B9AB014E41A56E57D46AB18DC889
SHA-512:	5FBA8C6D81063D9A8229F4D9DACACF1671A052F6DDC8B08F324E42895F4D760217788873685C86AED7E1DFFBE88EC151CC76895CBBBE499FF6B416D3088B0246
Malicious:	false
Preview:	.PNG........IHDR.......*......$.[....tEXtSoftware.Adobe ImageReadyq.e<...(iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)" xmpMM:InstanceID="xmp.iid:BE40EF6B56F011E49982F9FD4AE2C288" xmpMM:DocumentID="xmp.did:BE40EF6C56F011E49982F9FD4AE2C288"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BE40EF6956F011E49982F9FD4AE2C288" stRef:documentID="xmp.did:BE40EF6A56F011E49982F9FD4AE2C288"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>...@....IDATx....ez........ff.+..Y$..M$$"1.L6......D..d...".X3.."..,.HF...."....".E2`\|i..v.ovw.8...}.m.z.O

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_caution_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 24 x 21, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15685
Entropy (8bit):	2.1042569927335855
Encrypted:	false
SSDEEP:	96:XSDoYkEWmadf6xNX7sc5otTxXkdE4ypXYt:XSDrk6adfoGxUWzXYt
MD5:	784ABEA138D9F1E5A1026162AF5BF2CD
SHA1:	111F835763A39EC7B8F697B1D90B22BFD3666A57
SHA-256:	5C7B6B5456CAABC9D5A928AC892D9903836693960517C4E534A5DE1ACD6AE428
SHA-512:	01BE96B4A05768641113679E96778B44A2EA22EE127349DEAC80A90BF5540518FF352054884AC51A3719A882BE1676C85515EFC66D8641F3F0E82336366CB612
Malicious:	false
Preview:	.PNG........IHDR.............\..&....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:DocumentID>xmp.did:EA6FFBE8583611E48B3EF836581BB4DA</xmpMM:DocumentID>. <xmpMM:InstanceID>xmp.iid:282ff2f8-5a68-4a52-b1dc-91de0f2f07

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_caution_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 30 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3838
Entropy (8bit):	7.91008458008801
Encrypted:	false
SSDEEP:	96:ySDZ/I09Da01l+gmkyTt6Hk8nTvxTQrgyZt:ySDS0tKg9E05TvlQ8yZt
MD5:	4A2BF8C96F910B1B2AE63A9F4A0D4B8F
SHA1:	D1665DF62B650FEB01035D5123D0BFC8EA75742C
SHA-256:	0CB2F4EE1C451A8825EB8EDB45858B28345F73423C7A7AEF4168C46F7E3638BF
SHA-512:	6E894AAB6239D6EC66E79EC156BC79AE12AC2D9DD877D00CEF760F9F278C99F0CB9816E64B6358206A8D2087DFA05B75DE7ACDB2AFD1563608298F645E32867C
Malicious:	false
Preview:	.PNG........IHDR.............k.?.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_caution_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 36 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3942
Entropy (8bit):	7.915201742478639
Encrypted:	false
SSDEEP:	96:GSDZ/I09Da01l+gmkyTt6Hk8nTN7L3bPDoifR7b:GSDS0tKg9E05TpPsSb
MD5:	CA3872EAE64C5BFD8D41198990B11950
SHA1:	97221D798EF24E4B3384B254B17B7561901A9304
SHA-256:	3438623C461F8F141976A931D3C00F6877D07CF4A8B534AF1EF9FDFE8B0C6174
SHA-512:	1863BB97606D6157A98CEAAD6D043428913952B86D6B2C9B0C7AA85148DD40483CDC0D3BF430C681249652F1F8D785F23392829C700F862C89435F10046F9C20
Malicious:	false
Preview:	.PNG........IHDR...$... .....z......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_caution_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 48 x 42, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	16468
Entropy (8bit):	2.5316051074868398
Encrypted:	false
SSDEEP:	96:pSDoYkEWmK9p4xNX7sc5p/zWrDHtfQ5i8D74W:pSDrk6qs/YDHt45i8D7z
MD5:	3683A511B9DBA974CD9F36A6B023E423
SHA1:	2E5B6B0F66094A5692F53E6DF055B2889AAE709E
SHA-256:	210F1B214ECCDE9E148072A10FC0E263FE6A443341BE4DC9630C47BC84796101
SHA-512:	2D010284ECEDD131F1A07E1A34A3C882B0A342EDF794355AC531592AA34CBB19B4792C7DFE489F5F341A91CEAC1F187C824010CC8340F2959EF0F76D1D88C274
Malicious:	false
Preview:	.PNG........IHDR...0...*......O.z....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:DocumentID>xmp.did:F64702B9583611E48199864854E8DF1F</xmpMM:DocumentID>. <xmpMM:InstanceID>xmp.iid:19e2d7fb-cbd8-4318-85de-a4692cc16e

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_check_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 24 x 21, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	6.743983154707753
Encrypted:	false
SSDEEP:	24:G1hepWwh82lYSKwx2fSVhCtT3JryJ3V0emG66dMYOF0aK3Uk+4c1mjmD/Bn5R:MccvnLHqrk0J3+r1jcUk+4+TD/95R
MD5:	74172250EC6AA49412189DBC0C1ED6E2
SHA1:	AB844088660A6ED32A6274C06CC05D659FEB1EAD
SHA-256:	B7771AC44AB547A772787C6DB58AFCAB0E603E8F9127F3A486A7792EE3E04A90
SHA-512:	ACC43D5A267754E2C971C2A14A1392F8936D5E87BDB4D5A41D57F87783AC31DB30D7D6FD0820ADF568FD28CA001E9A0869AC0118A5DDACB746378CF35388C979
Malicious:	false
Preview:	.PNG........IHDR.............\..&....tEXtSoftware.Adobe ImageReadyq.e<...piTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:A221B57F583611E4A24EEB6D32DEE939" xmpMM:DocumentID="xmp.did:1EB36218562B11E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:1EB36217562B11E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:385c59cf-353e-4037-b78d-79b10c708ef3" stRef:documentID="xmp.did:A221B57F583611E4A24EEB6D32DEE939"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.d.$....IDATx.b...?.-........o..2....d....

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_check_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 30 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3270
Entropy (8bit):	7.889166904606499
Encrypted:	false
SSDEEP:	96:ySDZ/I09Da01l+gmkyTt6Hk8nTyHtne3Ws:ySDS0tKg9E05TyZs
MD5:	CD14309BBB8F5AD698E3196BBFCA88B6
SHA1:	77ABAE837386F0BCE173F86156AE02FE62255876
SHA-256:	CF9AF9956E356D637E43A0B82C9328B13764ECD0BB3E3686A08AA2C2640A6C8B
SHA-512:	5F863CF9B696504E0193C56BBBBED240E2D6BD782BB15391B2EAE7B8137B12BBB9818966F8AC6048C1C490056C660D95AD16541C57492DC997B85BA459392634
Malicious:	false
Preview:	.PNG........IHDR.............k.?.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_check_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 36 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3424
Entropy (8bit):	7.89764633408354
Encrypted:	false
SSDEEP:	96:GSDZ/I09Da01l+gmkyTt6Hk8nTirbKMa7pJdD:GSDS0tKg9E05TcteR
MD5:	AA02AB840568AD99107CDECE6621C3AC
SHA1:	5813000FF1348CF78C41E0B0B90387EF7FF8A83B
SHA-256:	8743B4FEBE9F3C99E1C5B647255E6367DDAC8580E1388FEAF78E0BC84FBB1776
SHA-512:	F3938E87EAA095EC69D814514176559C2B153C75802C12ADDDDBAEC67D476AEB6A6FD2066BE536265B28C36C8C0B5BFF940205F96C898861739D4E2EFF86A029
Malicious:	false
Preview:	.PNG........IHDR...$... .....z......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_check_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 48 x 42, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3671
Entropy (8bit):	7.905884132187789
Encrypted:	false
SSDEEP:	48:p/6DocieftI9G9f6A+FIDOWu0lDl+gm7QyTtctIInQSy6IVpqlnBcODnyDQqkHjz:pSDZ/I09Da01l+gmkyTt6Hk8nTnythI
MD5:	1B00A6BCC425DBD0ACB92E3664488B0D
SHA1:	BBD3CF9F25ADD0D1386A5AE18823FD0F880B11BA
SHA-256:	48BEE3671DED91AEE651F5CAC0CBEFD83D760F02EFD376F77364C238F1B14389
SHA-512:	2CF00A629C540483D182B4E73140182A2CA0402FC296705A80A46BA0A8DB2F6D5A34067AE69331218D871288D6EAE8EE3D5AC740568A6A2C536510C32FE65AE8
Malicious:	false
Preview:	.PNG........IHDR...0.........O.z....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_x_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 24 x 21, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1313
Entropy (8bit):	6.639591320735671
Encrypted:	false
SSDEEP:	24:G1hepWwh82lYSKwKQFDfSVVtT3JryJ3VJ4kKQKGySGk2V5ZmvMwrtDZbM:MccvnLXd0J34Hs4vZmJrtDJM
MD5:	BD94C635B00CC2EA4872591AE3DAC517
SHA1:	BEE4E084C00B4366D950D6411836FDFBE8429940
SHA-256:	AACA1B27A5186DF31E60AB0BCFE35D411E03FD7CD069FAFB92314947FD92F256
SHA-512:	DCCFFFF2EC7F6A42DA6D8366A7B3021DF114E66D00183FCBD1DB0EBD99DCF0605F10BA5733D2E449DDA0D6395931BCAC0FEBAE27C2FC2F9C1089F1F941D2E89C
Malicious:	false
Preview:	.PNG........IHDR.............\..&....tEXtSoftware.Adobe ImageReadyq.e<...piTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:BD5CA0B1583611E4AF4082BD038A9F50" xmpMM:DocumentID="xmp.did:45DBC055562A11E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:45DBC054562A11E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:c6a04b65-591f-4d99-94f7-102af1675f50" stRef:documentID="xmp.did:BD5CA0B1583611E4AF4082BD038A9F50"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>X..Z...GIDATx.b...?.-...#..FFF.7.j.@.F ~.

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_x_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 30 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3356
Entropy (8bit):	7.899201293051617
Encrypted:	false
SSDEEP:	96:ySDZ/I09Da01l+gmkyTt6Hk8nT8a3vpTiM:ySDS0tKg9E05T8a3vEM
MD5:	B33C312C95B36E4A3B0F4984B9FE09F2
SHA1:	D41E2580ED7A0722E9941565F578EB05FE8DFAFA
SHA-256:	BA0D355243271CB79F5E3EAA3BCAA8BF9169C2E5B0B8E98C6E8418CF6F15AB9D
SHA-512:	CC3402171F5329C9B89385500CA35EF8DBF17BF01B2A6DF006D404CFCD4533166A8F856F9DE3E21CBFF771143A5029F5922FA13EFC4DC15B922C80BD24DF1AAF
Malicious:	false
Preview:	.PNG........IHDR.............k.?.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_x_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 36 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3365
Entropy (8bit):	7.901512383605323
Encrypted:	false
SSDEEP:	96:GSDZ/I09Da01l+gmkyTt6Hk8nTgLQqSfKe:GSDS0tKg9E05TgL6Ke
MD5:	5CC222F110ED5839F910FBBA15F35368
SHA1:	9E99B854069795EFFDD033049CB93F9E431CC98F
SHA-256:	EEE6E710161A3AA8488FB4C1F118B43FA5C377ECDEDFFAAE78A81865F16CF288
SHA-512:	EFDBAD80A13988170B67E72D75AE444482A5CCDC16E23001CFCBC2C11FB127B953D2641621F0FC5964B9881AB2D0EF507E4131C433F90A08C110E810B8BFA112
Malicious:	false
Preview:	.PNG........IHDR...$... .....z......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_x_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 48 x 42, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1684
Entropy (8bit):	7.08618077937191
Encrypted:	false
SSDEEP:	24:g1hepWwh82lYSKwKQFgSVRtT3JryJ3VJ4kKQKGubbZAqHjWKC6/dRv3ioRPBdQBD:+ccvnLs50J34H9bfiohhQBNuA
MD5:	8E680B8EF37CFFCE4A9CD767D343A175
SHA1:	6EF6922007DEA53DD42D010C6DF6860527C703EC
SHA-256:	6B9CAE182EC085BD8CC7D52DE0FD175CE7CB0186119C8E6E85230FCF9D10E318
SHA-512:	0129FD9615655AF3174EADBD11B6C19F3FEA40B3E362F16B18C3A5EDE0E3F57457C53B0A3CAFEE4F3827E6CE6308BD328BD42389EB9CFE27A6BEB28D1A5FEA51
Malicious:	false
Preview:	.PNG........IHDR...0...*......O.z....tEXtSoftware.Adobe ImageReadyq.e<...piTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:BD5CA0B1583611E4AF4082BD038A9F50" xmpMM:DocumentID="xmp.did:1EB36214562B11E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:45DBC058562A11E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:c6a04b65-591f-4d99-94f7-102af1675f50" stRef:documentID="xmp.did:BD5CA0B1583611E4AF4082BD038A9F50"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.e.Q....IDATx...k.A..gC..P/...M..". ..."

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\transparent.gif

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.0314906788435274
Encrypted:	false
SSDEEP:	3:CUkwltxlHh/:P/
MD5:	325472601571F31E1BF00674C368D335
SHA1:	2DAEAA8B5F19F0BC209D976C02BD6ACB51B00B0A
SHA-256:	B1442E85B03BDCAF66DC58C7ABB98745DD2687D86350BE9A298A1D9382AC849B
SHA-512:	717EA0FF7F3F624C268ECCB244E24EC1305AB21557ABB3D6F1A7E183FF68A2D28F13D1D2AF926C9EF6D1FB16DD8CBE34CD98CACF79091DDDC7874DCEE21ECFDC
Malicious:	false
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\warning_icon_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 76 x 66, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	17247
Entropy (8bit):	2.887938120045245
Encrypted:	false
SSDEEP:	96:ySDoYkEWmENcxNX7sc5gojgiitBvkkrXa3dIFPDob5sT1hPutlb:ySDrk62CRjkjrK3SPDui1c
MD5:	7395444416AB7A3D5A196E2F46269AFF
SHA1:	5CC1B423AA9AE9C9006FD64050A7D75260E76FD0
SHA-256:	59BC5272A4A2940EF7AAD07C960200135DD9909B3150C3322F0E62C1E40709B6
SHA-512:	55BCEE0E633EA8793A47B2D84D6E0420B664A0762C65D6D0ABD3D9286A74A94F470E383E637712EC9E0F973DD22EA7257C74A899FD74EBE454F30872547C13DB
Malicious:	false
Preview:	.PNG........IHDR...L...B.......0[....pHYs...............9.iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/". xmlns:tiff="http://ns.adobe.com/tiff/1.0/". xmlns:exif="http://ns.adobe.com/exif/1.0/">. <xmpMM:OriginalDocumentID>xmp.did:2BF1BFAD2BD911E49916CB7D9A165688</xmpMM:OriginalDocumentID>. <xmpMM:DocumentID>xmp.did:7BB8A9BE583711E498

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 202 x 41, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1465
Entropy (8bit):	6.904092804952445
Encrypted:	false
SSDEEP:	24:Yw1hepWwh82lYSKwT3cSVFctT3UyJ3VHmyLGSOKsQ1DR2t3mRmQeO:PccvnLydrmLJ35vLGqR2ZVO
MD5:	75F7FA789C4322D218C258859275E6A0
SHA1:	E788FC36747D28FB39891779FD9204AD24AFA977
SHA-256:	F85D45BBDB7B50784D1920270D4EDC1398F59DB6B2385BDAE999F5A4B7D0B65E
SHA-512:	7E3FFF74720840506019C3C4294D2BF493C9B64699F99C5CDC5F94557EBE6DAA62DC143C96F97A549A7731D17F7C47C6B7FE7D348EBA9E4B84836E9861DB0A21
Malicious:	false
Preview:	.PNG........IHDR.......).....t.......tEXtSoftware.Adobe ImageReadyq.e<...kiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d310b992-d270-4e81-a192-9dd67f063430" xmpMM:DocumentID="xmp.did:6505BAB3562211E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:6505BAB2562211E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:683DC7D2583811E49348A22987B030AD" stRef:documentID="xmp.did:683DC7D3583811E49348A22987B030AD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx...J.A....q..WA$.J#.FP....bga...

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 253 x 51, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3825
Entropy (8bit):	7.899828298029405
Encrypted:	false
SSDEEP:	96:GVSDZ/I09Da01l+gmkyTt6Hk8nTXF62en2u7fzj:GVSDS0tKg9E05TX02en2kH
MD5:	37CD17C8DB198EB4D52395A29DD578D3
SHA1:	64D2FDA1B06B6BEABA8280CFBA70704ADA45704E
SHA-256:	BB6A3E1DD1C5F113FC353C1820B404FCDD3AD705C0D0FEBF8A10D3618C4CF226
SHA-512:	BD28CDDE100FC6FAF2FF487C8EA9FC77B60FFB864CF50F26DC0F796D00D1824B253D230766CA61D8A17801E81D6B5783C3A7C1C084EEF9EF4B41A39ABBCE5BC5
Malicious:	false
Preview:	.PNG........IHDR.......3.....\..8....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 303 x 64, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4072
Entropy (8bit):	7.892738630774733
Encrypted:	false
SSDEEP:	96:ESSDZ/I09Da01l+gmkyTt6Hk8nThUw0Gcly:ESSDS0tKg9E05ThUw01ly
MD5:	5927724DA5CADF0E47941A63F15E6317
SHA1:	BB829E636D66D39C1DDDAAAA7888208288E60C99
SHA-256:	EBE49CCCE22216C64235DE639DFE6027E91346DF06B0D87FCE40D517E78C3E02
SHA-512:	E670D2218668048B3743056AEB3EB811F59201E37A4B9F323E475C14665B479D98C8F09B99DD9342CB7F4A3DB8CDACB72F4169B4E20BB71CEA8A88979EEBBB84
Malicious:	false
Preview:	.PNG........IHDR.../...@.....K.......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 404 x 82, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1974
Entropy (8bit):	7.23321888926861
Encrypted:	false
SSDEEP:	48:4cccvnLmdh9mLJ35vLbYcnLgC8hMsjkXzEHQslHiz:4bM1jbYugfhf1cz
MD5:	3CC66D6F10C087608BD2F42109C31E5C
SHA1:	FECEB483410580219C41347EB652C70AB42F589C
SHA-256:	411958454CC7B99DE0C5B4B03DFB232BAFD9A4C1C0B078791EB2C6AE24B1B088
SHA-512:	F17DBD0BCCFC0CF52793C1FC81014E36E7FD0C2C86CEDFE0131E3E5A719FB547742279C03D309DA3414BC3E502BE7CDA71CE0069F9B85762C42C9834604D1EFD
Malicious:	false
Preview:	.PNG........IHDR.......R.....s.".....tEXtSoftware.Adobe ImageReadyq.e<...kiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d310b992-d270-4e81-a192-9dd67f063430" xmpMM:DocumentID="xmp.did:6505BAB7562211E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:6505BAB6562211E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:683DC7D2583811E49348A22987B030AD" stRef:documentID="xmp.did:683DC7D3583811E49348A22987B030AD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?><.1....IDATx...MoTe...w.E.c-.....8@b`..m7l..F

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_mini_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 114 x 20, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1265
Entropy (8bit):	6.514955455049238
Encrypted:	false
SSDEEP:	24:o1hepWwh82lYSKwTXteSVUGtT3JryJ3V+Td6aBAYGzZpdyaEt8oDf:mccvnLA70J3ydEYePd1EtN
MD5:	6EB683E95CD60BB514B2BC7C636B64EB
SHA1:	BF7C964F94C3114CF746410159F0511C0B91BE08
SHA-256:	EABE78CA6F8CFBB6E7D53FD04DBFFAA9D9FBD6949AB2141713A24B58EFAC30A7
SHA-512:	852015492F896487BFC146182D9946035E785725EC104467DE98B7BFBF26715AA297470573A4A93ACC425FB93CC0B0C4DA8F154500D2B3C9E1DC01B519F95EC4
Malicious:	false
Preview:	.PNG........IHDR...r.........Qpi:....tEXtSoftware.Adobe ImageReadyq.e<...tiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d310b992-d270-4e81-a192-9dd67f063430" xmpMM:DocumentID="xmp.did:CFA096EA562911E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:CFA096E9562911E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e30d50b9-c156-4001-8a22-fde2496e8f6a" stRef:documentID="xmp.did:8F6F774E583811E4A679D6C85F0991F3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..(.....IDATx..Aj.@....A]..ERA..1r..

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_mini_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 143 x 25, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3360
Entropy (8bit):	7.8900672229753885
Encrypted:	false
SSDEEP:	96:xSDZ/I09Da01l+gmkyTt6Hk8nTPlR9r5h1:xSDS0tKg9E05TPlP1
MD5:	13EDCA9A9A75F8CC9AE24A9DAA61C478
SHA1:	EB5B1D3CDAF35BA32B4D5005F30DE6F7944410A4
SHA-256:	1CC5C7A5D650CBC028B38CF50EBB4A72EE807E3BA7F26941DF0F6A10E776CF95
SHA-512:	39D77B7DBDECC129A2622C9ABA855E2AC24B4F1E3F117705F4C8A0E7BBB2CC8E3228AA69B5ED29D732AD466685460A232236D7DF680AAE497123A8C67CB771FC
Malicious:	false
Preview:	.PNG........IHDR..............\}.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_mini_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 171 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3495
Entropy (8bit):	7.89343889560188
Encrypted:	false
SSDEEP:	96:BSDZ/I09Da01l+gmkyTt6Hk8nTvDeQN/zt:BSDS0tKg9E05TvDeQN/zt
MD5:	18DC81914DD758BFDA5C8C7453B5F692
SHA1:	1BC05BAF1DD0CF9B5C4153804237AEC8461A3753
SHA-256:	60A7FEF3552E22A4AE610F9001C0A3BAD4DD3D6F7D2A8B18F190F91513D7A6B6
SHA-512:	F9912153C5E8D77D983C71A99C6263D788AD26B4FB4F8B4E03F7EC79FDBFE9BF2F0B436963960343EDCD1B6E819F571BD72E67A132A678FC437AA927C88E09D3
Malicious:	false
Preview:	.PNG........IHDR.............S.......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_mini_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 228 x 40, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1540
Entropy (8bit):	6.953620509090344
Encrypted:	false
SSDEEP:	24:F1hepWwh82lYSKwTXtySVU/tT3JryJ3V+Td6aBAYGCOk4qbxclLzXH9ARLaFc+/t:rccvnLMW0J3ydEY4gGl/dAReFpBdEO
MD5:	1BF8E27E0893ADBD55BA53DF8DC54B9A
SHA1:	DE6B1E5387476A4174193C0FDF87DAE539C31688
SHA-256:	65EF4CB1B2E87057569616F96FF909A8E31DC468319A1C03B61F2560B7F9631A
SHA-512:	C7C710EDA324E31D4E2A0C323C31F9B2E3725265B63E13DDF6382BB7C0AF4504B93F20B39088ED510D2D2BA6829D14116D6A7215ECC3F98E4C1A773DFB36E394
Malicious:	false
Preview:	.PNG........IHDR.......(......}VB....tEXtSoftware.Adobe ImageReadyq.e<...tiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d310b992-d270-4e81-a192-9dd67f063430" xmpMM:DocumentID="xmp.did:CFA096EE562911E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:CFA096ED562911E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:e30d50b9-c156-4001-8a22-fde2496e8f6a" stRef:documentID="xmp.did:8F6F774E583811E4A679D6C85F0991F3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>x......&IDATx...OK"a.......%.R...;....

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_short_100.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 122 x 41, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1444
Entropy (8bit):	6.84914262697585
Encrypted:	false
SSDEEP:	24:61hepWwh82lYSKwTXtASVUDtT3JryJ3V/snhSGTndQaiOzzE5We2C0Di3InHPl0g:YccvnL2e0J3rEndQaFz2WedB4HdN
MD5:	45B41112162E9B633E54D315A182983F
SHA1:	7AB62C3D0812305DA419FAD34F3A3E7EEADFC572
SHA-256:	EB2ACBBDA0DA676B8E12AF944DB41F916380F7EAF70818FD70626D3D6B1564C2
SHA-512:	1C4649B53ACF2BC9015F56E4EC650D112803E2088E1438C59791788958521F45946C1B74FEEA335FC181A326EE29369FF937B2A71891C181D6836ECA829B1C18
Malicious:	false
Preview:	.PNG........IHDR...z...)......C=.....tEXtSoftware.Adobe ImageReadyq.e<...tiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d310b992-d270-4e81-a192-9dd67f063430" xmpMM:DocumentID="xmp.did:CFA096F2562911E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:CFA096F1562911E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:d99b3e1d-1bc8-4b70-9ba7-bd9ea50b9821" stRef:documentID="xmp.did:D2A0077F583711E4A1D0D2EB38AA961A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.t_5....IDATx..AK.A..gf'.......3.K`..

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_short_125.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 153 x 51, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3785
Entropy (8bit):	7.909192793023571
Encrypted:	false
SSDEEP:	96:ISDZ/I09Da01l+gmkyTt6Hk8nTMGC/S+bduWnNK:ISDS0tKg9E05TMGC/SCuJ
MD5:	80E0C0646B0E68900A5917908E00A1DC
SHA1:	A1595BF04F137CBC9C59534AC4AD89ED426099E1
SHA-256:	803012ADAB2ECC8BF5A415A1CD0B3275DC111102E8079996AAE15252E5465883
SHA-512:	30FD15CAD438151843E7A9AC4F93580FBB107F3513E40E42BE8A538BB5626DA53513201D42CBF9B2CCFC6761EF4B3E87D3298968C82429F0ACB28DB3BAE84D75
Malicious:	false
Preview:	.PNG........IHDR.......3.......2....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_short_150.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 183 x 62, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3954
Entropy (8bit):	7.911174881926204
Encrypted:	false
SSDEEP:	96:79SDZ/I09Da01l+gmkyTt6Hk8nTeeh4UEJZ9nJvm:BSDS0tKg9E05TeC4UG9nJ+
MD5:	793051F2B56DBAB490F90D882D0E0564
SHA1:	A4EA713715FED209E236901479C7CFCEC2EE8EAA
SHA-256:	9EFCA08473FC2478111C4B55EF97611F95435CE0BDADE9C80247EEFA2AA9E363
SHA-512:	22D3A9A832A3857244388E02C64C61DAEE8B064157C50335D41C8E65696516A513CFA50C40649CE07202A82DDA3F4845E21E6EA36222FFA4AF1C73A5AE583987
Malicious:	false
Preview:	.PNG........IHDR.......>.....i......pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\yellow_button_short_200.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	PNG image data, 244 x 82, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1887
Entropy (8bit):	7.215984262146164
Encrypted:	false
SSDEEP:	48:zzrccvnL3tf0J3r0ZwSgxn+URFIlfJbUzvjIe:4MNqJ5xn+llhYzrN
MD5:	E34E6D888B89626B6932BEFF5DF5306A
SHA1:	2DF20A1C6D917C13E9373690B8645674224600FF
SHA-256:	A93CA7125EBAE14039AAF0A771D489D17D6C20BB2D2B1E1B8B489496415CBCA9
SHA-512:	318DE9554148FAA225018A0A2D176F26EB4DA6F3F500AC00408E573C7DCEE025A479EA4C67EF7E1011EB4DB526AEFCB15D79672BE65D03EAFCABF1877FE3F26B
Malicious:	false
Preview:	.PNG........IHDR.......R.....cj......tEXtSoftware.Adobe ImageReadyq.e<...tiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:d310b992-d270-4e81-a192-9dd67f063430" xmpMM:DocumentID="xmp.did:45DBC051562A11E494A1902F47C3AA34" xmpMM:InstanceID="xmp.iid:45DBC050562A11E494A1902F47C3AA34" xmp:CreatorTool="Adobe Photoshop CC 2014 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:d99b3e1d-1bc8-4b70-9ba7-bd9ea50b9821" stRef:documentID="xmp.did:D2A0077F583711E4A1D0D2EB38AA961A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.D.=....IDATx....o.u...O.vLV.H'.).b...

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\160[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1369
Entropy (8bit):	5.042349729995224
Encrypted:	false
SSDEEP:	24:OPH/wMz8MespW0mWUvF0k6aM94NaM94SKCBMazEJMThHyaPqAVg7vVsI6:OXntkRWmFC9u9sCaazECFHyafVFH
MD5:	AB2A2BC6C53F862BA5018B7A6EA76C08
SHA1:	3BF47FD954DC9DCE93DA87B0EA42F78488646A4E
SHA-256:	240B1B561A404C5309587A17F3B0FBFF6ACEE2E816D565BDE1999C60CB00FC1F
SHA-512:	78180D38566AF52FB74B71AB9BE9009E4A75B36C6D27056C851849B7077CD1F8C0500F1178FBFE3CDFAE590B9A9A6DDAB812E460971D03F0127C01E09648AF03
Malicious:	false
Preview:	.<!doctype html>..<html lang="en" style="font-size:3.26vh">..<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=Edge">.. <script src="https://use.typekit.net/bxf0ivf.js" type="text/javascript"></script>.. <script type="text/javascript">try { Typekit.load(); } catch (e) {}</script>.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>ADM</title>.. <style>.. body {.. margin: 0px;.. background-color: #ffffff;.. -webkit-tap-highlight-color: rgba(0,0,0,0);.. font-style: normal;.. border-top:1px solid #c7c6c7;.. }.. </style>.. <script>.. function onLoadComplete() {.. function messageFromNative(message, jsonDataString) {.. window.messageFromNative(message, jsonDataString).. }.. window.sendMessageToNative("documentReady", "").. }.. </script>.. <script defer="defer" src="../SC

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\d[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Web Open Font Format, CFF, length 40156, version 0.0
Category:	dropped
Size (bytes):	40156
Entropy (8bit):	7.99077330546425
Encrypted:	true
SSDEEP:	768:zqK4oMIHg6OWlw62kItML9n0TM+rMiVIoZSruxA443l0PPv:zf45IAFemML9n0TfVIeauxB43l03v
MD5:	83E5380B9DC2077B664E383CF6FCF47E
SHA1:	D8AE10285EADED477A647A39293E9294958C0572
SHA-256:	741A4BC7D04FC8385F9A1DB0CCC586A224F14233B08D764D37EA165163A247A0
SHA-512:	8EB2833ABC2C13491D2BD30B962A41457AEEA3F5C782108E6319B0ABDE0C97AA3B347D57E8A031DBC5B4BCF5DB3729D68D6F2A098E182BD5C62E761A1476B313
Malicious:	false
Preview:	wOFFOTTO...........l........................BASE...D...F...Fe!].CFF ...8..v.....Q<..DYNA..zD........d...GDYN..{@.......Q.ow#GPOS..\|`...z..7LUd..OS/2.......Y...`].y.cmap................gasp................head.......5...6..%ghhea.......!...$....hmtx............h8+.maxp...0.........0P.name............E..post........... ...2..............ideoromn..DFLT..cyrl..grek..latn...................Y..............x.c`d```5...5...+.3.......P/....??...[.....L Q.b..n...x...n.@.....!.V,.@.cGV.FB$m..j.H..6N<i..`O#...@..X.$<......#g........x....^}.-.x.S..t1.\|......,=.b...............S.J\|...e..s.O......;.]j>z>D.\|.\|.W...1...R.b.....}muQ..ra...R.3)Fy......T..1...s..c.g...d8..O....'M......FW...-...X..+c...H....t..].\|=.e"..R........o.fm.......:T.^Q..z...c(.S..........a..w.KN{.l...M]..tu9...k.b.L.N...v...Y..R.[0....1...C*/..8.^...GM..r....jvfx..<.o..t.P.....=Kv-.kr..n.....5.%.9].>q......f:.3<C.e9.-5.:Yz4O....:e....+b.}.oS..1x.c`f.........).....B3.1.1..E.9..XX..X......P........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\d[2]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Web Open Font Format, CFF, length 39564, version 0.0
Category:	dropped
Size (bytes):	39564
Entropy (8bit):	7.989107484119666
Encrypted:	false
SSDEEP:	768:cyVNSFlHRrs14+NsyQTfaVEAiYgPA9eFXPi37iRX3+qqVFtZN7Pv:XSFlKTcfaVaYgweFXPiLknHqXtDv
MD5:	A870EE6A735514C321010F19CE3644D7
SHA1:	59FE54D58D3C53AF232A98A6EFA98170ECCEDD20
SHA-256:	79E3A4E2C2274ACD602155924DC8C0B7C3AFDCD40450B2DFEDA302AD8E140649
SHA-512:	B0AEBF67D8989C8F794592A892997C2372FEA9D0076E6EFAD032DD643FB5BB23C730A7EF1FF14807A52DB058E68D9094D8EE713DD2EB82E2676E90430BE29F1C
Malicious:	false
Preview:	wOFFOTTO........... ........................BASE...D...F...Fe(].CFF ...@..sm.....m..DYNA..w.........c...GDYN..x...."...Q.y.GPOS..y.......7vo...OS/2.......Y...`[.t.cmap................gasp................head.......4...6..%`hhea.......!...$....hmtx............9!2.maxp...8.........0P.name.............8I.post...p....... ...2..............ideoromn..DFLT..cyrl..grek..latn...................`..............x.c`d```5.J}..5...+.3........P..?.?....1 ....$..fn.Rx..An.@....I..jo0.>...!..$H........`a{.=Ab.u.]...B..E..T..<...Y....3.{o....._.....k....x......c.Mj.......f~..B......9...s..A.V......g.Mj.{>F...\|..0.[.5>=.P..1X....}iuV..\|n..)b..R..TL...b.K].X.R...M..!..H...?....N...N...p..x..21...wS.J.T.m...;.Jv..Y....e..B.....kk....o.&.rn....z~u...%. .Bq\..X.`.M.b.....)p...Y-........r.L.`.5+..i>5.;.<..C3%'...U...X......D..{.!F.~...8=..c.~y.{w.s..{..U........._....~.j......)Sg.....R^:.u[v..m.....j.eJ.w.u.T.....Oy.s-..m.x..x.c`f.........................L,,LL,..L.@yF.(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\231[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	563251
Entropy (8bit):	5.75805253327619
Encrypted:	false
SSDEEP:	6144:dbbVuAi2W7oxxnXKC9SjJ0Xh1kb9um4vMeQNQwQhevcaqLS:xVuAnW7unXrGE5S
MD5:	040FFE97A1DC9ABA5AF7AEBFBECDC32D
SHA1:	6A76A00485518A4F39E3D6646FD5B11FEB556967
SHA-256:	189CC8DE6F0D71E1039D3659BF9A2A5C4386AC8AF3492AC2B00322176D22DA3A
SHA-512:	903BB763403D7CB5AB54CCF14A92B22853CE135B724637CCBD72204C8A5746033587BC4E9895C64574A6C78A6623D32BEA3DC4D3E740B4CF4D49EAA86A4CA0A9
Malicious:	false
Preview:	var index;!function(){var r={1758:function(r,n,e){function t(r){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(r){return typeof r}:function(r){return r&&"function"==typeof Symbol&&r.constructor===Symbol&&r!==Symbol.prototype?"symbol":typeof r},t(r)}!function(r,n){./! https://mths.be/array-of v0.1.0 by @mathias /.!function(){"use strict";var r=function(){try{var r={},n=Object.defineProperty,e=n(r,r,r)&&n}catch(r){}return e}(),n=function(){for(var n,e=arguments,t=e.length,o=function(r){try{return!!new r}catch(r){return!1}}(this)?new this(t):new Array(t),a=0;a<t;)n=e[a],r?r(o,a,{value:n,writable:!0,enumerable:!0,configurable:!0}):o[a]=n,a+=1;return o.length=t,o};r?r(Array,"of",{value:n,configurable:!0,writable:!0}):Array.of=n}(),Object.defineProperty(Array.prototype,"fill",{configurable:!0,value:function(r){if(this===n\|\|null===this)throw new TypeError(this+" is not an object");var e=Object(this),t=Math.max(Math.min(e.length,9007199254740991),0)\|\|0,o=1 in a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\d[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Web Open Font Format, CFF, length 40596, version 0.0
Category:	dropped
Size (bytes):	40596
Entropy (8bit):	7.990882155754029
Encrypted:	true
SSDEEP:	768:B2Ws4f6Rc1d7fPlzKC8h7Wy1qmDG8WCecBE6SvNxkCTuLQjlrXPv:B21o6A7fPlh8iPClQNxkC6+1/v
MD5:	590A9EEBC0AC0BA776529CBA1D5B718A
SHA1:	E1AA96B54C162F1DEA3CE203B45CD115051BA351
SHA-256:	28195F698F74D701F5B253495756F7ECD70C50047C1F795952587E6F3E742B19
SHA-512:	387ADC334C00F4083660107D9C4C3FE3461F1BF4D135A2A7DCF475FFC9C04680D0ECEA30591F253DF584F8F063CC430D69162AD1B8BFFB6C01972079BF6447BF
Malicious:	false
Preview:	wOFFOTTO...................................BASE...D...F...Fe.].CFF ...P..w....n..z.DYNA..{.........d...GDYN..\|....#...Q0.exGPOS..~.......7JT...OS/2.......Y...`].z.cmap................gasp................head.......4...6..%}hhea...$...!...$....hmtx............t.).maxp...H.........0P.name................post...x....... ...2..............ideoromn..DFLT..cyrl..grek..latn...................W..............x.c`d```5.R.{fz<..W.f..@.....0....>.....\f.&.(.h...x...n.@.E..IUUB]...D.*e..X.x...T....... l..'(\|D.......t..t...4.T.xd....o.m.o..........W......{nR....=\|.\|.w.-t..YA.5Wy..s....s......\|..{nR...!...#\|h\|.....I.J....L..oK..R\.SS.M.X=....b../l)F......2.I....H.&....!M.H..(._....9......p......E.p;..TJ..c.&..T.{.g.J.{/..$...zJ......v.n.z..rj..fye[..u.]u.'..P..>f0.@....%g....c.h...M\l...R.....c.H.V...v././....\|1...0.RU...@N..17..!...UCG...y...sn\.....K..8...n..o.uNqgA.u..yZA]...(N..._...nJ....s......S.@...9..^....!...+.j..a.].g.....l..x.c`fbeV``e``.b.```...q.F..@QnN

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\d[2]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Web Open Font Format, CFF, length 40248, version 0.0
Category:	dropped
Size (bytes):	40248
Entropy (8bit):	7.989634769609523
Encrypted:	false
SSDEEP:	768:LDFkEGYLN2ySKC2EspJHit0n4ZHtSxGHRT99rgv8sBe9gUR98RzVuppM+2RX2xQ5:L2E7N6u/its45ExGHR/8v8Dg29OzVu/M
MD5:	C26C1B68EDD07AB0069CF2EFE0886C1F
SHA1:	3579AED1FC9953159F817E57E7899849AC94EA85
SHA-256:	72073CA6C71BCC781491B054C4325A663834082457FD896CB6E1E9931BF6E013
SHA-512:	5459372E0DD2056437217F9668C393111C54E3C31FBDCA997E9D06C1DC3519DBA0AB0AB7B1F28A10AE10009AC828AEA9BFC21A2E58185F79E2403FEEEF424E32
Malicious:	false
Preview:	wOFFOTTO...8...............................BASE...D...F...Fe.].CFF ...@..vs........DYNA..z.........d...GDYN..{...."...QZ].BGPOS..\|....c..7B....OS/2.......Y...`^B{.cmap...0............gasp................head.......4...6..%phhea.......!...$....hmtx...8..........%.maxp...8.........0P.name...............]post........... ...2..............ideoromn..DFLT..cyrl..grek..latn...................U..............x.c`d```5..,....o....P..\|r...........k ....$..Y\.jx...n.0....'E..}..{hZ..8...@29.....~hH....;t.#.......y..@.(.5.!.!....RW.............[x...G....65[.......z~..A.?X...rU......s....#......<{>F...\|..2.;X..<.P..1Z....}eu^..bi.)c.WR..L...Vb.+]..l.W...1..e:...,.#.....z<.:.S.:.....E..........P*...c....T..6..T.. .d..HF.....X...v.~......G........9. .Bq\.FX.`.M.c....s..e....h.3v.....8.fH....4gM..+...X..R....Y..KD....D.......?..=N.<..._.........y......C...U....[.....~.lN.~.....W..{.\^;..?.._..a...T...t.....K.Y....}...2..x.c`f.`na`e``.b.```...q.F..@Qn.f&..&&....v.<#..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\d[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Web Open Font Format, CFF, length 39972, version 0.0
Category:	dropped
Size (bytes):	39972
Entropy (8bit):	7.991697943495219
Encrypted:	true
SSDEEP:	768:/CjC6+7R1Cf1RSIpcme1GO3SgcXFwwSUyaXgofeoUyN+MPv:/Cjh+lQf1xpG3S1XFwwSUyaXgofPqov
MD5:	DF0CD5EDE266E9EA694C3D28209FCE9F
SHA1:	ECCA8585322A40CF1D0A479EBE67597ADF50E69D
SHA-256:	5ECD3C64E4C0D1A51D13E2762BECB9E7DA2ACD30D670058A6B16761BE3E017DB
SHA-512:	B747532E1CDF0C57EF67D45389B61D14ACAF19BC36A9E007189F0F551CBC3D13AD518803A572AB061CB42F129C1AAEEFF25AB066C72CBE4B562841624D5EAE75
Malicious:	false
Preview:	wOFFOTTO...$.......8........................BASE...D...F...Fe$].CFF ...4..t..../.>.PDYNA..y ........c...GDYN..z...."...Q..mGPOS..{@......7v_...OS/2.......Y...`\Wv.cmap................gasp................head.......4...6..%uhhea.......!...$....hmtx...$........P+/kmaxp...,.........0P.name................post........... ...2..............ideoromn..DFLT..cyrl..grek..latn...................\..............x.c`d```5..S.........(.p>94.F......\|..ef`....&c..x.RKn.0..9N...Qt.5.v..R 8.Wv..Y%...%..........0...]t.S...@G...M..!q.{3C.Q....<t.o.=.a...^a...>...>9....a.........J.....O.=..b.{.x{......p.......~8\|......$.....:..U.h.84F...e].ul.J.I...f..F.u......2.q1..,.#...xr5..m..N]......N..,D..].P..ii.e...Trx6.....6I(#...z..S]..9Tz.1rY.f....'..U.G..P..D..P".&^....8.,x].....7.....e..sl.F.Jc#.Y..s...Th............aL.....E...t..(;..U...;....,......^H...LJ..g.x.A^[....X.._.g6.kb..}G..%.n.e......}.X....]?g^;~C.^4..t...<...x.c`f\|.8.......).....B3.1.1.E.Y..XX..X......P............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\d[2]

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Web Open Font Format, CFF, length 37480, version 0.0
Category:	dropped
Size (bytes):	37480
Entropy (8bit):	7.989671357448148
Encrypted:	false
SSDEEP:	768:+Fth4mFn+GiKkGQPWdGPgIVw9xRju2H3/Nn/byU:Am+nxiKsPWdGPH+FuVU
MD5:	EE10AE517D40542F597A9E0E2852B52B
SHA1:	D30F8C2467A4689844268B82E0E2ECFE3464CDAE
SHA-256:	ED1815F9829E1F6A710FCDC182613F614F4887E39281E095360BEEC1CCC72348
SHA-512:	A327F9E3B5B9AA8CB13BC118DA5F26AF5C3A8DBB66128F36F18E09EB019A222846694A6A8C13FDC48F0460BC9E79BA7EA9DC8AA9EB8B30F63576448328E83ACB
Malicious:	false
Preview:	wOFFOTTO...h.......T........................BASE...D...F...Fe$].CFF ...8..l....x.Q.DYNA..pT.......\|Zh`.GDYN..q<.......9J..uGPOS..rL......3.*^..OS/2.......]...`\Xv.cmap...T.........G.;gasp................head.......4...6.:%Fhhea.......$...$.$..hmtx...T........;..Xmaxp...0.........0P.name...........~n\.hpost...<....... ...2..............ideoromn..DFLT..cyrl..grek..latn...................\..............x.c`d```5...v........(.p>9..F.W...b.\|............8x.RKn.0..9...m.U.]..@(Z..8..N...6.$.`}\.1.#....A.=I......"(...>>..;<.C..8[..5w-...G..O.w.Y;\|.!>;..[\|u..}<R.u_qW.....{K.;x.e......p..o....;....'.;...(u..2.bq...k1+...Ud.J.q..yz.1...ZW{.[.U..bf.,MB.....z2..M...C7..3.RWuZ.....D .R.Mi....Trp6....Zfi..P.C.^.n..]..9..652)s_.gQ.?..`..<@ ..8'.c..14....0.9W..{.0[ag.. .....#..6..v..jr.......M...kFm...._8..k.%S.~.~.N..e.X.......%w.....es.i;...e.=.V-.kr.....9...k8kF..c....Z..W.t....9.;.c~K.C}sj..=u.k.]]..}.7........x.c`f..8.......)....o......`....fefba.dbQ``jg```d..G.'W....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\bxf0ivf[1].js

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Unicode text, UTF-8 text, with very long lines (2369)
Category:	dropped
Size (bytes):	18413
Entropy (8bit):	5.5692261470401165
Encrypted:	false
SSDEEP:	384:S12hpIgIVsUGiRm4lIeU4iDFeFs2NdFJsQF+i:SF7GiRm4X0JqsG7Ui
MD5:	CFE609917C9E7D4EED2C80563DED171B
SHA1:	2E5BBD88B040662BF8023FD6A9D55CC760008695
SHA-256:	AD84B43FFD121E46AC4D2FA817B5863E4802C523BC3FB5E864DB28B3DB0E2514
SHA-512:	1F600E1ABF1814C89589462ADE13F2E5399082236829EB45A530C852AE135910CB332D540B228DA744B60241BC74E85A3E5EB60CBC65B860E8E9148AF79C54D7
Malicious:	false
Preview:	/. The Typekit service used to deliver this font or fonts for use on websites. * is provided by Adobe and is subject to these Terms of Use. * http://www.adobe.com/products/eulas/tou_typekit. For font license. * information, see the list below.. . adobe-clean:. * - http://typekit.com/eulas/000000000000000000017701. * - http://typekit.com/eulas/000000000000000000017702. * - http://typekit.com/eulas/000000000000000000017703. * - http://typekit.com/eulas/0000000000000000000176ff. * - http://typekit.com/eulas/000000000000000000017704. * - http://typekit.com/eulas/000000000000000000017706. . . 2009-2024 Adobe Systems Incorporated. All Rights Reserved.. */.if(!window.Typekit)window.Typekit={};window.Typekit.config={"a":"19707152","c":[".tk-adobe-clean","\"adobe-clean\",sans-serif",".tk-adobe-clean-condensed","\"adobe-clean-condensed\",sans-serif"],"fi":[7180,7181,7182,7184,7185,22474],"fc":[{"id":7180,"family":"adobe-clean","src":"https://use.typekit.net/af/cb695f/000000

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\p[1].gif

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	35
Entropy (8bit):	2.9302005337813077
Encrypted:	false
SSDEEP:	3:CUHaaatrllH5:aB
MD5:	81144D75B3E69E9AA2FA3E9D83A64D03
SHA1:	F0FBC60B50EDF5B2A0B76E0AA0537B76BF346FFC
SHA-256:	9B9265C69A5CC295D1AB0D04E0273B3677DB1A6216CE2CCF4EFC8C277ED84B39
SHA-512:	2D073E10AE40FDE434EB31CBEDD581A35CD763E51FB7048B88CAA5F949B1E6105E37A228C235BC8976E8DB58ED22149CFCCF83B40CE93A28390566A28975744A
Malicious:	false
Preview:	GIF89a.............,..............;

C:\Users\user\AppData\Local\Temp\Adobe_ADMLogs\Adobe_ADM.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (491), with CRLF line terminators
Category:	dropped
Size (bytes):	26886
Entropy (8bit):	3.598336168264256
Encrypted:	false
SSDEEP:	768:UJHlHjrJx4gVdVbYYBOreyVjol/yfisfYFv:U5lHjrJx4gVdVbYYBceyVjol/StYFv
MD5:	8031F01C0D5815F86E7F16E673DC059D
SHA1:	BFEB6524C1DEF5DEC27CB7D4A4CB66E15A8EB8B1
SHA-256:	C95E16811FA92F7C0EA1A46DA803C3A33D6D9B75F9F49F182EE2E3FCE380EC91
SHA-512:	762EE17CC99566CE053168DF7B817235382C1C655F4AB79A51D2EB63855BF3A5A7410A1406369ECF9000F49883874C569023DE83B6E0D538684CDFA48E170BBD
Malicious:	false
Preview:	..1.1./.2.2./.2.4. .0.0.:.1.1.:.2.5.:.8.7.6. .\|. .[.I.N.F.O.]. .\|. . .\|. .A.D.M. .\|. . .\|. .A.p.p.l.i.c.a.t.i.o.n.C.o.n.t.e.x.t. .\|. . .\|. . .\|. .7.4.0.4. .\|. ........................ .A.D.M. .W.o.r.k.f.l.o.w. .s.t.a.r.t... .V.e.r.s.i.o.n.:. .2...0...0...7.0.2.s. ..........................*.....1.1./.2.2./.2.4. .0.0.:.1.1.:.2.5.:.8.7.6. .\|. .[.T.R.A.C.E.]. .\|. . .\|. .A.D.M. .\|. . .\|. .A.p.p.l.i.c.a.t.i.o.n.C.o.n.t.e.x.t. .\|. . .\|. . .\|. .7.4.0.4. .\|. .C.o.m.m.a.n.d. .L.i.n.e. .:. .t.e.s.t...e.x.e. .....1.1./.2.2./.2.4. .0.0.:.1.1.:.2.5.:.8.7.6. .\|. .[.I.N.F.O.]. .\|. . .\|. .A.D.M. .\|. . .\|. .A.p.p.l.i.c.a.t.i.o.n.C.o.n.t.e.x.t. .\|. . .\|. . .\|. .7.4.0.4. .\|. .A.d.m.i.n. .a.n.d. .n.o.t. .c.h.i.l.d. .p.r.o.c.e.s.s... .N.o. .n.e.e.d. .f.o.r. .I.P.C.....1.1./.2.2./.2.4. .0.0.:.1.1.:.2.6.:.6.5.8. .\|. .[.I.N.F.O.]. .\|. . .\|. .A.D.M. .\|. . .\|. .A.p.p.l.i.c.a.t.i.o.n.C.o.n.t.e.x.t. .\|. . .\|. . .\|. .7.4.0.4. .\|. .W.h.i.t.e. .l.i.s.t.e.d. .U.R.L.s. .

C:\Users\user\AppData\Local\Temp\Adobe_ADMLogs\Adobe_GDE.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	390
Entropy (8bit):	3.1136621375241704
Encrypted:	false
SSDEEP:	6:QRdOWqnRarVADi6Iy3MCdOWqnRarLgNZSY:Q7OWqnRahAu6xOWqnRafuZ3
MD5:	CA73468830B594BDD1AFE7CC68423B37
SHA1:	89C7050C2179B8BCAB0E1C2180B6AD7BF518CFFE
SHA-256:	EA7619F5E3A99B6BBB3BA2229C24F760A043672904DC2356B3889687D2FFEC8D
SHA-512:	AE16C99E147D9F7FCC6663710E9372A3FEBD54EE2A5553788C4B3F47369035FA17B7D48C4003DAF92DF2A6942F2E773EF64B504716385A736C2C33D8FFAB0E7A
Malicious:	false
Preview:	..1.1./.2.2./.2.4. .0.0.:.1.1.:.3.1.:.3.3.9. .\|. .[.I.N.F.O.]. .\|. . .\|. . .\|. . .\|. . .\|. . .\|. . .\|. .7.6.3.6. .\|. ....................s.t.a.r.t. .o.f. .D.o.w.n.l.o.a.d................*.....1.1./.2.2./.2.4. .0.0.:.1.1.:.3.1.:.3.3.9. .\|. .[.I.N.F.O.]. .\|. . .\|. . .\|. . .\|. . .\|. . .\|. . .\|. .7.6.3.6. .\|. .G.D.E. .V.e.r.s.i.o.n. .i.s. .2...0...0...1.....

C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	1450040
Entropy (8bit):	7.923308096978353
Encrypted:	false
SSDEEP:	24576:8c+ApDgcz6SWzMi+6iulvI4rTUJOH/akEElC80FN3kxZP+xzkc3ET:8k/SWslrroJOfrEN80moxzr3c
MD5:	E4E96D377207C990295577E0EBD93F79
SHA1:	6C6ED98B484F8A1A145EBE7D900DF36FB4ABC931
SHA-256:	AC6311039D5BFE719198C15577D3EE870185529F9510F5C0DDC066F1C8D8C462
SHA-512:	3DB14A6F3DFA2E2768B1C25A65BC6F48C5DC763D80FEE576CD7D0B21F3ECDCD25C0096B10C947F6B24999C23DF75709604A4DC0FD1D894CDB1B9A556E1E6EAF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......F?...^...^...^...,...^...,../^...,...^...,...^.."...^.."...^..".._...^...^..d....^...,...^...#...^...^...]...#..>^...#...^...#7..^...#...^..Rich.^..........PE..L...#X.d...............#.....P...@....C..P....D...@..........................PD...........@......................... ..l....JD.......D..J..............8...LD.............................l.C.......C.......................).....................UPX0.....@..............................UPX1.........P......................@....rsrc....P....D..N..................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!....

C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2452992
Entropy (8bit):	6.606309621583536
Encrypted:	false
SSDEEP:	24576:04MRPjr8C5Gi0v4/bplKYFhoFA496+Se7dwSWt+0zvhsCIA8A3RmzlQ68:2Rfr/bqM2XpWAWJ8MKlQ
MD5:	3CF367E01D074E622E14C36FE1685C0A
SHA1:	F9B347B843F438564E606A7D3E273659E0FB7CC7
SHA-256:	2CB0AEA0F3DFE49B99F5F7A0E6F6020413C916E4A21D05D2DF1CCA3DE3E7E91D
SHA-512:	4033D7E17E673EC67947367FED5F5992D578B61A0DA0D24743D03AB0E1BF17F26BCE7F80D5B0D23F87736E3D8C429FD4420BEC708C295D81D125700BBF4AB3A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...`.f.d.c.d.`.d...a.`.d...g.e.d...`.i.d..8....d..8..f.d..8..n.d..[..`.d.c.e.!.d...a.a.d...d.b.d.....b.d.c...b.d...f.b.d.Richc.d.........................PE..d.....>g.........." .......... ......$........................................%...........`.............................................h...h...(.....%.......%.H.............%......................................................................................text............................... ..`.rotext.(F.......H.................. ..`.rodata............................. ..`.rdata..f...........................@..@.data...............................@....pdata..H.....%......Z%.............@..@.gfids........%......b%.............@..@.rodata.X.....%......d%.............@..@.rsrc.........%......f%.............@..@.reloc........%......h%.............@..B........................................

C:\Windows\Installer\411fe0.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: FWojXRpxua, Author: fwRTnJqOge, Keywords: Installer, Comments: This installer database contains the logic and data required to install FWojXRpxua., Template: x64;1033, Revision Number: {73232F59-F6AA-4764-AEA4-731717E1ED5E}, Create Time/Date: Wed Nov 20 20:52:00 2024, Last Saved Time/Date: Wed Nov 20 20:52:00 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	2834432
Entropy (8bit):	7.991420826606059
Encrypted:	true
SSDEEP:	49152:/O05mqQDiCjwnwVv+i2MF/NtSftHFDSy4dx21N+NfSf/wXoCBBUQZcUJ8+mp3gi/:/rABiCjwnwVmGF1t6R1j4dx8Njf/w4C2
MD5:	B9632555B2C19B9182CAB9C098C22D8E
SHA1:	100D612540C51413141F52C3888114CDDB76E9A0
SHA-256:	1164B944F47A9701DDD682F59C60425FAED350647E3F9E562E1ABC140A89C7F2
SHA-512:	B90B26AF09115C4AD37F5CB40135DE51835CCFFBD666168934062FB587A9111FA535E21C1E231AED76A5E871D63A9F71B686367DEFED3D584F6D76F75E5ACB52
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\411fe2.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: FWojXRpxua, Author: fwRTnJqOge, Keywords: Installer, Comments: This installer database contains the logic and data required to install FWojXRpxua., Template: x64;1033, Revision Number: {73232F59-F6AA-4764-AEA4-731717E1ED5E}, Create Time/Date: Wed Nov 20 20:52:00 2024, Last Saved Time/Date: Wed Nov 20 20:52:00 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	2834432
Entropy (8bit):	7.991420826606059
Encrypted:	true
SSDEEP:	49152:/O05mqQDiCjwnwVv+i2MF/NtSftHFDSy4dx21N+NfSf/wXoCBBUQZcUJ8+mp3gi/:/rABiCjwnwVmGF1t6R1j4dx8Njf/w4C2
MD5:	B9632555B2C19B9182CAB9C098C22D8E
SHA1:	100D612540C51413141F52C3888114CDDB76E9A0
SHA-256:	1164B944F47A9701DDD682F59C60425FAED350647E3F9E562E1ABC140A89C7F2
SHA-512:	B90B26AF09115C4AD37F5CB40135DE51835CCFFBD666168934062FB587A9111FA535E21C1E231AED76A5E871D63A9F71B686367DEFED3D584F6D76F75E5ACB52
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2128.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2400
Entropy (8bit):	5.6314585785076074
Encrypted:	false
SSDEEP:	48:2LPeu8kz7pw0JepUTuSP3Bfxpy21k6xNEbmp4UtGHpWaAeU1DFnToBoEVlt3CX:2Lrpu0JUS5VjxNEb9UtTre6xaoEPlc
MD5:	E32BAF243068F06A2553365E2583DE4C
SHA1:	FB27E7811D8B0CFCF1EE51A5E1EDEC188F037034
SHA-256:	CD291283CC631EA2F02F8A0DFC1A39E54A236296C2C87C9219966720468816A2
SHA-512:	C19F4464A518E82D16F8955844C024839D6E1B6B98CEF55ECD1AAC8D7A90E4D74DC4901685D9F1A6156D78D2AA3B6CDEAEBBA1C73437EF1C88A4EAB9BC782C14
Malicious:	false
Preview:	...@IXOS.@.....@d.uY.@.....@.....@.....@.....@.....@......&.{DD475EBC-D960-4AF4-BB8A-BE91FA942756}..FWojXRpxua..Acrobat_DC_x64_VIP_v10.12.msi.@.....@.....@.....@........&.{73232F59-F6AA-4764-AEA4-731717E1ED5E}.....@.....@.....@.....@.......@.....@.....@.......@......FWojXRpxua......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{CA18E5D1-6D13-4F6E-8DAC-FB15EF2DFD0D}S.C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe.@.......@.....@.....@......&.{55196117-3D71-4100-B339-6770670A36D9}I.C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll.@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@8.;..@.....@......;.C:\Users\user\AppData\Local\Temp\Package Installation Dir\..%.1\y_o6-t3z\

C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1732042294653637
Encrypted:	false
SSDEEP:	12:JSbX72FjlAGiLIlHVRpIh/7777777777777777777777777vDHFfeT3F/yrl0i8Q:JzQI5w9q/7F
MD5:	649A3DE56FE8AE281BFAD7748EE46BB9
SHA1:	98FAB8F7CCCADCA0E20D62D3DC61CD3BCB9F9E2F
SHA-256:	520334E9924A4BB23DBE7CD62A6655889B3E8DF53A35F0826E062A0F5889E249
SHA-512:	C325323B79D627CBA2BE2DCCC4E3E0D05660DC4FD0C1742071AC27F78C79F13A2563079AEA7D43D77A25662136CE79DFB307A81F1E6BFA1891DE22F9071CE993
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5305406280957934
Encrypted:	false
SSDEEP:	48:L8PhKuRc06WXJ6nT5TWSngoeE9ST4S5oVrQ9ST4SInA:yhK1xnTASg9s9sr
MD5:	5EA175FA2109B6180ADAD4DA15460DA7
SHA1:	F9732F3392CB2CE927869CE1EE6F37788D60F64A
SHA-256:	4279D064C6536B2CA149DDEAA72EBCCE1FD21ED2BD173FD6F1849577E19D140F
SHA-512:	B685D0B82C9D25C6566FD1699DA3CC09FA95A212A7EEBA2383DA669388629F4639F396623C475FD75EE954F970716D40AA2B33F95C34FC0E9C8B12A6CEF0B6DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375174937647703
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauG:zTtbmkExhMJCIpErL
MD5:	19786CF0013F89C44B43AE5C492C1177
SHA1:	950FF4E4E1F74268CCF8967AA8865F6C494BBB39
SHA-256:	5D44F56AA272D7C311EAA7F33CF7DC84FAAE6F8F6C9B3B9E35C25082C9E449CC
SHA-512:	12C5BEB7704D0F11668F004C95CD5CE57495856BEE997CA9F5B245B4992A89F0F2813E6B63E0CC574888FEDE843B27C5790BDEDDA5F5933BB2B2558A6AFA90B4
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF2D4DE71D769C830E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2281286952976211
Encrypted:	false
SSDEEP:	48:Y4VCucNveFXJJT5sWSngoeE9ST4S5oVrQ9ST4SInA:3C2xT3Sg9s9sr
MD5:	27D78B2A97F2942ED379F99FD85E6378
SHA1:	44CEAA763B8034B403AFE642813B0DA073B23A91
SHA-256:	0D71A45DD4114357941BF8CDDA4B3F56FA1E3915AC48E64EFDE9F670642CBCEB
SHA-512:	EC89BB31E788AD0EA14B862B30D1B395B586B92FC9DC5E97CE8769D0A1E2EFB1656DF8F85B9FD09DFC273933E8B7942AC6DA89AC4B0EDCA2222BD80EE1CF4EF9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF59F7A1C0E0C152F6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2281286952976211
Encrypted:	false
SSDEEP:	48:Y4VCucNveFXJJT5sWSngoeE9ST4S5oVrQ9ST4SInA:3C2xT3Sg9s9sr
MD5:	27D78B2A97F2942ED379F99FD85E6378
SHA1:	44CEAA763B8034B403AFE642813B0DA073B23A91
SHA-256:	0D71A45DD4114357941BF8CDDA4B3F56FA1E3915AC48E64EFDE9F670642CBCEB
SHA-512:	EC89BB31E788AD0EA14B862B30D1B395B586B92FC9DC5E97CE8769D0A1E2EFB1656DF8F85B9FD09DFC273933E8B7942AC6DA89AC4B0EDCA2222BD80EE1CF4EF9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6FDB52E1D39B702F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7AD34F472113CBEC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0785955619753621
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOG+eT3PZl9vYSIiVky6l51:2F0i8n0itFzDHFfeT3F/yr
MD5:	A2333A8EC90D63A56D2F45EC8F69063B
SHA1:	A650B9628485889B714E4FF3F075A07BE6697697
SHA-256:	9DC781F715FA46C8810595D2BF3F60B2A788AAA08248705B2E64CDA62B243E93
SHA-512:	EDBC08EFB148C100778881671FAEA6AFD0CFA1B9CA8F8124E493047CEC183267A73AE2F86DEA83A21362A64341D97F474A7AEBFE491339024539FAC68C619A41
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF82DC173EA9B2E5A4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF832A20BD922DF0D0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5305406280957934
Encrypted:	false
SSDEEP:	48:L8PhKuRc06WXJ6nT5TWSngoeE9ST4S5oVrQ9ST4SInA:yhK1xnTASg9s9sr
MD5:	5EA175FA2109B6180ADAD4DA15460DA7
SHA1:	F9732F3392CB2CE927869CE1EE6F37788D60F64A
SHA-256:	4279D064C6536B2CA149DDEAA72EBCCE1FD21ED2BD173FD6F1849577E19D140F
SHA-512:	B685D0B82C9D25C6566FD1699DA3CC09FA95A212A7EEBA2383DA669388629F4639F396623C475FD75EE954F970716D40AA2B33F95C34FC0E9C8B12A6CEF0B6DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8A2D58691AB68D30.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5305406280957934
Encrypted:	false
SSDEEP:	48:L8PhKuRc06WXJ6nT5TWSngoeE9ST4S5oVrQ9ST4SInA:yhK1xnTASg9s9sr
MD5:	5EA175FA2109B6180ADAD4DA15460DA7
SHA1:	F9732F3392CB2CE927869CE1EE6F37788D60F64A
SHA-256:	4279D064C6536B2CA149DDEAA72EBCCE1FD21ED2BD173FD6F1849577E19D140F
SHA-512:	B685D0B82C9D25C6566FD1699DA3CC09FA95A212A7EEBA2383DA669388629F4639F396623C475FD75EE954F970716D40AA2B33F95C34FC0E9C8B12A6CEF0B6DA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9530616AEBCBA1BC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA7A4C73575971EA7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBCF72FB53F632D77.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCDF6CF734A63117B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.13020342250802835
Encrypted:	false
SSDEEP:	24:VDAHca29SMClt4ipVlF+/CWneE9SMClt4ipV7V2BwGhlrkgri+2Ho9wh:BAp29ST4S9oeE9ST4S5oVr2nIW
MD5:	79A4BF63F3D53CADD4CA640D8E1BD388
SHA1:	A3E1C6B81F8ECF053F9C36024624D38D9A864E22
SHA-256:	DF3ED01DEF3DB5AB7142AC5FA9FAC0DC3E472D2E564F94D5FAA96DA080FECD44
SHA-512:	969023A92792FC2A91EC06EA23737340C77693233EE6BA1FB5A9F4D5318C082F9ABE2296D6E63EA86844CBB12144097417B5C0223EF9406FCF4D810CB859AA0D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFEC762020B6FBC4AA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2281286952976211
Encrypted:	false
SSDEEP:	48:Y4VCucNveFXJJT5sWSngoeE9ST4S5oVrQ9ST4SInA:3C2xT3Sg9s9sr
MD5:	27D78B2A97F2942ED379F99FD85E6378
SHA1:	44CEAA763B8034B403AFE642813B0DA073B23A91
SHA-256:	0D71A45DD4114357941BF8CDDA4B3F56FA1E3915AC48E64EFDE9F670642CBCEB
SHA-512:	EC89BB31E788AD0EA14B862B30D1B395B586B92FC9DC5E97CE8769D0A1E2EFB1656DF8F85B9FD09DFC273933E8B7942AC6DA89AC4B0EDCA2222BD80EE1CF4EF9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: FWojXRpxua, Author: fwRTnJqOge, Keywords: Installer, Comments: This installer database contains the logic and data required to install FWojXRpxua., Template: x64;1033, Revision Number: {73232F59-F6AA-4764-AEA4-731717E1ED5E}, Create Time/Date: Wed Nov 20 20:52:00 2024, Last Saved Time/Date: Wed Nov 20 20:52:00 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.991420826606059
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	Acrobat_DC_x64_VIP_v10.12.msi
File size:	2'834'432 bytes
MD5:	b9632555b2c19b9182cab9c098c22d8e
SHA1:	100d612540c51413141f52c3888114cddb76e9a0
SHA256:	1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2
SHA512:	b90b26af09115c4ad37f5cb40135de51835ccffbd666168934062fb587a9111fa535e21c1e231aed76a5e871d63a9f71b686367defed3d584f6d76f75e5acb52
SSDEEP:	49152:/O05mqQDiCjwnwVv+i2MF/NtSftHFDSy4dx21N+NfSf/wXoCBBUQZcUJ8+mp3gi/:/rABiCjwnwVmGF1t6R1j4dx8Njf/w4C2
TLSH:	CDD5339471DA5B33F28F89BD1706A1820B2D7D390EDB6A53B1E43937303639E9E568D0
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	23:03:06
Start date:	21/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Acrobat_DC_x64_VIP_v10.12.msi"
Imagebase:	0x7ff700e00000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:03:06
Start date:	21/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff700e00000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:03:07
Start date:	21/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"
Imagebase:	0xb30000
File size:	1'450'040 bytes
MD5 hash:	E4E96D377207C990295577E0EBD93F79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	23:03:07
Start date:	21/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"rundll32.exe" "C:\Users\user\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer
Imagebase:	0x7ff71d3a0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BumbleBee, Description: Yara detected BumbleBee, Source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Bumblebee_35f50bea, Description: unknown, Source: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.7%
Total number of Nodes:	1278
Total number of Limit Nodes:	35

Executed Functions

Function 00B43BB0 Relevance: 175.6, APIs: 51, Strings: 48, Instructions: 2345COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,?,?,?,CancelPort,0000000A), ref: 00B440A7
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B440B7
CloseHandle.KERNEL32(?,HTTPSend_03,0000000B,Error_NativeToUTF8,00000012,?,?,?,?,?,?,?), ref: 00B44262
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00B4426B

Strings

`ato, xrefs: 00B44766, 00B449BA, 00B44C4C, 00B45089, 00B453DC, 00B45627, 00B46089
Failed to connect to server, in HttpSend, xrefs: 00B448E9
Certificate not matching., xrefs: 00B45F3B
Failed to delete file: '%s' LastError:%d, xrefs: 00B459D2
GET, xrefs: 00B4522C
HTTPConnector::HTTPSend :: WinHttpSetStatusCallback failed, xrefs: 00B450A8
WinHttpOpen_01, xrefs: 00B4446D
Error_InvalidArguments, xrefs: 00B46197
WinHttpSetStatusCallback_01, xrefs: 00B44FBF
http://, xrefs: 00B43E0A
Failed in making http request, in HttpSend, xrefs: 00B452E8
HTTPConnector::HTTPSend, xrefs: 00B43C3E
Failed in multibyte to wide conversion, in HttpSend, xrefs: 00B4415F
HTTPConnectorError, xrefs: 00B44164, 00B4444B, 00B44692, 00B448EE, 00B44B60, 00B44F97, 00B452ED, 00B45536, 00B45C61
Failed to open http request, in HttpSend, xrefs: 00B44B5B
Failed in quering WinHttpHeaders error:%d, xrefs: 00B45C5C
WinHttpQueryHeaders_01, xrefs: 00B45B98
HTTPConnector::HTTPSend :: After callback : error Type : %d, error code : %d, xrefs: 00B45ADB
https://, xrefs: 00B43DA7, 00B43DCE
HTTPConnector::HTTPSend :: WinHttpOpen failed : %d, xrefs: 00B44536
HTTPConnector::HTTPSend :: WinHttpOpenRequest failed : %d, xrefs: 00B44C69
CancelPort, xrefs: 00B44047
HTTPConnector::HTTPSend :: WaitForMultipleObjects returned after timeout, xrefs: 00B45832
CertificateNotMatching_01, xrefs: 00B45FA8
HTTPConnector::HTTPSend :: WinHttpSendRequest failed : %d, xrefs: 00B45400
WinHttpOpenRequest_01, xrefs: 00B44B82
Certificate: %s, xrefs: 00B45F22
WinHttpSetCredentials_01, xrefs: 00B4555E
HttpConnector, xrefs: 00B4453B, 00B44796, 00B449EA, 00B44C6E, 00B450AD, 00B45405, 00B45655
&, xrefs: 00B460CC
HTTPSend_03, xrefs: 00B441A9
HTTPSend, xrefs: 00B44645, 00B45F40
Failed to connect to server, in HttpSend with secure flag, xrefs: 00B4468D
WinHttpConnect_01, xrefs: 00B44910
HTTPConnector::HTTPSend :: WinHttpSetCredentials failed : %d, xrefs: 00B45650
WinHttpQueryOption_01, xrefs: 00B45D4D
setting secure protocols to TLS1.2 always, xrefs: 00B44640
FileUtils, xrefs: 00B459DC
WinHttpSetOption, xrefs: 00B446B4
Failed in setting proxycredentials in HttpSend error:%d, xrefs: 00B45531
Failed to open a WinHttp session, in HttpSend, xrefs: 00B44446
HTTPConnector::HTTPSend :: WinHttpConnect failed : %d, xrefs: 00B44791, 00B449E5
HTTPConnector::HTTPSend :: WaitForMultipleObjects returned with cancellation, xrefs: 00B4580E
HTTPSend_01, xrefs: 00B461C1
Failed in setting status callback in HttpSend, xrefs: 00B44F92
WinHttpSendRequest_01, xrefs: 00B45313
AAM, xrefs: 00B443C3, 00B44413
Error_NativeToUTF8, xrefs: 00B44196

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CloseCreateEventHandle
String ID: &$AAM$CancelPort$Certificate not matching.$Certificate: %s$CertificateNotMatching_01$Error_InvalidArguments$Error_NativeToUTF8$Failed in making http request, in HttpSend$Failed in multibyte to wide conversion, in HttpSend$Failed in quering WinHttpHeaders error:%d$Failed in setting proxycredentials in HttpSend error:%d$Failed in setting status callback in HttpSend$Failed to connect to server, in HttpSend$Failed to connect to server, in HttpSend with secure flag$Failed to delete file: '%s' LastError:%d$Failed to open a WinHttp session, in HttpSend$Failed to open http request, in HttpSend$FileUtils$GET$HTTPConnector::HTTPSend$HTTPConnector::HTTPSend :: After callback : error Type : %d, error code : %d$HTTPConnector::HTTPSend :: WaitForMultipleObjects returned after timeout$HTTPConnector::HTTPSend :: WaitForMultipleObjects returned with cancellation$HTTPConnector::HTTPSend :: WinHttpConnect failed : %d$HTTPConnector::HTTPSend :: WinHttpOpen failed : %d$HTTPConnector::HTTPSend :: WinHttpOpenRequest failed : %d$HTTPConnector::HTTPSend :: WinHttpSendRequest failed : %d$HTTPConnector::HTTPSend :: WinHttpSetCredentials failed : %d$HTTPConnector::HTTPSend :: WinHttpSetStatusCallback failed$HTTPConnectorError$HTTPSend$HTTPSend_01$HTTPSend_03$HttpConnector$WinHttpConnect_01$WinHttpOpenRequest_01$WinHttpOpen_01$WinHttpQueryHeaders_01$WinHttpQueryOption_01$WinHttpSendRequest_01$WinHttpSetCredentials_01$WinHttpSetOption$WinHttpSetStatusCallback_01$`ato$http://$https://$setting secure protocols to TLS1.2 always
API String ID: 3369476804-3434179951
Opcode ID: a2860f6008778032328df26fa6558eb64d7eba556290828d86f262be8527f5ee
Instruction ID: 448484d2b0757162d543597a0db0c9a9f76155958c23a9cc9c43053ed1b7c9f7
Opcode Fuzzy Hash: a2860f6008778032328df26fa6558eb64d7eba556290828d86f262be8527f5ee
Instruction Fuzzy Hash: 36335670D01259DFDB21DB24CC49B9EBBB8AF15304F6481D9E508A7292DB70AF88DF61

Function 00B599E0 Relevance: 46.5, APIs: 7, Strings: 19, Instructions: 1003
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BA2A20: RtlInitializeCriticalSection.NTDLL(00DE08A4), ref: 00BA2A9C

CoCreateGuid.COMBASE(00000000), ref: 00B5A2C9
StringFromGUID2.COMBASE(00000000,?,00000104), ref: 00B5A2DC
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00D94E3C,00000000,00D94C6C,00000002,?,?,00000000,00000000,0000000D), ref: 00B5A3B5
PathFindFileNameW.SHLWAPI(?,?,?,00000000,00000000,0000000D), ref: 00B5A3FB
GetModuleFileNameW.KERNEL32(00000000,?,00000104,00D98058,00000000,00000000,-00000002,?,?,00000000,00000000,0000000D), ref: 00B5A463
GetModuleHandleW.KERNEL32(tmmon.dll,?,?,?,?,00000000,00000038,?,?,?,?,?,00D99834,?,?,00000000), ref: 00B5A8FF
GetModuleHandleW.KERNEL32(tmmon64.dll,?,?,?,?,00000000,00000038,?,?,?,?,?,00D99834,?,?,00000000), ref: 00B5A90A

Strings

tmmon.dll, xrefs: 00B5A8FA
3, xrefs: 00B5AC89
tmmon64.dll, xrefs: 00B5A905
install, xrefs: 00B59E30, 00B59E46
5.1, xrefs: 00B59EC8, 00B59EE5
packageListCS, xrefs: 00B59BDF
false, xrefs: 00B5AC21
readerdc, xrefs: 00B5A9D7
ApplicationContext, xrefs: 00B5A157
_cra, xrefs: 00B5AA2D, 00B5AA81
live, xrefs: 00B59E10, 00B59E26
ADM, xrefs: 00B5A14B
en_US, xrefs: 00B59E50, 00B59E66
ADM, xrefs: 00B5A144
_crd, xrefs: 00B5AB04, 00B5AB58
true, xrefs: 00B5AAEA
readerdc64, xrefs: 00B5A8AE
_acr, xrefs: 00B5A8D9, 00B5AA02
en_US, xrefs: 00B5A070, 00B5A086

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Module$FileName$Handle$CreateCriticalFindFromGuidInitializePathSectionString
String ID: 3$5.1$ADM$ADM$ApplicationContext$_acr$_cra$_crd$en_US$en_US$false$install$live$packageListCS$readerdc$readerdc64$tmmon.dll$tmmon64.dll$true
API String ID: 2029594171-4111704561
Opcode ID: 3d36ca98547ab5bb0d1e05bae0b8d69175c09030bcacc3596361ecf38b19086f
Instruction ID: 6893dc1d346fcb6861425792d99f413fe4353792c0cf76f35f0dc7a65656413b
Opcode Fuzzy Hash: 3d36ca98547ab5bb0d1e05bae0b8d69175c09030bcacc3596361ecf38b19086f
Instruction Fuzzy Hash: 53B28C70D053D8CAEB10EF64DD94B997BB0EB65308F1482D9D448AB392D7B52AC8CF61

Function 00F6F080 Relevance: 7.7, APIs: 5, Instructions: 207
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 00F6F1C2
GetProcAddress.KERNEL32(?,00F57FF9), ref: 00F6F1E0
ExitProcess.KERNEL32(?,00F57FF9), ref: 00F6F1F1
VirtualProtect.KERNEL32(00B30000,00001000,00000004,?,00000000), ref: 00F6F23F
VirtualProtect.KERNEL32(00B30000,00001000), ref: 00F6F254

Memory Dump Source

Source File: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: e5db3ce5cb6f0904c5b26aff4a31ed20d7db6bf37ba937b433649e7730662efd
Instruction ID: bce6671636fca9899c1e5b4baad5395d6b191ef1bc8945ae63f7e2f2a5d61026
Opcode Fuzzy Hash: e5db3ce5cb6f0904c5b26aff4a31ed20d7db6bf37ba937b433649e7730662efd
Instruction Fuzzy Hash: EA5138B2E507529BD7208EB8FCC0660B7A0EB533747680739C5E6C73C6E7A4590EA764

Function 00B42C70 Relevance: 36.3, APIs: 12, Strings: 12, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00B42CC0
GlobalFree.KERNEL32(?), ref: 00B42DBA
GlobalFree.KERNEL32(?), ref: 00B42DC5
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00B42E35
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?), ref: 00B42E77
GetLastError.KERNEL32 ref: 00B42F1A
GlobalFree.KERNEL32(?), ref: 00B42F9B
GlobalFree.KERNEL32(?), ref: 00B42FA6
GlobalFree.KERNEL32(?), ref: 00B42FB1
GlobalFree.KERNEL32(?), ref: 00B42FCD
GlobalFree.KERNEL32(?), ref: 00B42FD8
GlobalFree.KERNEL32(?), ref: 00B42DD0

Part of subcall function 00B38570: __Init_thread_footer.LIBCMT ref: 00B385F3

Strings

`ato, xrefs: 00B42FE3
GetIEProxyInfo - proxy fetched is :%s, xrefs: 00B42CFA
://, xrefs: 00B42D3D
https=, xrefs: 00B42D03
GetIEProxyInfo - No default proxy present on the user machine, xrefs: 00B42DF7
GetIEProxyInfo - invalid arguments, xrefs: 00B4300E
GetIEProxyInfo - Failed to get proxy setting for current user :%d, xrefs: 00B42CC7
HTTPConnectorError, xrefs: 00B43013
GetIEProxyInfo - Failed to get proxy for the url, error:%d, xrefs: 00B42F21
WinHTTP AutoProxy, xrefs: 00B42E82
GetIEProxyInfo - autoconfig url on the machine is :%s, xrefs: 00B42EB6
GetIEProxyInfo - proxy Url is %s, xrefs: 00B42F7B

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: FreeGlobal$ByteCharErrorLastMultiWide$Init_thread_footer
String ID: ://$GetIEProxyInfo - Failed to get proxy for the url, error:%d$GetIEProxyInfo - Failed to get proxy setting for current user :%d$GetIEProxyInfo - No default proxy present on the user machine$GetIEProxyInfo - autoconfig url on the machine is :%s$GetIEProxyInfo - invalid arguments$GetIEProxyInfo - proxy Url is %s$GetIEProxyInfo - proxy fetched is :%s$HTTPConnectorError$WinHTTP AutoProxy$`ato$https=
API String ID: 1541574466-452352629
Opcode ID: a91dab4cbe7e8fa33f9f2f41e220ddcf3eb99b463b0f8056c3a3c45f94c2ef94
Instruction ID: 260126ac0311a5a2f0cb19095203bd62b7043ffd0dd98661de082ca46b97106f
Opcode Fuzzy Hash: a91dab4cbe7e8fa33f9f2f41e220ddcf3eb99b463b0f8056c3a3c45f94c2ef94
Instruction Fuzzy Hash: 15A1D531A043029FDB249F24CC09B6BBBE8EF85714F4805ADFC45A7291DB75D905EBA2

Function 00BD2340 Relevance: 21.2, APIs: 14, Instructions: 197
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(00DDDCA0), ref: 00BD234E
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00DDDC84,00DDDC84,?,00BD26BD,00000004,00BCFF21,00BBC3C6,00BCD7F3,00B41B52,00000002,?), ref: 00BD23BD
GlobalHandle.KERNEL32(00DDDC94), ref: 00BD23C7
GlobalUnlock.KERNEL32(00000000), ref: 00BD23D9
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00BD23F4
GlobalLock.KERNEL32(00000000), ref: 00BD23FF
RtlLeaveCriticalSection.NTDLL(00DDDCA0), ref: 00BD244B
GlobalHandle.KERNEL32(00DDDC94), ref: 00BD245F
GlobalLock.KERNEL32(00000000), ref: 00BD246A
RtlLeaveCriticalSection.NTDLL(00DDDCA0), ref: 00BD2474
RtlEnterCriticalSection.NTDLL(00000000), ref: 00BD24FD
RtlLeaveCriticalSection.NTDLL(00000000), ref: 00BD2510
LocalFree.KERNEL32(?), ref: 00BD2519
TlsSetValue.KERNEL32(00000000,00000000), ref: 00BD2538

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Global$CriticalSection$Leave$AllocEnterHandleLock$FreeLocalUnlockValue
String ID:
API String ID: 3723562325-0
Opcode ID: 0941098dd9d04bc2e673dd888ea54e38213d8509ec21092cc4b401e2c79ac357
Instruction ID: 4e43c21f05dbf86d0fcfdff6530aa2223287d766e2a8d25ba0be8d0b914f6074
Opcode Fuzzy Hash: 0941098dd9d04bc2e673dd888ea54e38213d8509ec21092cc4b401e2c79ac357
Instruction Fuzzy Hash: 2C616C31A00345EFDB149F68D888A99BBE4EF54315F5480AAEE01DB361EB71E951CFA0

Function 00B43730 Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(00000000), ref: 00B438D1
SetEvent.KERNEL32(?), ref: 00B43AB8

Part of subcall function 00B38570: __Init_thread_footer.LIBCMT ref: 00B385F3

Strings

WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE..., xrefs: 00B4380E
WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE : error : %d, xrefs: 00B43957
HTTPConnectorError, xrefs: 00B43865
HttpConnector, xrefs: 00B43A7A
WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE : Successful header(s): %d, xrefs: 00B4398E
WINHTTP_CALLBACK_STATUS_READ_COMPLETE : complete, xrefs: 00B43A0F
HTTP Request Status code:407. The proxy requires authentication., xrefs: 00B43860
WINHTTP_CALLBACK_STATUS_REQUEST_ERROR : error : %d, xrefs: 00B43A75
WINHTTP_CALLBACK_STATUS_REQUEST_ERROR..., xrefs: 00B43A5D

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Event$Init_thread_footer
String ID: HTTP Request Status code:407. The proxy requires authentication.$HTTPConnectorError$HttpConnector$WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE : Successful header(s): %d$WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE : error : %d$WINHTTP_CALLBACK_STATUS_HEADERS_AVAILABLE...$WINHTTP_CALLBACK_STATUS_READ_COMPLETE : complete$WINHTTP_CALLBACK_STATUS_REQUEST_ERROR : error : %d$WINHTTP_CALLBACK_STATUS_REQUEST_ERROR...
API String ID: 1146775995-3466066548
Opcode ID: b7fa8089b8bebd5db99c6c088394ca751bb83113b2633705a672d921b70da8a8
Instruction ID: e7f817dbd5b506e3ad1fe54f970599d518771915d229b4e923946c1948c7f8f8
Opcode Fuzzy Hash: b7fa8089b8bebd5db99c6c088394ca751bb83113b2633705a672d921b70da8a8
Instruction Fuzzy Hash: DFB1E070A003059FDB24DF64DC85B6EB3F4EF44B14F1805AEE947AB291DB71AA44EB60

Function 00D319CD Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D31714: CreateFileW.KERNEL32(00000000,00000000,?,00D31A76,?,?,00000000,?,00D31A76,00000000,0000000C), ref: 00D31731

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31AE1
__dosmaperr.LIBCMT ref: 00D31AE8
GetFileType.KERNEL32(00000000), ref: 00D31AF4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D31AFE
__dosmaperr.LIBCMT ref: 00D31B07
CloseHandle.KERNEL32(00000000), ref: 00D31B27
CloseHandle.KERNEL32(00000000), ref: 00D31C74
GetLastError.KERNEL32 ref: 00D31CA6
__dosmaperr.LIBCMT ref: 00D31CAD

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 3cd5bfc50db5363fdfedf1c98f6b0bb040452eba73da1b6785387dfdb7bc3c3d
Instruction ID: 5b6a5d010a24c2a844a4a982125112b84b6d522c8d91a8a5e92a29d973d475b4
Opcode Fuzzy Hash: 3cd5bfc50db5363fdfedf1c98f6b0bb040452eba73da1b6785387dfdb7bc3c3d
Instruction Fuzzy Hash: F3A12236A042569FCF19AF68DC91BAD7BA1EB06320F180159E815DF391DB34D842CB71

Function 094A00F3 Relevance: 10.1, Strings: 6, Instructions: 2576COMMON

Download Yara Rule

Strings

Px#, xrefs: 094A1526
x#, xrefs: 094A149F
Py#, xrefs: 094A151B
Pw#, xrefs: 094A1489
@y#, xrefs: 094A1531
`x#, xrefs: 094A1494

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID: @y#$Pw#$Px#$Py#$`x#$x#
API String ID: 0-644835717
Opcode ID: 80a34aaf7873a7ecf5cda67f28829f60f9fc3db50f86a149088fb0475e62cc52
Instruction ID: ec45d4e733485f68b74a655b7089a35d9cf891cde46e654c8d0a4050ca56c3cb
Opcode Fuzzy Hash: 80a34aaf7873a7ecf5cda67f28829f60f9fc3db50f86a149088fb0475e62cc52
Instruction Fuzzy Hash: 78230570A083109FDB24CF64CC82BAEB7A5EF68754F14444AF956AB381D7B6DC81CB61

Function 00D28D30 Relevance: 9.3, APIs: 6, Instructions: 298
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7a18ee4142467658f8b8714d03f3c11b413e617bceb3685022c6831572ed1a
Instruction ID: 1950bd2cc1be270acb9fb4707ec08fb500ef554f0c2c3ed869c4e4e3b31f62c5
Opcode Fuzzy Hash: 9b7a18ee4142467658f8b8714d03f3c11b413e617bceb3685022c6831572ed1a
Instruction Fuzzy Hash: 01B1F570A04369AFDB01DF98E990BADBBB2EF65318F184159E504AB392CB71D941CB70

Function 094A0594 Relevance: 8.7, Strings: 6, Instructions: 1184COMMON

Download Yara Rule

Strings

Px#, xrefs: 094A1526
x#, xrefs: 094A149F
Py#, xrefs: 094A151B
Pw#, xrefs: 094A1489
@y#, xrefs: 094A1531
`x#, xrefs: 094A1494

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID: @y#$Pw#$Px#$Py#$`x#$x#
API String ID: 0-644835717
Opcode ID: 243518fe595f6eda0b372ca2746696323c13ba09c58db3f1a2daadc8e7993e07
Instruction ID: bcdd2031d405b1c8a0c516753369de6e4b38f27ee8cdbc96878187fe012cb13b
Opcode Fuzzy Hash: 243518fe595f6eda0b372ca2746696323c13ba09c58db3f1a2daadc8e7993e07
Instruction Fuzzy Hash: 99A2AD71A043148FDB24CF58C881BAEB7B1BFA9314F15819AE949AB351D771EC81CFA1

Function 094A050A Relevance: 8.2, Strings: 6, Instructions: 654COMMON

Download Yara Rule

Strings

Px#, xrefs: 094A1526
x#, xrefs: 094A149F
Py#, xrefs: 094A151B
Pw#, xrefs: 094A1489
@y#, xrefs: 094A1531
`x#, xrefs: 094A1494

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID: @y#$Pw#$Px#$Py#$`x#$x#
API String ID: 0-644835717
Opcode ID: 2d80d9d508caaf611a659bfabf5e6e01dbfce1684e61f8001edd4c75e81831bd
Instruction ID: b1e76127058fab8118394bd449edbd1c5578bc6ba2be95049970b6a718f672c5
Opcode Fuzzy Hash: 2d80d9d508caaf611a659bfabf5e6e01dbfce1684e61f8001edd4c75e81831bd
Instruction Fuzzy Hash: 0D42A071A083148FDB24CF58C881BAAB7F1EF99314F15819AE949AB352D771EC42CF91

Function 00D291F5 Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,?,00008000,00D267ED,00008000,00D267ED,?,?,?,00D292FF,00D267ED,?,00000000,00D267ED,?), ref: 00D29231
GetLastError.KERNEL32(00000000,?,?,?,00D292FF,00D267ED,?,00000000,00D267ED,?,00000000,00008000,00D267ED,?,?,00D319EA), ref: 00D2923E

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 8f5ea1538c0c887f8d8b6c144e762856031b11cffff9a060984c98e0314fee4d
Instruction ID: 4f7fb0d9dacc46fa988c417d80736840b697a20d3c1ec142b5f6f9394e46268d
Opcode Fuzzy Hash: 8f5ea1538c0c887f8d8b6c144e762856031b11cffff9a060984c98e0314fee4d
Instruction Fuzzy Hash: 76012B32A14218FFCB058F94EC0599E7B2AEF91324F680204F8119B291EA71ED51CBB0

Function 00D24ED8 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00D2D385,?,00000000,?,?,00D2D626,?,00000007,?,?,00D2DB81,?,?), ref: 00D24EEE
GetLastError.KERNEL32(?,?,00D2D385,?,00000000,?,?,00D2D626,?,00000007,?,?,00D2DB81,?,?), ref: 00D24EF9

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 228d90fcf436747bdb8ed2e095add5812aa33b6d264715fd3f01d4bedd76b5bf
Instruction ID: e7a25d345a0027fca3a0792d9a60a0b580c847392221cb3128717d62ed5128b4
Opcode Fuzzy Hash: 228d90fcf436747bdb8ed2e095add5812aa33b6d264715fd3f01d4bedd76b5bf
Instruction Fuzzy Hash: CFE0E631104364ABCB112BE5BC097993B69EF90755F544411FA0CD7561DA75E850CBB4

Function 00D269A0 Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,00D2698F,00D31BC0,?,00000000,00000000), ref: 00D269F6
GetLastError.KERNEL32(?,00000000,?,00D2698F,00D31BC0,?,00000000,00000000), ref: 00D26A00

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 7ff471e3b169cef3a1da0d5814f589cb9bdb53801fccab6a01fcf41033db8ede
Instruction ID: a4ea7366dff588e274aee8093fc99ef3b53ad2118f3c53c41f29f1d87b9a5743
Opcode Fuzzy Hash: 7ff471e3b169cef3a1da0d5814f589cb9bdb53801fccab6a01fcf41033db8ede
Instruction Fuzzy Hash: 4E114C336043342BC620673479857AD2B8A9BA273CF280219FD18DB2D2DE71DCC1D6B0

Function 00D26831 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00D267E8

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 25e599c42cc8e809c57d9cb658c7f53879adc4e200c333fa3a8a6a81ac670089
Instruction ID: 13eb06d2406a1c0f7e411fd8a7f9445c546940e66893dba9ded3547d7cb95be2
Opcode Fuzzy Hash: 25e599c42cc8e809c57d9cb658c7f53879adc4e200c333fa3a8a6a81ac670089
Instruction Fuzzy Hash: 56113672A0420AAFCB05DF58E941D9B7BF9EF48314F1440AAF809AB351D671EE11CBA4

Function 00BD2676 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00BD267D

Part of subcall function 00BD2164: TlsAlloc.KERNEL32(?,00BD26A9,00000004,00BCFF21,00BBC3C6,00BCD7F3,00B41B52,00000002,?,?,?,?,?,00000002,?,?), ref: 00BD2183
Part of subcall function 00BD2164: RtlInitializeCriticalSection.NTDLL(00DDDCA0), ref: 00BD2194

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID:
API String ID: 2369468792-0
Opcode ID: 769f8a8a5c4077d2701dcd48511139e5212a08d763d1d1ac06de601321e0c453
Instruction ID: 45a002ce5080f9ee70bd193d49887af08a5824d374d544b66a1bd40467378979
Opcode Fuzzy Hash: 769f8a8a5c4077d2701dcd48511139e5212a08d763d1d1ac06de601321e0c453
Instruction Fuzzy Hash: 8B1139346027828BDF25AF78C855A6AB7E5EF64350B1400AAA905DB3A0FF74DC50DBB0

Function 00D2553B Relevance: 1.5, APIs: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000,00BA383D,00D2223E), ref: 00D25598

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2234d18b5224f5a2fca5220dd22a1925db799956f141b61b3b32fefd86514dc4
Instruction ID: 8f47f94e7381428e439a127d6965fb7070bf6e2f9089b57a29a5e67d79d55960
Opcode Fuzzy Hash: 2234d18b5224f5a2fca5220dd22a1925db799956f141b61b3b32fefd86514dc4
Instruction Fuzzy Hash: 49F09632504A75A6DB212E65FC00F6B376BDFB1B7CF1D4125FC549A198DB30D90085B0

Function 00D27C69 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00B3BA7E,00000000), ref: 00D27CAA

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4596ee47dbfd22af7ce6773ee1401279f8d2d9ddb27178eaf626aecbb0cc890
Instruction ID: b142f685b3dcd5db2289f085eb9e111ef737dc2407a956fd3d7b7a27ff6d13d9
Opcode Fuzzy Hash: a4596ee47dbfd22af7ce6773ee1401279f8d2d9ddb27178eaf626aecbb0cc890
Instruction Fuzzy Hash: 20F0B431508630679B316F76BC05B5A375AEF607A8B198121BC04EA291CA20DC00A6F1

Function 00D31714 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00D31A76,?,?,00000000,?,00D31A76,00000000,0000000C), ref: 00D31731

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6a82c109321ca21cf946c11b1fc04544119a8eefbde3de8b19115111661af034
Instruction ID: a7867c8f221d94d38493582a82744edf938b4cc87dd3b89f10fd4577f532dc9e
Opcode Fuzzy Hash: 6a82c109321ca21cf946c11b1fc04544119a8eefbde3de8b19115111661af034
Instruction Fuzzy Hash: C2D06C3200020DFBDF028F84DD06EDA3BAAFB48715F014100BE1896120C732E822AB90

Function 00B46D70 Relevance: 1.4, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 00B985C0: CoCreateGuid.COMBASE(00000000), ref: 00B985E5
Part of subcall function 00B985C0: StringFromGUID2.COMBASE(00000000,?,00000104), ref: 00B985F8

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B46F2A

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CloseCreateFromGuidHandleString
String ID:
API String ID: 849493299-0
Opcode ID: 88803ab86313bbb0bbcf1d46754c5e77c07747c3828aed061318968e4deb53f9
Instruction ID: 9c41bc0db1734015ec82237dd117e24976c17cdd0492d1a6beb74fc941aa0645
Opcode Fuzzy Hash: 88803ab86313bbb0bbcf1d46754c5e77c07747c3828aed061318968e4deb53f9
Instruction Fuzzy Hash: BD5178B0900709EFDB10DFA4C855B9EBBF5FF05304F10825DE519AB291E775A648CBA1

Function 07584000 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11e29946336cee951b577333642840d5421237d58b7aec868e903d98d38bb67
Instruction ID: 269715366b8086533cc834a3022a948f3cffed402eb4590da51084e635a4ce8c
Opcode Fuzzy Hash: c11e29946336cee951b577333642840d5421237d58b7aec868e903d98d38bb67
Instruction Fuzzy Hash: 4C4213F0A043A39FEB60EF54C881BFEB7A1BB45714F14415AED427B281D775AC818BA1

Function 094B1000 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c61bdfdc06fd60cab63b1a7bf51b1ec0c918f231309377e14c7e8665fb0791a
Instruction ID: dbaacf67adb8fbe664fe673eb6a2ed5cd659094f7cfab36723d1fbb311da70fd
Opcode Fuzzy Hash: 0c61bdfdc06fd60cab63b1a7bf51b1ec0c918f231309377e14c7e8665fb0791a
Instruction Fuzzy Hash: CA428B71A082159FDB14CF94C8A1AFEB7B1BF4C354F14845AE956AF381C771A882CBB1

Function 07583E44 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2596648553a9b1cf466968bf920834d6d9643a37fd392aa70693f6f088bb42e
Instruction ID: 1bb082879220a1b6dd803e70b47740079e3d7a75f342dda258c4bb39d892db36
Opcode Fuzzy Hash: b2596648553a9b1cf466968bf920834d6d9643a37fd392aa70693f6f088bb42e
Instruction Fuzzy Hash: E231A0F1E0424A9FCF14CF58C8C1AEEBBA5FB58314F20466EDD15A7385C735A9428BA1

Function 07582359 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defd298594bfb4a21df6a0d02bd579671f184f44d441b39138153176e86fd888
Instruction ID: 9d3510993d420ec7f215fe042422a6b166fc8a69e166fd6fac7add34fdf5cb55
Opcode Fuzzy Hash: defd298594bfb4a21df6a0d02bd579671f184f44d441b39138153176e86fd888
Instruction Fuzzy Hash: B031C0B0A0421A8FCB14CF08C490BE9FFF5FF49314F104249D958AB351D771A851CBA1

Function 094A05A1 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76df6767d01c63359bb40def81e2ed6dd3debf5e6c8071960e31521be257d5ee
Instruction ID: 6d463f25a898ded1f0e1312a9e44aacd12c2fb153dff6ca52b8e424d77c50b5e
Opcode Fuzzy Hash: 76df6767d01c63359bb40def81e2ed6dd3debf5e6c8071960e31521be257d5ee
Instruction Fuzzy Hash: 8391A075A042148FDB24CF18C881BAAFBF1BFA5314F15858AE98997392D771EC81CF51

Function 094A0604 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97efe8956e3bf4ec913870b747cb07b8268e1d5141a94a443109f04984a1d820
Instruction ID: bc61e325e35c5fa1306e40381fe94977de6f9812f41245e96e893243e41af4a2
Opcode Fuzzy Hash: 97efe8956e3bf4ec913870b747cb07b8268e1d5141a94a443109f04984a1d820
Instruction Fuzzy Hash: BC818B75A042188FDB24CF18C881BAAF7F1FFA5314F15858AE949A7351D771EC818F90

Function 094A05D6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2583c3b5290e93044d3b048df18a09978d3564a531a8bdca5e13ec86c5ee52
Instruction ID: e035989ff35646810db00fa2e770f006b8c96a1f92d546968a8ea5f67873abf8
Opcode Fuzzy Hash: 1e2583c3b5290e93044d3b048df18a09978d3564a531a8bdca5e13ec86c5ee52
Instruction Fuzzy Hash: 15818A75A042288FDB24CF18C881BAAFBB1FFA5314F15858AE949A7351D771EC818F90

Function 094A05ED Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a882e042448d23381000f6acd6786c4098fd64cc809502a51a9e25bbccd5df72
Instruction ID: be5b828f94bbf7ebfdedb0544a3e845fe29cbe702d1d8c3425f48f12d458964b
Opcode Fuzzy Hash: a882e042448d23381000f6acd6786c4098fd64cc809502a51a9e25bbccd5df72
Instruction Fuzzy Hash: B9818A75A042288FDB24CF18C881BAAFBB1FFA5314F15858AE949A7351D771EC818F90

Function 094A061D Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4184237496.00000000094A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_94a0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79f9237adef790e3e348840f65e62ec9f43b749af93ea54cfa569b7112fa3f6
Instruction ID: 05d35d5d7298dccab981ec7d4f238dfb290b99b9e7522a7082fc9fb2c388cf6b
Opcode Fuzzy Hash: c79f9237adef790e3e348840f65e62ec9f43b749af93ea54cfa569b7112fa3f6
Instruction Fuzzy Hash: 5D819A75A002188FDB24CF18C881BAAFBF5FFA5314F15858AE959A7351D771EC818F90

Function 07572485 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178128333.0000000007570000.00000010.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7570000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9087f37778a2f0e00e02fe602c10948d445b2f37a7f8af824cc9eaf0eb3ad9
Instruction ID: 55e115d022873f38ada3c0788fc43820fe800d77ebaf1d5fc6f06c44b9230933
Opcode Fuzzy Hash: be9087f37778a2f0e00e02fe602c10948d445b2f37a7f8af824cc9eaf0eb3ad9
Instruction Fuzzy Hash: 065128B0605351AFEB30CB68ECC5BE9BBE5BF45308F40545AEA459B282C7B598D0C762

Function 0758C486 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178179412.0000000007588000.00000010.00000800.00020000.00000000.sdmp, Offset: 07588000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7588000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649fdf076a9a05f18817ee256ad97f1b6acd3b9a53dde0da4ba1b3386893716d
Instruction ID: c776ba197982dd34fd75a5189803a264ecd03f36f2a3f645f3382775fe17c5b2
Opcode Fuzzy Hash: 649fdf076a9a05f18817ee256ad97f1b6acd3b9a53dde0da4ba1b3386893716d
Instruction Fuzzy Hash: 3541F9F07503419FDB64AA2ECC81BFA7795FF45356F0414FAEA02A7292CB65D840CA72

Function 07585800 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a378427a63d53d17ac1717f3caae47638427df574b7563f629619e27c14733
Instruction ID: 4543d4e57f86a8263bb1bdda1dd49d7f99a0bd89a53728ddccd4f280a925505f
Opcode Fuzzy Hash: 50a378427a63d53d17ac1717f3caae47638427df574b7563f629619e27c14733
Instruction Fuzzy Hash: AB5103B0910705CFDB60EF24C881BEABBB4FF06324F10455AE5567B280E7719891CFA1

Function 07586C00 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a92b151bda8de5bad770c2cb1cdf9ededf225818d57f65ff6135a920b77c82d
Instruction ID: 713e0457b93b5c562b5cb3e5afeb20447885cb70bd0b8b1322fca7e960956952
Opcode Fuzzy Hash: 7a92b151bda8de5bad770c2cb1cdf9ededf225818d57f65ff6135a920b77c82d
Instruction Fuzzy Hash: C741D0B1A042159FDB44DF04C881AEAFBE5FF88320F158659ED59BB341D730AD50CB91

Function 07582400 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e46cdedc51c8aebec2c499059d03266105cdedeceacd1a0b5fe34ef790c67f2
Instruction ID: 5a3a6f066273b232982fba72470cf3778f4b6f06d77428bca59b645b9a2de9c9
Opcode Fuzzy Hash: 0e46cdedc51c8aebec2c499059d03266105cdedeceacd1a0b5fe34ef790c67f2
Instruction Fuzzy Hash: 6C4103F064431A9FDB10EF55C891BD9BFA0FF05318F104249E9647B391D7B59851CBA1

Function 075760A7 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178128333.0000000007570000.00000010.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7570000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9b55a97035ad6bcaca227b14fd1da25b0d55b9a3d183eb96bb9ff579eb23dd
Instruction ID: 575766bc09e3fdb30f469253f2b7854e19ef9851885b85830d622a883e27351e
Opcode Fuzzy Hash: bb9b55a97035ad6bcaca227b14fd1da25b0d55b9a3d183eb96bb9ff579eb23dd
Instruction Fuzzy Hash: E231DFB0208A05AFD710CF54E895FE4B7E4FF85315F00895AE9698B252C766E852CF82

Function 07585000 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac3cf6cc0f7ba0a37a11a574997fef5e58117c384ced377420f5b0c66faebd8
Instruction ID: e270ce9e6b992fb168ca2381c2a813672a6564f247cdcd8c07d494f72301a59a
Opcode Fuzzy Hash: eac3cf6cc0f7ba0a37a11a574997fef5e58117c384ced377420f5b0c66faebd8
Instruction Fuzzy Hash: AD2105F0A81309AFCB509F55C881BEDBBA8FF05325F11055AE914B7250E771A8A0CBD1

Function 07585D08 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b7abdd2f27be169af9fa2078febcf2d1edc5f075dac55f452b313f4aef613d
Instruction ID: e0fa56438e88e800e4e81a91b2946b83fc76c7a0770cea98d388a301ed3b068a
Opcode Fuzzy Hash: a5b7abdd2f27be169af9fa2078febcf2d1edc5f075dac55f452b313f4aef613d
Instruction Fuzzy Hash: 1F21CFF4615302AFDB54EF64CD81BE973E4FF08300F090859EA66A7341E775AA608B52

Function 0757BE00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178128333.0000000007570000.00000010.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7570000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457c74c03af57ddb8bb4ffb747e669c148456a8c49c27bd5e6526f9dff0418be
Instruction ID: 49e79fb91e9f6b185104e681d0260c095437fbac3c84891a418744852588730d
Opcode Fuzzy Hash: 457c74c03af57ddb8bb4ffb747e669c148456a8c49c27bd5e6526f9dff0418be
Instruction Fuzzy Hash: CC117FF1604602AFDB118B59DC41FE6B7E8FF45620F050559FE6597390C770A851CB92

Function 0758C17E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178179412.0000000007588000.00000010.00000800.00020000.00000000.sdmp, Offset: 07588000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7588000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c850dc9ea37eeb6862c18a3d9ccc3ac32f16f6253fa2d8c5a2bb6444d98efde9
Instruction ID: 329e9285c604ee1f3d532e80a1c8406dbc751777c93894ac8ad841ba0b6d7d54
Opcode Fuzzy Hash: c850dc9ea37eeb6862c18a3d9ccc3ac32f16f6253fa2d8c5a2bb6444d98efde9
Instruction Fuzzy Hash: 6D11D0B1A0430A9FD714EE84D881EFEB765FF85324F10495FE856A3240D73694928BB2

Function 07582800 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678436ddbd8a6178c57f25b01b4fd7121a1e7eb6849344afacac82f1969dffe5
Instruction ID: 9eda1bf7c5120bdbd22721e495f427d3c2084edfa24f87e9bb62daae1c364bd8
Opcode Fuzzy Hash: 678436ddbd8a6178c57f25b01b4fd7121a1e7eb6849344afacac82f1969dffe5
Instruction Fuzzy Hash: 7B1159F13543065BFF15AA688C83AE87B84FF02315F000258EE16F7291DB5084508FA3

Function 07585E1D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913b1049c1e21815ac4318ec5e2d1e5bfd9f3c85f7ba482aad62345d5d3ad043
Instruction ID: 32d38baeef3c695667ae93723df51a834b299a45b5278f724bc4c058d208900a
Opcode Fuzzy Hash: 913b1049c1e21815ac4318ec5e2d1e5bfd9f3c85f7ba482aad62345d5d3ad043
Instruction Fuzzy Hash: 0B01BCB4204202DFDB51DF00C985BD8B7F0BF08300F054885EEA8AB351E370E9608B51

Function 075769E7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178128333.0000000007570000.00000010.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7570000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a957b861ae27b0335069c878d781d4fd09fa8e4295bb6eff5febc2c7e43e678e
Instruction ID: 605069234511b25fda6f4f94df5c1798e018546b63360a164d5a066d04bb3d02
Opcode Fuzzy Hash: a957b861ae27b0335069c878d781d4fd09fa8e4295bb6eff5febc2c7e43e678e
Instruction Fuzzy Hash: 08F0A0707453009FC721DF68EC84AE6F7E4EF5A224F4044AAF9058B2A1D765AC15C7A1

Function 0758692D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db59ac67821130910f598bad10fcee95a2b9d1ca029c691c4f86db083eee0064
Instruction ID: 5006abdbd4afc2107b0a8e59540e88c74a0c15950b53a827759e816a9ae7d64c
Opcode Fuzzy Hash: db59ac67821130910f598bad10fcee95a2b9d1ca029c691c4f86db083eee0064
Instruction Fuzzy Hash: 1CE01AB5904300EFDB50DF54C841ACCF7B1FF44720F554489A991B7651D775A6909B42

Function 075885CC Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178179412.0000000007588000.00000010.00000800.00020000.00000000.sdmp, Offset: 07588000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7588000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6dbea24120f4455d6630bef83c9494dda02ae4ab5fe4c8c2a02be772db9305f
Instruction ID: 0107fc82a744aa824c73316ea0f933589dbf41f427069d5365089832d6fa90de
Opcode Fuzzy Hash: b6dbea24120f4455d6630bef83c9494dda02ae4ab5fe4c8c2a02be772db9305f
Instruction Fuzzy Hash: CEC012377091184B8210CA8CEC40886F3D8EBC8235B1546ABEA6CC3210D622E9204BC1

Function 07585CE5 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3532e9bdfe9ef099b1936e328aa43655ded7bb1c9341291ff2a9e6df166d0ba8
Instruction ID: b1590a68f721173106c3388df8dfbef386e990dbc92692afeda48d5af673b162
Opcode Fuzzy Hash: 3532e9bdfe9ef099b1936e328aa43655ded7bb1c9341291ff2a9e6df166d0ba8
Instruction Fuzzy Hash: D9C012B1916380AFCB82CF6498858C87BF0BA40220B808595E8648B622E6288A25CB02

Function 07586177 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4178155286.0000000007581000.00000010.00000800.00020000.00000000.sdmp, Offset: 07581000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7581000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19428025f0653ecc33206f3e38f56e9203df3e159b0e4ff622f88e20b853b1fa
Instruction ID: a42d597332dd9ba43e7184a328fb6c576bbfbf249660cc83bfa584320e119e00
Opcode Fuzzy Hash: 19428025f0653ecc33206f3e38f56e9203df3e159b0e4ff622f88e20b853b1fa
Instruction Fuzzy Hash: 46C02BB4C101014FC780CF18C4811C9F7E0FB40220FA081409C29C3233D624E54747C1

Function 074F074F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F47 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F075F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F57 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0757 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F6F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F077F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F77 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F0F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F1F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F17 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F27 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F07CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0BD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0BFF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0BF7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0F87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F079F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F03BF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F024F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0657 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0A6F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0E6F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F027F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0A7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0E7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0207 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0E1F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0A2F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0E2F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0A3F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0A37 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0AEF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F02F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0EF7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0E8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0A87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0E97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0EA7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F02BF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F06B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F057F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0D7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0577 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0D0F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F051F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0D27 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F093F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F09DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F09D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F05D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F05EF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F05F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F09F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F058F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F018F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0D87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0187 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F019F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0597 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0197 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F01AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F01A7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F01B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0DB7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F084F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F044F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0847 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0C47 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0857 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F046F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0467 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F047F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0477 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F041F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0817 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F042F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F043F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04CF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04DF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04EF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04E7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04F7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F088F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F048F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0887 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0487 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F0897 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04AF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F08A7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Function 074F04B7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4177953352.00000000074F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_74f0000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction ID: a3e7ff57c30c3c519a6f4ef2049b59df0173dbf1574db4df29bb93500e9b721c
Opcode Fuzzy Hash: 2a53f5df87aa036113af4922cf7daa5a5d1063a47a94a9813af2550d5e07c575
Instruction Fuzzy Hash:

Non-executed Functions

Function 00D2EB92 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00D2EEB0,?,00000000), ref: 00D2EC2B
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00D2EEB0,?,00000000), ref: 00D2EC54
GetACP.KERNEL32(?,?,00D2EEB0,?,00000000), ref: 00D2EC69

Strings

ACP, xrefs: 00D2EBB0
OCP, xrefs: 00D2EBE6

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 67b5ac98156fb240d7f6395721ca878d291c196a429c03296ed5b2e5a425bfa9
Instruction ID: a74fbd4d9d5caa278edd852aba1683e5d7997cc37b26917cd5c2cbd8148a9fe7
Opcode Fuzzy Hash: 67b5ac98156fb240d7f6395721ca878d291c196a429c03296ed5b2e5a425bfa9
Instruction Fuzzy Hash: 2D21C532A00125AADB349F95E940A9773A6ABB0F5CF5E4164F94ADB214E732DD40E370

Function 00D2ED67 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00D2EE73
IsValidCodePage.KERNEL32(00000000), ref: 00D2EEBC
IsValidLocale.KERNEL32(?,00000001), ref: 00D2EECB
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00D2EF13
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00D2EF32

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 72ab6e1275e4bc39b998856739f01eea3ece494385683d21e964984d2119e48e
Instruction ID: 27815a1baebed99617339c060859bc89d6d2026424d7069fa50d22eac59e2847
Opcode Fuzzy Hash: 72ab6e1275e4bc39b998856739f01eea3ece494385683d21e964984d2119e48e
Instruction Fuzzy Hash: B3517C72A00225ABEB10EFA4EC45EBA77B8FF68709F090569F915E7190E770D9048B71

Function 00D2E403 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

GetACP.KERNEL32(?,?,?,?,?,?,00D20F1A,?,?,?,?,?,-00000050,?,?,?), ref: 00D2E4C4
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00D20F1A,?,?,?,?,?,-00000050,?,?), ref: 00D2E4EF
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00D2E652

Strings

utf8, xrefs: 00D2E5C1

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 4d84f2d8a28af6146276657e4ff016c645616e7175b957796272a327aa31a3a2
Instruction ID: 0d7c2b3a006dd2d3f7e0d6cd5bb0edde2adabc3d21684d7d9dbeed46933bac37
Opcode Fuzzy Hash: 4d84f2d8a28af6146276657e4ff016c645616e7175b957796272a327aa31a3a2
Instruction Fuzzy Hash: 0F71F531600726AADB24BB35EC46FBA73A8EF6471CF18446AF505D7181FB70E94187B0

Function 00D068EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00D0682F,0000001C,00D06A24,00000000,?,?,?,?,?,?,?,00D0682F,00000004,00DDFB9C,00D06AB4), ref: 00D068FB
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00D0682F,00000004,00DDFB9C,00D06AB4), ref: 00D06916

Strings

D, xrefs: 00D0690A

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 8f68092fde93546da5aab53dc0d687b0cf1fcfb8c3a09a210ef4d111776aef79
Instruction ID: bf5ace5b878b1d5415f460ddf6605c6078b91ac89253e502572555910df3418d
Opcode Fuzzy Hash: 8f68092fde93546da5aab53dc0d687b0cf1fcfb8c3a09a210ef4d111776aef79
Instruction Fuzzy Hash: AC01F772A00209ABDF14DE29DC05BDE7BA9AFC4325F0CC220ED1DDB290EA34DC118A90

Function 00D2E816 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D2E86A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D2E8B4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D2E97A

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 0a9c5055f35bb5e0ecbcd54902d03b5156755b66a80deeed8d414a4ee75f9022
Instruction ID: 006b38e035025087cf9e3c4082941fdaf764ac07487fdbb31a4afe921550b99e
Opcode Fuzzy Hash: 0a9c5055f35bb5e0ecbcd54902d03b5156755b66a80deeed8d414a4ee75f9022
Instruction Fuzzy Hash: E26194715002279FDB689F28EC82BBA77A8FF24318F18417AE905C6685E774D981DF70

Function 00D0D111 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D0D209
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D0D213
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D0D220

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fbcb8608e363ec476cde1668ffde33731a26d4cddd4f0d0745f5c069630ccac1
Instruction ID: e77c3d85913de07b39cf785f5674fc4736066bd657a573eaaeb072fd78685529
Opcode Fuzzy Hash: fbcb8608e363ec476cde1668ffde33731a26d4cddd4f0d0745f5c069630ccac1
Instruction Fuzzy Hash: F431B3749013189BCB21DF68DC89B8DBBB4AF08310F5041DAE40CA7291EB749B818F68

Function 00B5F4C0 Relevance: 2.0, Strings: 1, Instructions: 706COMMON

Download Yara Rule

Strings

gfff, xrefs: 00B5F964

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 9dda268794dd3365b89b01b4e000648b92b51f4880f13e6b30b1c81e6e6272ee
Instruction ID: 1ef6612da54bc3e68f7088616518f1d66f5ae937ebfee8ade284af656a123b40
Opcode Fuzzy Hash: 9dda268794dd3365b89b01b4e000648b92b51f4880f13e6b30b1c81e6e6272ee
Instruction Fuzzy Hash: CF527C74D0424A8BDB05CF68C4907EDFBF2EF59301F2882EAD855AB351D734988ACB94

Function 00D2EA69 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00D2EABD

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: fa0b98e78e5ed8b2b9d095f190cab5260ff72e56e06c69891f6fbf1659da6bdb
Instruction ID: e7f8325e252442858393de46c12bf08ba21cd4cbe861918b01833b2ecc005f6c
Opcode Fuzzy Hash: fa0b98e78e5ed8b2b9d095f190cab5260ff72e56e06c69891f6fbf1659da6bdb
Instruction Fuzzy Hash: 9B219272604226ABDF289E25EC42EBA73A8EF55318F14007AFD02D7191EB75ED40DB74

Function 00D2E6F0 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

EnumSystemLocalesW.KERNEL32(00D2E816,00000001,00000000,?,?,?,00D2EE47,00000000,?,?,?), ref: 00D2E762

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9e527d107473dfd096d26f878ea215f0bb9b5c77db416e61d567960a4653035f
Instruction ID: 982cf515753fc73b97d0ca75743e41470395e0c9a40d6f51fe352c02b1d49ee2
Opcode Fuzzy Hash: 9e527d107473dfd096d26f878ea215f0bb9b5c77db416e61d567960a4653035f
Instruction Fuzzy Hash: 8B11083B6047119FEB189F39E8916BAB791FF9035DB18442CE98787B40E371B942C760

Function 00D2EC98 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00D2EB13,00000000,00000000,?), ref: 00D2ECC4

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 16e4ba2fcf2fdb85a8a06d2ddfa28c67681c658c48425b1332a74abe59fb2e0c
Instruction ID: ce3fb89c6214e1a74eb79ea8df0b184ce4b48ce091ecc9684c49e2fe94e90d49
Opcode Fuzzy Hash: 16e4ba2fcf2fdb85a8a06d2ddfa28c67681c658c48425b1332a74abe59fb2e0c
Instruction Fuzzy Hash: 72F0CD32500131BBDF285765DC4ABBA7758EB5075CF1D4829EC56A3180DA74FD41D5F0

Function 00D2E5FE Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00D2E652

Strings

utf8, xrefs: 00D2E5C1

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: d86f83ea831f253a6172b69bef30e7639c4c89ac049fa2e4ccfe814438841651
Instruction ID: 57609984a16d432a3ebc4e207bc7f0548b917e4624be0ed3ae14630347610923
Opcode Fuzzy Hash: d86f83ea831f253a6172b69bef30e7639c4c89ac049fa2e4ccfe814438841651
Instruction Fuzzy Hash: A6F0C832610215ABCB14AB74EC46EBA33ACDF54319F14017AF507D7281EA78ED048774

Function 00D2E78B Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

EnumSystemLocalesW.KERNEL32(00D2EA69,00000001,?,?,?,?,00D2EE0B,?,?,?,?), ref: 00D2E7D5

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e8782162ddb71399258d95c3ccf4c3fa4bba393eed37b030a58d15481634c69b
Instruction ID: c0865a05949389cc9babffc4f5c799fad5d799305da3d92991ae25e97e51acd5
Opcode Fuzzy Hash: e8782162ddb71399258d95c3ccf4c3fa4bba393eed37b030a58d15481634c69b
Instruction Fuzzy Hash: 14F0C2362003149FDB145F75E891A7A7B95FF8076CF09442DF9058B680D671AC01C670

Function 00D27CD3 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D243B1: RtlEnterCriticalSection.NTDLL(-00DE0160), ref: 00D243C0

EnumSystemLocalesW.KERNEL32(00D27CC6,00000001,00DCFA10,0000000C,00D28135,00000000), ref: 00D27D0B

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 0da2f8ec94b05770bd1ebc931b0e212c8f2c597c6aaf725af874b5b31d8c58c6
Instruction ID: 4027d25c8224e29528a1529c522b33cf7126aef92865cb55093c93db86de5659
Opcode Fuzzy Hash: 0da2f8ec94b05770bd1ebc931b0e212c8f2c597c6aaf725af874b5b31d8c58c6
Instruction Fuzzy Hash: C4F0C972A44714EFD710EF58E842B9977B1EB44725F10812AE815DB3A1CAB599448F60

Function 00D2E6A5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D25250: GetLastError.KERNEL32(?,00000008,00D1C949), ref: 00D25254
Part of subcall function 00D25250: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00D252F6

EnumSystemLocalesW.KERNEL32(00D2E5FE,00000001,?,?,?,00D2EE69,?,?,?,?), ref: 00D2E6DC

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 529207d65f11ac82a3f152df419d6f93ee7b2e0b1145b3cc2826984565d88a76
Instruction ID: 9947d86e92bd709e4d26135fc7deeab85527065c23de4efc8e637b673ade8fc3
Opcode Fuzzy Hash: 529207d65f11ac82a3f152df419d6f93ee7b2e0b1145b3cc2826984565d88a76
Instruction Fuzzy Hash: 32F0553630021597CB149F39E845A6ABF94EFE1729B0A0058EA0A8B290C631D842C7B0

Function 00D28290 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,00D21A80,?,20001004,00000000,00000002), ref: 00D282C4

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cd0c392e69b68d39502cb84fdaee50952e300f442dd037c4d6347e1baa121e66
Instruction ID: 56329cc9aeb63e1ae36c3ad1ab312416454db634f5dd7e4038308f14b3894625
Opcode Fuzzy Hash: cd0c392e69b68d39502cb84fdaee50952e300f442dd037c4d6347e1baa121e66
Instruction Fuzzy Hash: 69E04F35501628FBCF122F60EC05EAE3E1AEF64766F054010FD1566221CB75C921AAF4

Function 00D299BF Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a17970b61489502ba60a40ba5fe6d5ed7b00a4b343cb89e20bd7a194d5aceb0
Instruction ID: a9d0fbe013d427aefba591bb20b0b5ff4aeb6179e1120b7773b93cd2de59bd9f
Opcode Fuzzy Hash: 4a17970b61489502ba60a40ba5fe6d5ed7b00a4b343cb89e20bd7a194d5aceb0
Instruction Fuzzy Hash: E2E04632915238EBCB24DB89991598AF2ECEB44B18F15049AB511E3100C270DE40CBE0

Function 00D1C54C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba09cb2b25d7ad3c5c86da38ba895a255f370f433b8eabb3635a0f4d1c6449a9
Instruction ID: cadb65123fd0c751804765aa4e419349d8b9ce9321048fab2541c74db38cbe24
Opcode Fuzzy Hash: ba09cb2b25d7ad3c5c86da38ba895a255f370f433b8eabb3635a0f4d1c6449a9
Instruction Fuzzy Hash: 3DC08CB4090D605ADE29D914A2F13E83356E3A1F82F88248CC4030BA43CD1EECC3EA30

Function 00BD27C2 Relevance: 15.2, APIs: 10, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00BD27C9
RtlEnterCriticalSection.NTDLL(00000000), ref: 00BD27DA
TlsGetValue.KERNEL32(?,?,00000000,?,?,00000002,?,?,?,00B478FA,?,807DFC22), ref: 00BD27F6
LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,?,00000002,?,?,?,00B478FA,?,807DFC22), ref: 00BD285F
LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,?,00000002,?,?,?,00B478FA,?,807DFC22), ref: 00BD286D
TlsSetValue.KERNEL32(?,00000000,807DFC22), ref: 00BD289E
RtlLeaveCriticalSection.NTDLL(00B478FA), ref: 00BD28BC

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
String ID:
API String ID: 1707010094-0
Opcode ID: 9ad0b5a28677820268ae6a05daf35cd66c67a0b9858871b7c2a5259838fd175d
Instruction ID: b82a48f5bc996f1a6eb5238eaf9cce7a320755af36bdfdfa38926415f24990ee
Opcode Fuzzy Hash: 9ad0b5a28677820268ae6a05daf35cd66c67a0b9858871b7c2a5259838fd175d
Instruction Fuzzy Hash: 0251A970900B449FCB24DF15C885B6ABBF0FF10310F1085AEE95A9B7A1EB71E900CBA0

Function 00B43510 Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 173COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000029,00000000,00000000,00000000,00000000,807DFC22,00000000,00000000), ref: 00B43582
GetLastError.KERNEL32 ref: 00B435D2

Strings

Digest, xrefs: 00B43675
Negotiate, xrefs: 00B43708
Basic, xrefs: 00B43648
NTLM, xrefs: 00B436A6
Passport, xrefs: 00B436D7

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ErrorLast
String ID: Basic$Digest$NTLM$Negotiate$Passport
API String ID: 1452528299-3737144375
Opcode ID: 0d2464d3dda777f6f238cbe277eb512edd5ab955daccf78a5a403602bf24abcc
Instruction ID: 2c136008d957c0f9f9505ff9d0680bc91e94b296fc99761c1ea45bebdf003303
Opcode Fuzzy Hash: 0d2464d3dda777f6f238cbe277eb512edd5ab955daccf78a5a403602bf24abcc
Instruction Fuzzy Hash: 4A51E471A04209ABDB14CFA8CC42BEEBBF0EF58B10F184159E905B72C1E771A644CB71

Function 00D0A180 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D0A1B7
___except_validate_context_record.LIBVCRUNTIME ref: 00D0A1BF
_ValidateLocalCookies.LIBCMT ref: 00D0A248
__IsNonwritableInCurrentImage.LIBCMT ref: 00D0A273
_ValidateLocalCookies.LIBCMT ref: 00D0A2C8

Strings

csm, xrefs: 00D0A25D

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c6d3b230ae5c4e2958217111e33cdef2bff5b8371f2fe09be890985593a37a9f
Instruction ID: 0417fc44f2f5dfb258ca6835601ef6c0688a8db150683744c40313b1b1ab244e
Opcode Fuzzy Hash: c6d3b230ae5c4e2958217111e33cdef2bff5b8371f2fe09be890985593a37a9f
Instruction Fuzzy Hash: 4D419F34A00309ABCF10DF6CC885B9E7BA5EF45324F188165E91D9B392D736DA05CBB6

Function 00B980D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,74DF2F60,?,?,?,?,?), ref: 00B980EF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 00B9813E
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00B98148

Strings

Failed to convert WideCharToMultiByte. ErrorCode::%d, xrefs: 00B9814F
StringUtils, xrefs: 00B98112, 00B98159
Error allocating memory while converting Native string to UTF8 string, xrefs: 00B98108

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Error allocating memory while converting Native string to UTF8 string$Failed to convert WideCharToMultiByte. ErrorCode::%d$StringUtils
API String ID: 1717984340-36406343
Opcode ID: ae95f5bde8d6d0ec8ef987e72cf8fc027990f329f15fca01cc7b20637688b7f1
Instruction ID: 1865c93461b0e2db3725dc0ea6196f8d08881fb957450cccef19e8fcfd056229
Opcode Fuzzy Hash: ae95f5bde8d6d0ec8ef987e72cf8fc027990f329f15fca01cc7b20637688b7f1
Instruction Fuzzy Hash: C821EB367853147AEA2076A85C07FBB3B98CF97B21F1402A5FD04B72C2D9E1590642B6

Function 00D27E9C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00D27FA9,00000000,?,00000000,00000000,?,?,00D28213,00000021,FlsSetValue,00D8DB34,00D8DB3C,00000000), ref: 00D27F5D

Strings

api-ms-, xrefs: 00D27EF3
ext-ms-, xrefs: 00D27F07

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 6b29eb52634ff59ea8a2d2e81dc1bdc1735918e9ade67470c3053f83e83989c3
Instruction ID: bfffd7c5eda2ffd53f4af133cd475b7bc5e3898f209579fe1f053dfaf54cb966
Opcode Fuzzy Hash: 6b29eb52634ff59ea8a2d2e81dc1bdc1735918e9ade67470c3053f83e83989c3
Instruction Fuzzy Hash: AB21F335A09321ABDB319B60BD81A5A3768EF65768F280150F915E73D0EB30ED01C6F0

Function 00D06835 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00D068B0,00D06813,00D06AB4), ref: 00D0684C
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00D06862
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00D06877

Strings

KERNEL32.DLL, xrefs: 00D06847
ReleaseSRWLockExclusive, xrefs: 00D0686C
AcquireSRWLockExclusive, xrefs: 00D0685C

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 5eb2102eb99c068352124d88253348a0c330636819b62796d8927fe5ebc33fec
Instruction ID: f8da61c1d9965709d8b717b74594ac1229561e77b9d456746f5d9b1a105e6c8e
Opcode Fuzzy Hash: 5eb2102eb99c068352124d88253348a0c330636819b62796d8927fe5ebc33fec
Instruction Fuzzy Hash: D0F0AF71B423226BDF315FA09DA07BA63889A457A139D813AFC4AE32C0E610CC9457B0

Function 00B4B4B0 Relevance: 9.2, APIs: 6, Instructions: 155COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B4B4FD
std::_Lockit::_Lockit.LIBCPMT ref: 00B4B51F
std::_Lockit::~_Lockit.LIBCPMT ref: 00B4B547
__Getctype.LIBCPMT ref: 00B4B627
std::_Facet_Register.LIBCPMT ref: 00B4B669
std::_Lockit::~_Lockit.LIBCPMT ref: 00B4B693

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 3a0cf564992e15cfb249a5906c1a670dfbefd97d153e09a08a35863fa0bf9386
Instruction ID: 5d757beb67b54b7e07a488f1a1628ed63d503b5daf5539aa539253cdb03e539a
Opcode Fuzzy Hash: 3a0cf564992e15cfb249a5906c1a670dfbefd97d153e09a08a35863fa0bf9386
Instruction Fuzzy Hash: 57616AB1D05248CFDB10CF58C891BAEBBF4EB14710F248299D946AB381DB74AA45DBA1

Function 00B981B0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00DE0C50,000000FF,00000000,00000000,00000405,?,?,00000000,00000038,?), ref: 00B981CB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00DE0C50,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,00D99834), ref: 00B9821B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00D99834,?,?,00000000,00000000,0000000D), ref: 00B98225

Strings

StringUtils, xrefs: 00B981F5, 00B98236
Error allocating memory while converting UTF8 string to Native string, xrefs: 00B981EB
Failed to convert MultiByteToWideChar. ErrorCode::%d, xrefs: 00B9822C

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Error allocating memory while converting UTF8 string to Native string$Failed to convert MultiByteToWideChar. ErrorCode::%d$StringUtils
API String ID: 1717984340-281077328
Opcode ID: 98aa6152b4c99b22067d91a7e3707026b45f23efb588dba4f5349688fc5b48b2
Instruction ID: eed0caca477b52fd18eee608e2c7b7997e7b4bd4433977ce08d711338701831f
Opcode Fuzzy Hash: 98aa6152b4c99b22067d91a7e3707026b45f23efb588dba4f5349688fc5b48b2
Instruction Fuzzy Hash: EA213E36B853143BCB207BA46C07F9B37D8DF86711F1402A9FD09E72C2D9A1550582B5

Function 00D1C56E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,807DFC22,00000000,?,00000000,00D440B0,000000FF,?,00D1C4FE,?,?,00D1C4D2,00000000), ref: 00D1C5A3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D1C5B5
FreeLibrary.KERNEL32(00000000,?,00000000,00D440B0,000000FF,?,00D1C4FE,?,?,00D1C4D2,00000000), ref: 00D1C5D7

Strings

CorExitProcess, xrefs: 00D1C5AD
mscoree.dll, xrefs: 00D1C59C

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1500d54ffbdda15b3d6c7c3c74eab52fb5eb78309b35544f1fe062cd21cbf4da
Instruction ID: a7871cf4b3f273e09cdc93edb5024105d7dda06407f17235245e0cfc9fc3accf
Opcode Fuzzy Hash: 1500d54ffbdda15b3d6c7c3c74eab52fb5eb78309b35544f1fe062cd21cbf4da
Instruction Fuzzy Hash: A9018F32994719EFEB118F50EC09BAEB7B9FB04B11F444225F811E2290DB749940CAB0

Function 00BBD56F Relevance: 7.6, APIs: 5, Instructions: 118memorystringCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00BBD5DC
GlobalLock.KERNEL32(00000000), ref: 00BBD605
lstrcmpW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00BD9208,000000F1,00000010,00BD9BCF,00DC2A3C,00000010,00000008,00BD9922), ref: 00BBD61E
GlobalAlloc.KERNEL32(00000042,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,?,?,?), ref: 00BBD65B
GlobalLock.KERNEL32(00000000), ref: 00BBD669

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Global$Lock$Alloc_memcpy_slstrcmp
String ID:
API String ID: 1877131249-0
Opcode ID: 78b3817e904568167ad90e8621f8c89afc868a882475728b6178d8da3cfc3171
Instruction ID: d729f051e6cca877ec00e2bbc5f45d62c6676cce48cb0c42d97825ddc20747dc
Opcode Fuzzy Hash: 78b3817e904568167ad90e8621f8c89afc868a882475728b6178d8da3cfc3171
Instruction Fuzzy Hash: 8A41B571600618EFDB119F64CC85EBABBEDEF04740B44009AF906D7261EB75ED10CBA0

Function 00D07DC6 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D07DCD
std::_Lockit::_Lockit.LIBCPMT ref: 00D07DD8
std::_Lockit::~_Lockit.LIBCPMT ref: 00D07E46

Part of subcall function 00D07F28: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D07F40

std::locale::_Setgloballocale.LIBCPMT ref: 00D07DF3
_Yarn.LIBCPMT ref: 00D07E09

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 41442ef83219fd16a346e087ded75c46d8a1b504533176da948192a24724d53b
Instruction ID: a3c535171be0d0b8272c9dedc8f6db3d42f289c9588174465f999afa44c51f68
Opcode Fuzzy Hash: 41442ef83219fd16a346e087ded75c46d8a1b504533176da948192a24724d53b
Instruction Fuzzy Hash: BF017C75A056159BC706EB20D84577D7BA2FF84341B18004AEC0A9B3D1CF74AE42CBF5

Function 00B48670 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00B48719

Part of subcall function 00D0982C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B383CC,?,?,?,?,00B383CC,00000000,00DCFBE8,00000000,00000000,?,00B9863E,?), ref: 00D0988C

Strings

ios_base::badbit set, xrefs: 00B486A7, 00B486D2
ios_base::failbit set, xrefs: 00B486B1
ios_base::eofbit set, xrefs: 00B486B6

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: a722f080d214d6b7781b65acfd0def844aaa7e920b5736fee651ebd7c713befa
Instruction ID: da63283c1b4870775bf173b316af6b8e6a2df714d9da030f4d82254b714b3111
Opcode Fuzzy Hash: a722f080d214d6b7781b65acfd0def844aaa7e920b5736fee651ebd7c713befa
Instruction Fuzzy Hash: 4311C8B29446046BCB10DF58DC52BAA73D8EB05710F0485AAFD58873C1EE359A04D7F5

Function 00D25B5B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(807DFC22,00D267ED,00000000,?), ref: 00D25BBE

Part of subcall function 00D2C732: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00D29517,?,00000000,-00000008), ref: 00D2C7DE

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D25E19
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00D25E61
GetLastError.KERNEL32 ref: 00D25F04

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a280c7a67e6f72621a84290d8a4e2a493ed3d948de1d5f628e1cb91a78a55020
Instruction ID: d164d86a5378552699aa001d3bfabb693a04ba7fd542e9e43271c6af8e2ebfad
Opcode Fuzzy Hash: a280c7a67e6f72621a84290d8a4e2a493ed3d948de1d5f628e1cb91a78a55020
Instruction Fuzzy Hash: 50D18A75D006589FCF05CFA8E880AADBBB4FF18318F18462AE855EB355E730A945CF60

Function 00BD77A5 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00DDDEC0), ref: 00BD77D6
RtlInitializeCriticalSection.NTDLL(00000000), ref: 00BD77EC
RtlLeaveCriticalSection.NTDLL(00DDDEC0), ref: 00BD77FA
RtlEnterCriticalSection.NTDLL(00000000), ref: 00BD7807

Part of subcall function 00BD773C: RtlInitializeCriticalSection.NTDLL(00DDDEC0), ref: 00BD7754

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 2da31c1f6c3762f3a9f369f6624792bbdde707bf249f7da6d5f1e9a5b8135021
Instruction ID: 34e2ebbc219c620ceb9392cff2c6c80892693f928bbcd5fde21213f09ebcc28e
Opcode Fuzzy Hash: 2da31c1f6c3762f3a9f369f6624792bbdde707bf249f7da6d5f1e9a5b8135021
Instruction Fuzzy Hash: C8F062729053189BDF002B54EC88AA9BBAEEB62726F840467F941D7311EB31CC41CAB5

Function 00BD271B Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(00DDDCA0), ref: 00BD2727
TlsGetValue.KERNEL32(00DDDC84,?,?,?,?,00BD2717,00000000,00000004,00BCFF21,00BBC3C6,00BCD7F3,00B41B52,00000002,?,?,?), ref: 00BD273B
RtlLeaveCriticalSection.NTDLL(00DDDCA0), ref: 00BD2755
RtlLeaveCriticalSection.NTDLL(00DDDCA0), ref: 00BD2760

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 8bb384cfa368fc111ca0a9b69f8334ef5b968414d1193e530af4fdc1b19327e8
Instruction ID: b701ff03ba66c9ebe6a0aea2ddbb681da711274f1a26634aa8ae22625e3ec6c1
Opcode Fuzzy Hash: 8bb384cfa368fc111ca0a9b69f8334ef5b968414d1193e530af4fdc1b19327e8
Instruction Fuzzy Hash: 83F0B436200358AFCB205F15DD8886AFBACFE257623054496E926D7716DB30EC06CBB1

Function 00D3478B Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00D267ED,00000000,00000000,00000000,?,00D313F1,00000000,00000001,00000000,?,?,00D25F58,?,00D267ED,00000000), ref: 00D347A2
GetLastError.KERNEL32(?,00D313F1,00000000,00000001,00000000,?,?,00D25F58,?,00D267ED,00000000,?,?,?,00D26516,00D34918), ref: 00D347AE

Part of subcall function 00D34774: CloseHandle.KERNEL32(FFFFFFFE,00D347BE,?,00D313F1,00000000,00000001,00000000,?,?,00D25F58,?,00D267ED,00000000,?,?), ref: 00D34784

___initconout.LIBCMT ref: 00D347BE

Part of subcall function 00D34736: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D34765,00D313DE,?,?,00D25F58,?,00D267ED,00000000,?), ref: 00D34749

WriteConsoleW.KERNEL32(00000000,00D267ED,00000000,00000000,?,00D313F1,00000000,00000001,00000000,?,?,00D25F58,?,00D267ED,00000000,?), ref: 00D347D3

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6eef89aa99a998cb3efb252c45fbf5107116d3aabbe957c79951996c0d1d5f29
Instruction ID: 33928f3e686ae9e4b610b8159f8982e6347e555c3a1692abc4eb47b11c07e0ec
Opcode Fuzzy Hash: 6eef89aa99a998cb3efb252c45fbf5107116d3aabbe957c79951996c0d1d5f29
Instruction Fuzzy Hash: DCF0C036501265BBCF221F95DC08D993F66FB0A3A1F454110FE59D6631D732E8209BF0

Function 00D054B0 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00D0544D,00000064), ref: 00D054D3
RtlLeaveCriticalSection.NTDLL(00DDF800), ref: 00D054DD
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00D0544D,00000064,?,00B385B1,00DE0C2C,807DFC22,00000000,00D363D1,000000FF,?,00B461F5,HTTPSend_01,0000000B), ref: 00D054EE
RtlEnterCriticalSection.NTDLL(00DDF800), ref: 00D054F5

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: bf22dc2e50dc8620e5fb81e5bdbbddaf6e0022ba612c2cdfc0e04b91ccc04aee
Instruction ID: 6a2f7fe5febcb8db73fd1f76762f0102d4070ae0fc9edae469a7f447903aa9a2
Opcode Fuzzy Hash: bf22dc2e50dc8620e5fb81e5bdbbddaf6e0022ba612c2cdfc0e04b91ccc04aee
Instruction Fuzzy Hash: 58E0ED31645724BBC7011B54EC09AD93B14EF05B52B644032FE0A97360C76199409BF5

Function 00B47F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B47F6B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B47FCE

Part of subcall function 00D07EC3: _Yarn.LIBCPMT ref: 00D07EE2
Part of subcall function 00D07EC3: _Yarn.LIBCPMT ref: 00D07F06

Strings

bad locale name, xrefs: 00B47FF1

Memory Dump Source

Source File: 00000002.00000002.4170156045.0000000000B31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000002.00000002.4170099433.0000000000B30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E5E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E69000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000E83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F21000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4170156045.0000000000F58000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171380435.0000000000F6F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.4171417182.0000000000F70000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_b30000_Reader_Install_Setup.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: b02b192be05bab184071c9d3eafdd21ddf1e0099b86462a2d9d2c99c0a76ed4d
Instruction ID: b742495310994795ab231bf0c4aec370b9739120333a906d66cd5cf10d9efe2f
Opcode Fuzzy Hash: b02b192be05bab184071c9d3eafdd21ddf1e0099b86462a2d9d2c99c0a76ed4d
Instruction Fuzzy Hash: D821D270809784DED721CF68C90474BBFF4EF15714F10869EE49997B81D7B5A608CBA1

Analysis Process: rundll32.exePID: 7408, Parent PID: 7328COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	90
Total number of Limit Nodes:	4

Executed Functions

Function 0000022E660F60B0 Relevance: 77.8, APIs: 29, Strings: 15, Instructions: 775networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0000022E660F621D
WSAGetLastError.WS2_32 ref: 0000022E660F6234
socket.WS2_32 ref: 0000022E660F653A
freeaddrinfo.WS2_32 ref: 0000022E660F6561
socket.WS2_32 ref: 0000022E660F6577
WSAGetLastError.WS2_32 ref: 0000022E660F6586
setsockopt.WS2_32 ref: 0000022E660F6606
WSAGetLastError.WS2_32 ref: 0000022E660F6619
closesocket.WS2_32 ref: 0000022E660F6626
ioctlsocket.WS2_32 ref: 0000022E660F669E
WSAGetLastError.WS2_32 ref: 0000022E660F66B1
closesocket.WS2_32 ref: 0000022E660F66BE
connect.WS2_32 ref: 0000022E660F672C
WSAGetLastError.WS2_32 ref: 0000022E660F673B
select.WS2_32 ref: 0000022E660F6794
WSASetLastError.WS2_32 ref: 0000022E660F67A7
getsockopt.WS2_32 ref: 0000022E660F67F5
WSASetLastError.WS2_32 ref: 0000022E660F67FF
__WSAFDIsSet.WS2_32 ref: 0000022E660F6811
getsockopt.WS2_32 ref: 0000022E660F6848
WSASetLastError.WS2_32 ref: 0000022E660F6852
closesocket.WS2_32 ref: 0000022E660F685B
std::_Deallocate.LIBCONCRT ref: 0000022E660F68EF
std::_Deallocate.LIBCONCRT ref: 0000022E660F691B
WSAGetLastError.WS2_32 ref: 0000022E660F695D
closesocket.WS2_32 ref: 0000022E660F696C
std::_Deallocate.LIBCONCRT ref: 0000022E660F69D8
std::_Deallocate.LIBCONCRT ref: 0000022E660F6A08
new.LIBCMT ref: 0000022E660F6C0C

Strings

(Connector::NewConnect) Timeout for connect is out : wsaerror=, xrefs: 0000022E660F6990
(Connector::NewConnect) Connection alredy exist, xrefs: 0000022E660F6139
(Connector::NewConnect) Set non-blocking mode failed : wsaerror=, xrefs: 0000022E660F66D6
ai_protocol = , xrefs: 0000022E660F6AC4
(Connector::NewConnect) Setup connection parameters failed - , xrefs: 0000022E660F6252
(Connector::NewConnect) Socket is not set in write - wsaerror= , xrefs: 0000022E660F6883
ai_family = , xrefs: 0000022E660F6AE8
failed : wsaerror=, xrefs: 0000022E660F6AA0
type= , xrefs: 0000022E660F6894
ai_socktype = , xrefs: 0000022E660F6B0C
(Connector::NewConnect) Setup socket option failed : wsaerror=, xrefs: 0000022E660F663E
L', xrefs: 0000022E660F6972
: wsaerror=, xrefs: 0000022E660F6287
(Connector::NewConnect) Attempt to connect to , xrefs: 0000022E660F6A62
(Connector::NewConnect)Create socket failed : wsaerror=, xrefs: 0000022E660F65A2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Deallocateclosesocketstd::_$getsockoptsocket$connectfreeaddrinfogetaddrinfoioctlsocketselectsetsockopt
String ID: : wsaerror=$ ai_family = $ ai_protocol = $ ai_socktype = $ failed : wsaerror=$ type= $(Connector::NewConnect) Attempt to connect to $(Connector::NewConnect) Connection alredy exist$(Connector::NewConnect) Set non-blocking mode failed : wsaerror=$(Connector::NewConnect) Setup connection parameters failed - $(Connector::NewConnect) Setup socket option failed : wsaerror=$(Connector::NewConnect) Socket is not set in write - wsaerror= $(Connector::NewConnect) Timeout for connect is out : wsaerror=$(Connector::NewConnect)Create socket failed : wsaerror=$L'
API String ID: 1663791422-4130243403
Opcode ID: fe1debe53bb62fb23178981888ee4f248a1ab2c89319792f8000e5fc88491f56
Instruction ID: 068f29e56552c7285675fd63f475003ef61a99d72e0a28c6cf8a3c9e9f6ce654
Opcode Fuzzy Hash: fe1debe53bb62fb23178981888ee4f248a1ab2c89319792f8000e5fc88491f56
Instruction Fuzzy Hash: 7D62C2A1631640B9EF50EBE2D85C3FE7368F7A1754F122525AA2D43ADADF38C944E700

Function 0000022E65FD505C Relevance: 41.2, APIs: 3, Strings: 20, Instructions: 904
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022E66117364: GetLastError.KERNEL32 ref: 0000022E6611738E
Part of subcall function 0000022E66117364: ExitThread.KERNEL32 ref: 0000022E66117396

WaitForSingleObject.KERNEL32 ref: 0000022E65FD50CC

Strings

Trusted connection started, xrefs: 0000022E65FD5D4F
kSevFxr92Wwmuht3RfZcQHYiz4pj087CNKdlaL5D, xrefs: 0000022E65FD59FD
sdl, xrefs: 0000022E65FD5829
generate_sys_info_hit passed, xrefs: 0000022E65FD6194
shi, xrefs: 0000022E65FD5700
gdt, xrefs: 0000022E65FD58EF
300, xrefs: 0000022E65FD5294
Failed DoHandshake, xrefs: 0000022E65FD5AFB
generate_request, xrefs: 0000022E65FD6095
NEW_BLACK, xrefs: 0000022E65FD511B
ins, xrefs: 0000022E65FD588C
SrvResponseStatus != 1, xrefs: 0000022E65FD621C
plg, xrefs: 0000022E65FD5952
.live, xrefs: 0000022E65FD52C4
generate_ping, xrefs: 0000022E65FD5E95
dij, xrefs: 0000022E65FD5763
Starting connection loop, xrefs: 0000022E65FD5AC2
dex, xrefs: 0000022E65FD57C6
UnpackJsonToPong, xrefs: 0000022E65FD5F98
UnpackJsonToTasks, xrefs: 0000022E65FD61CC

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastObjectSingleThreadWait
String ID: .live$300$Failed DoHandshake$NEW_BLACK$SrvResponseStatus != 1$Starting connection loop$Trusted connection started$UnpackJsonToPong$UnpackJsonToTasks$dex$dij$gdt$generate_ping$generate_request$generate_sys_info_hit passed$ins$kSevFxr92Wwmuht3RfZcQHYiz4pj087CNKdlaL5D$plg$sdl$shi
API String ID: 1181180325-1389462401
Opcode ID: 704ea699bb37593799e970bc278b9b1975cc6b7e2285913e5d0d90780658397d
Instruction ID: 922c3e2045cd80b80288a4df9648d0ef53b06cf446d4ead4cdd6ab6aa2ad0c3b
Opcode Fuzzy Hash: 704ea699bb37593799e970bc278b9b1975cc6b7e2285913e5d0d90780658397d
Instruction Fuzzy Hash: D4A23866710B80ADEF20EFB5EC442ED37A8F761348F420615DB495BAAADF34C658E344

Function 0000022E660F4FB0 Relevance: 40.8, APIs: 13, Strings: 10, Instructions: 528
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32 ref: 0000022E660F51BC
__WSAFDIsSet.WS2_32 ref: 0000022E660F51DB
__WSAFDIsSet.WS2_32 ref: 0000022E660F51F3
recv.WS2_32 ref: 0000022E660F5210
WSAGetLastError.WS2_32 ref: 0000022E660F5225
WSAGetLastError.WS2_32 ref: 0000022E660F5334
getsockopt.WS2_32 ref: 0000022E660F54BF
std::_Deallocate.LIBCONCRT ref: 0000022E660F552A
std::_Deallocate.LIBCONCRT ref: 0000022E660F555E
WSAGetLastError.WS2_32 ref: 0000022E660F5568
WSAGetLastError.WS2_32 ref: 0000022E660F567C
getsockopt.WS2_32 ref: 0000022E660F542D

Part of subcall function 0000022E660F4C80: closesocket.WS2_32 ref: 0000022E660F4CF2

Sleep.KERNEL32 ref: 0000022E660F5243

Part of subcall function 0000022E660F48E0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000022E660F4A35

Strings

(Connector::DoRecv) Input parameters incorrect, xrefs: 0000022E660F5016
(Connector::DoRecv) Fd is not set read : wsaerror=, xrefs: 0000022E660F544E
(Connector::DoRecv) Select timeout failed : wsaerror=, xrefs: 0000022E660F56A1
(Connector::DoRecv) Nothing was recv - connection aborted : wsaerror=, xrefs: 0000022E660F53B2
(Connector::DoRecv) timeout for recv is out : wsaerror=, xrefs: 0000022E660F5585
(Connector::DoRecv) Recv buffer failed : wsaerror=, xrefs: 0000022E660F52EB
(Connector::DoRecv) No connection, xrefs: 0000022E660F50CE
(Connector::DoRecv) Fd is set exception: wsaerror=, xrefs: 0000022E660F54E0
(Connector::DoRecv) Recv buffer failed - connection aborted : wsaerror=, xrefs: 0000022E660F52A1
(Connector::DoRecv) Nothing was recv : wsaerror=, xrefs: 0000022E660F5361

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Deallocategetsockoptstd::_$Ios_base_dtorSleepclosesocketrecvselectstd::ios_base::_
String ID: (Connector::DoRecv) Fd is not set read : wsaerror=$(Connector::DoRecv) Fd is set exception: wsaerror=$(Connector::DoRecv) Input parameters incorrect$(Connector::DoRecv) No connection$(Connector::DoRecv) Nothing was recv - connection aborted : wsaerror=$(Connector::DoRecv) Nothing was recv : wsaerror=$(Connector::DoRecv) Recv buffer failed - connection aborted : wsaerror=$(Connector::DoRecv) Recv buffer failed : wsaerror=$(Connector::DoRecv) Select timeout failed : wsaerror=$(Connector::DoRecv) timeout for recv is out : wsaerror=
API String ID: 1722691136-3325305776
Opcode ID: 3a1f28025f96cbf383587fb27e3240c4daede2229cf8c7aa9ac79cd90a61f0b3
Instruction ID: ddc1b3e7854863537ac0a45d2795e15aa5335668e1939c6b010b61511234ed4a
Opcode Fuzzy Hash: 3a1f28025f96cbf383587fb27e3240c4daede2229cf8c7aa9ac79cd90a61f0b3
Instruction Fuzzy Hash: FC2228B6625641B6EE90EBE5D04C3BFB368F7B1360F516621AA6D03AD6DB7CC440DB00

Function 0000022E660F57C0 Relevance: 33.7, APIs: 11, Strings: 8, Instructions: 452
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

select.WS2_32 ref: 0000022E660F59B4
__WSAFDIsSet.WS2_32 ref: 0000022E660F59D3
__WSAFDIsSet.WS2_32 ref: 0000022E660F59EB
send.WS2_32 ref: 0000022E660F5A05
getsockopt.WS2_32 ref: 0000022E660F5B18
std::_Deallocate.LIBCONCRT ref: 0000022E660F5C13
std::_Deallocate.LIBCONCRT ref: 0000022E660F5C44
WSAGetLastError.WS2_32 ref: 0000022E660F5C4E
WSAGetLastError.WS2_32 ref: 0000022E660F5D62
getsockopt.WS2_32 ref: 0000022E660F5BAB

Part of subcall function 0000022E660F4C80: closesocket.WS2_32 ref: 0000022E660F4CF2

WSAGetLastError.WS2_32 ref: 0000022E660F5A27

Part of subcall function 0000022E660F48E0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000022E660F4A35

Strings

(Connector::DoSend) timeout for send is out : wsaerror=, xrefs: 0000022E660F5C6B
(Connector::DoSend) Fd is set exception : wsaerror=, xrefs: 0000022E660F5BCC
(Connector::DoSend) Input parameters incorrect, xrefs: 0000022E660F5826
(Connector::DoSend) Select timeout failed : wsaerror=, xrefs: 0000022E660F5D87
(Connector::DoSend) No connection, xrefs: 0000022E660F58DE
(Connector::DoSend) Send buffer failed : wsaerror=, xrefs: 0000022E660F5AA0
(Connector::DoSend) Send buffer failed - connection aborted: wsaerror=, xrefs: 0000022E660F5A59
(Connector::DoSend) Fd is not set write : wsaerror=, xrefs: 0000022E660F5B39

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$Deallocategetsockoptstd::_$Ios_base_dtorclosesocketselectsendstd::ios_base::_
String ID: (Connector::DoSend) Fd is not set write : wsaerror=$(Connector::DoSend) Fd is set exception : wsaerror=$(Connector::DoSend) Input parameters incorrect$(Connector::DoSend) No connection$(Connector::DoSend) Select timeout failed : wsaerror=$(Connector::DoSend) Send buffer failed - connection aborted: wsaerror=$(Connector::DoSend) Send buffer failed : wsaerror=$(Connector::DoSend) timeout for send is out : wsaerror=
API String ID: 3764467191-4057505521
Opcode ID: 2ec3235494c439a7a7e183fab81296308f71a776a6456c200898e8a14cfcd507
Instruction ID: e11d335ed3268b060ee11fc7a61fb4358e55446fa8ba8bd271891b7e2a2129f0
Opcode Fuzzy Hash: 2ec3235494c439a7a7e183fab81296308f71a776a6456c200898e8a14cfcd507
Instruction Fuzzy Hash: A70215B2225641A5EE54EBE5D00C3BFB368E7B13A0F516621EA6D03ADADF3CC441E700

Function 0000022E65FF1450 Relevance: 32.1, APIs: 14, Strings: 4, Instructions: 553comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000022E65FF14E8
GetModuleHandleW.KERNEL32 ref: 0000022E65FF1655
GetProcAddress.KERNEL32 ref: 0000022E65FF1665
CoSetProxyBlanket.COMBASE ref: 0000022E65FF169B
new.LIBCMT ref: 0000022E65FF1757
_com_util::ConvertStringToBSTR.COMSUPP ref: 0000022E65FF1779
_com_issue_error.COMSUPP ref: 0000022E65FF1794
new.LIBCMT ref: 0000022E65FF179F
_com_util::ConvertStringToBSTR.COMSUPP ref: 0000022E65FF17C5
_com_issue_error.COMSUPP ref: 0000022E65FF17E0
SysFreeString.OLEAUT32 ref: 0000022E65FF182A
SysFreeString.OLEAUT32 ref: 0000022E65FF186B
VariantInit.OLEAUT32 ref: 0000022E65FF1987

Strings

ROOT\CIMV2, xrefs: 0000022E65FF15A1
CoSetProxyBlanket, xrefs: 0000022E65FF165B
WQL, xrefs: 0000022E65FF17BE
ole32.dll, xrefs: 0000022E65FF164E

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$ConvertFree_com_issue_error_com_util::$AddressBlanketCreateHandleInitInstanceModuleProcProxyVariant
String ID: CoSetProxyBlanket$ROOT\CIMV2$WQL$ole32.dll
API String ID: 3840990785-3464224570
Opcode ID: f49ba43b31519e4b9e192c40a87efcc49914ee7b2c56dc2095fb8d1a338636ee
Instruction ID: 061c1be98a338b8c9d448450bf07b18f0c6ab4f61bce27df45cdec0493f8abed
Opcode Fuzzy Hash: f49ba43b31519e4b9e192c40a87efcc49914ee7b2c56dc2095fb8d1a338636ee
Instruction Fuzzy Hash: 04329DB6701B44A9EF14EBA6E44C7BE77A9E7A0B98F111414DB5D03F99CF78C884A310

Function 0000022E65FEAA68 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RpcServerUseProtseqEpA.RPCRT4 ref: 0000022E65FEAAAE
RpcServerRegisterIfEx.RPCRT4 ref: 0000022E65FEAAE1
RpcServerListen.RPCRT4 ref: 0000022E65FEAAF3
std::_Deallocate.LIBCONCRT ref: 0000022E65FEAB1C

Strings

\pipe\, xrefs: 0000022E65FEAA7A
ncacn_np, xrefs: 0000022E65FEAAA7

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Server$DeallocateListenProtseqRegisterstd::_
String ID: \pipe\$ncacn_np
API String ID: 2934073445-1932380190
Opcode ID: fb2b95c63c9c70d6f851d05490d9daadbe530feb8ea969676a715748920a882c
Instruction ID: 05f0897988542b7033f14c813422b670a14874d989a88520379b1350fe34d134
Opcode Fuzzy Hash: fb2b95c63c9c70d6f851d05490d9daadbe530feb8ea969676a715748920a882c
Instruction Fuzzy Hash: 35215761324580A5FF108FA1E48C7AA73AAF3F0390F511126E6AA43AE5DF2CC445DB00

Function 0000022E65CA8D40 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 471nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65CA9480: VirtualProtect.KERNELBASE ref: 0000022E65CA94B8
Part of subcall function 0000022E65CA9480: VirtualProtect.KERNELBASE ref: 0000022E65CA94E9

NtCreateSection.NTDLL ref: 0000022E65CA8E65
NtMapViewOfSection.NTDLL ref: 0000022E65CA8ED7

Strings

@, xrefs: 0000022E65CA8E45
@, xrefs: 0000022E65CA8E89

Memory Dump Source

Source File: 00000003.00000002.4171229611.0000022E65CA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022E65CA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65ca6000_rundll32.jbxd

Similarity

API ID: ProtectSectionVirtual$CreateView
String ID: @$@
API String ID: 3127889780-149943524
Opcode ID: ec024777d0c7faa6f64b737617b3c1eca50247ef54ff4b2481412eee8cd88577
Instruction ID: 45f8a880c69601807e5d717c8417f39ae96a22edb4fad2f6b938ec697dca8c6b
Opcode Fuzzy Hash: ec024777d0c7faa6f64b737617b3c1eca50247ef54ff4b2481412eee8cd88577
Instruction Fuzzy Hash: 0E02FE30208B498FDBA4DF58C458BAAB7E1FBA8311F51492DE58DC73A0DB75D884CB42

Function 0000022E65CA8C31 Relevance: 1.6, APIs: 1, Instructions: 93nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65CA9480: VirtualProtect.KERNELBASE ref: 0000022E65CA94B8
Part of subcall function 0000022E65CA9480: VirtualProtect.KERNELBASE ref: 0000022E65CA94E9

NtCreateSection.NTDLL ref: 0000022E65CA8CE2

Memory Dump Source

Source File: 00000003.00000002.4171229611.0000022E65CA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022E65CA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65ca6000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$CreateSection
String ID:
API String ID: 3928134249-0
Opcode ID: 01aea7d5306dfd5fb0f08ae7a7d208078b26442dadfb8409917864f98d92bf90
Instruction ID: 369fb6a772347608f344576f4a6eb07fab94eeba255e12c311ccd2be2446897b
Opcode Fuzzy Hash: 01aea7d5306dfd5fb0f08ae7a7d208078b26442dadfb8409917864f98d92bf90
Instruction Fuzzy Hash: A6311030618B888FD754DB2CC859B6A7BE5FBA9311F00462EE599C33E0DB75D940CB42

Function 0000022E65CA9390 Relevance: 1.6, APIs: 1, Instructions: 79filenativeCOMMON

Download Yara Rule

APIs

NtOpenFile.NTDLL ref: 0000022E65CA9426

Memory Dump Source

Source File: 00000003.00000002.4171229611.0000022E65CA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022E65CA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65ca6000_rundll32.jbxd

Similarity

API ID: FileOpen
String ID:
API String ID: 2669468079-0
Opcode ID: 2fba1f18ae9891822a26905f9bce1b2c4df6e157ef82356e139a9b7859376684
Instruction ID: 10da5df136d600097953c46febe01169cd242f963fcd5b5fb364a41a466ee0ab
Opcode Fuzzy Hash: 2fba1f18ae9891822a26905f9bce1b2c4df6e157ef82356e139a9b7859376684
Instruction Fuzzy Hash: E021FB30618B449FE744EF68C859B6ABBE5FBA8760F440A2EF495C33E0D664D840CB42

Function 0000022E65FD5530 Relevance: 37.1, APIs: 9, Strings: 12, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5587
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5605
std::_Deallocate.LIBCONCRT ref: 0000022E65FD573B
std::_Deallocate.LIBCONCRT ref: 0000022E65FD579E
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5801
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5864
std::_Deallocate.LIBCONCRT ref: 0000022E65FD58C7
std::_Deallocate.LIBCONCRT ref: 0000022E65FD592A
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5986

Strings

ins, xrefs: 0000022E65FD588C
plg, xrefs: 0000022E65FD5952
User name: , xrefs: 0000022E65FD554D
kSevFxr92Wwmuht3RfZcQHYiz4pj087CNKdlaL5D, xrefs: 0000022E65FD59FD
sdl, xrefs: 0000022E65FD5829
dij, xrefs: 0000022E65FD5763
shi, xrefs: 0000022E65FD5700
gdt, xrefs: 0000022E65FD58EF
Starting connection loop, xrefs: 0000022E65FD5AC2
dex, xrefs: 0000022E65FD57C6
Failed DoHandshake, xrefs: 0000022E65FD5AFB
Domain name: , xrefs: 0000022E65FD55CB

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: Domain name: $Failed DoHandshake$Starting connection loop$User name: $dex$dij$gdt$ins$kSevFxr92Wwmuht3RfZcQHYiz4pj087CNKdlaL5D$plg$sdl$shi
API String ID: 1323251999-3495704378
Opcode ID: 12a4600ac29fc29ee7c5ab9b27aa1996ada06b6f5febe6fb2fc552a88155e351
Instruction ID: fa458c24e9d3f01cb439b2781b3a7a3706bc4f1ce13922503ce7f3b920f12b71
Opcode Fuzzy Hash: 12a4600ac29fc29ee7c5ab9b27aa1996ada06b6f5febe6fb2fc552a88155e351
Instruction Fuzzy Hash: FFF13A76B10B90A8EB10DBB5ED442EE37B9F76138CF414115DF496BAAADF308619E304

Function 0000022E65FD50DF Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5258
std::_Deallocate.LIBCONCRT ref: 0000022E65FD527C
std::_Deallocate.LIBCONCRT ref: 0000022E65FD536F
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5398
CoInitializeEx.OLE32 ref: 0000022E65FD53B9
CoInitializeSecurity.OLE32 ref: 0000022E65FD53E7

Part of subcall function 0000022E65FD3F84: GetModuleHandleW.KERNEL32 ref: 0000022E65FD3F91
Part of subcall function 0000022E65FD3F84: GetProcAddress.KERNEL32 ref: 0000022E65FD3FAD
Part of subcall function 0000022E65FD3F84: GetProcAddress.KERNEL32 ref: 0000022E65FD3FC9
Part of subcall function 0000022E65FD3F84: GetProcAddress.KERNEL32 ref: 0000022E65FD3FE5
Part of subcall function 0000022E65FD3F84: GetProcAddress.KERNEL32 ref: 0000022E65FD4001
Part of subcall function 0000022E65FD3F84: GetProcAddress.KERNEL32 ref: 0000022E65FD401D

Part of subcall function 0000022E65FC1640: sprintf.LEGACY_STDIO_DEFINITIONS ref: 0000022E65FC171B

CoUninitialize.OLE32 ref: 0000022E65FD54A4

Part of subcall function 0000022E65FC65BC: std::_Deallocate.LIBCONCRT ref: 0000022E65FC65E4

Part of subcall function 0000022E65FD1810: std::_Deallocate.LIBCONCRT ref: 0000022E65FD1860

Strings

.live, xrefs: 0000022E65FD52C4
300, xrefs: 0000022E65FD5294
NEW_BLACK, xrefs: 0000022E65FD511B

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$AddressProc$Initialize$HandleModuleSecurityUninitializesprintf
String ID: .live$300$NEW_BLACK
API String ID: 3648849760-3156522211
Opcode ID: 6f87fa7bc04f22c233fbe0f5198bf22356ff43927f06dad47666d4623fe1245e
Instruction ID: af301556ffb08faba63ceee35d89593a9c56a2174619d6b741c30cf4a44c8e02
Opcode Fuzzy Hash: 6f87fa7bc04f22c233fbe0f5198bf22356ff43927f06dad47666d4623fe1245e
Instruction Fuzzy Hash: 68C14B66710A80ADEB20DFB5EC883EE37A8F76134CF414115AB4957AAADF34C658E740

Function 0000022E65FD0AFC Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD0BC7
std::_Deallocate.LIBCONCRT ref: 0000022E65FD0BF1
std::_Deallocate.LIBCONCRT ref: 0000022E65FD0C1B
std::_Deallocate.LIBCONCRT ref: 0000022E65FD0D2F

Strings

Timeout counter not hitted, xrefs: 0000022E65FD0CDA
Block right now!, xrefs: 0000022E65FD0C7C
Verify , xrefs: 0000022E65FD0B5C
CheckConnection ok, xrefs: 0000022E65FD0D52
Timeout counter hitted, xrefs: 0000022E65FD0CAD

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: Block right now!$CheckConnection ok$Timeout counter hitted$Timeout counter not hitted$Verify
API String ID: 1323251999-3710821220
Opcode ID: 91e8ceffc9b5ed7996f33046182b56978acc7b1ec32f574a8bd01ef955a1e792
Instruction ID: ce929241cc2b2192263eb3bc73969c87c72a53aaf6da2a627a75b2b20e00df8b
Opcode Fuzzy Hash: 91e8ceffc9b5ed7996f33046182b56978acc7b1ec32f574a8bd01ef955a1e792
Instruction Fuzzy Hash: 1D61A261714644A8FF00EBA2D4583FD3369E762BC8F425226AE091B7DBDF78C50AE344

Function 0000022E65FD5D70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022E65FCFC4C: InternetOpenA.WININET ref: 0000022E65FCFD40
Part of subcall function 0000022E65FCFC4C: InternetOpenUrlA.WININET ref: 0000022E65FCFD77
Part of subcall function 0000022E65FCFC4C: InternetReadFile.WININET ref: 0000022E65FCFDB1
Part of subcall function 0000022E65FCFC4C: InternetCloseHandle.WININET ref: 0000022E65FCFDC7
Part of subcall function 0000022E65FCFC4C: InternetCloseHandle.WININET ref: 0000022E65FCFDD0

Part of subcall function 0000022E65FC84BC: std::_Deallocate.LIBCONCRT ref: 0000022E65FC84F1

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5DA7
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5E0C
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5E66
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5EEC

Strings

generate_ping, xrefs: 0000022E65FD5E95
Failed DoHandshake, xrefs: 0000022E65FD5AFB
!conContext.Send, xrefs: 0000022E65FD5EC0

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeallocateInternetstd::_$CloseHandleOpen$FileRead
String ID: !conContext.Send$Failed DoHandshake$generate_ping
API String ID: 2270628339-1141015282
Opcode ID: dcef12f0143716c6fcf328767c18fad9f3b693b580416f6716f8ddb31c685cc4
Instruction ID: 0212112fde89ea44eb5e0567cc7e598565bfa79da75a2e5451ba64861f8bca76
Opcode Fuzzy Hash: dcef12f0143716c6fcf328767c18fad9f3b693b580416f6716f8ddb31c685cc4
Instruction Fuzzy Hash: 8E4130613116C0ACEF24EBB6DC583FE276DF762788F415216DB094BAABDF348644A344

Function 0000022E65FD05F8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD06D9
std::_Deallocate.LIBCONCRT ref: 0000022E65FD07CB

Strings

Leave CheckDGA, xrefs: 0000022E65FD0810
Enter CheckDGA, xrefs: 0000022E65FD061E
Connect : , xrefs: 0000022E65FD078D
Trying connect to , xrefs: 0000022E65FD0677

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: Connect : $Enter CheckDGA$Leave CheckDGA$Trying connect to
API String ID: 1323251999-1993950784
Opcode ID: 20f233c21c21cd5471f32e99e268932ec94fbb312d6a48a6e3812fb0dcc6ffaf
Instruction ID: 6c18f4fe5d34d3db241e56d88990d2df95f1ef6889f9cf45ac923e038b30182a
Opcode Fuzzy Hash: 20f233c21c21cd5471f32e99e268932ec94fbb312d6a48a6e3812fb0dcc6ffaf
Instruction Fuzzy Hash: 4851C0A2710601A9FE04DBA6D4487FD2369FB62B94F025326DF2D0B6D6EF78C551A340

Function 0000022E65FD5B1F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5B95

Part of subcall function 0000022E65FC84BC: std::_Deallocate.LIBCONCRT ref: 0000022E65FC84F1

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5BF6
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5CA1
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5D02

Strings

Connection still not trusted, xrefs: 0000022E65FD5D36
Failed DoHandshake, xrefs: 0000022E65FD5AFB

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: Connection still not trusted$Failed DoHandshake
API String ID: 1323251999-1812421182
Opcode ID: de3b16d71f3c64bbeb3a9a4d213765ac19685f7042b9c91e0232d157e2fc2636
Instruction ID: 87a8b99860817db52b5e9aea77aa83939fd0581155dc556dcdbc68c8df5721b7
Opcode Fuzzy Hash: de3b16d71f3c64bbeb3a9a4d213765ac19685f7042b9c91e0232d157e2fc2636
Instruction Fuzzy Hash: CC61C491310AC4A9FF60EBA6DD8C3FD236DE762784F424211CB0D4B6AADF39C645A344

Function 0000022E65FCED00 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FCED3D
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FCED5C
new.LIBCMT ref: 0000022E65FCED65
std::_Deallocate.LIBCONCRT ref: 0000022E65FCEDC2
std::_Deallocate.LIBCONCRT ref: 0000022E65FCEE03

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskDeallocatestd::_
String ID:
API String ID: 4012121645-0
Opcode ID: a5d8e2f53df483de64681540a5985e6c93cddb737d03efc1223fc0de7a8d95fc
Instruction ID: 34b773da1ed31b5cbb48dfb42bb2987e78f0d737a3774fa9e667e944c16f15dc
Opcode Fuzzy Hash: a5d8e2f53df483de64681540a5985e6c93cddb737d03efc1223fc0de7a8d95fc
Instruction Fuzzy Hash: 6F31F062710B40A5EE21CBA6E84D36A6268F764BF0F178731DB7903BC9DF34C491A740

Function 0000022E6612CB54 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000022E6612CC76

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 5518f5723a9ae15c3b47f29bd54c226d4d22c6a755726b2ae6182f5791a5fc79
Instruction ID: d5250356e2ad6e2884019a66c32c5fc4cb771a4e88561d282df8564135b1a74e
Opcode Fuzzy Hash: 5518f5723a9ae15c3b47f29bd54c226d4d22c6a755726b2ae6182f5791a5fc79
Instruction Fuzzy Hash: 5441C8E1B21640B2FE559B96A80C775639DB774FD0F0B85259F1D4B784EA3CC481A350

Function 0000022E661174C8 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022E661174EC
CreateThread.KERNEL32 ref: 0000022E6611752D
GetLastError.KERNEL32 ref: 0000022E6611753B
CloseHandle.KERNEL32 ref: 0000022E66117558
FreeLibrary.KERNEL32 ref: 0000022E66117567

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 8499ebcfb489e6abf4be75a7ed433c87ea7f4c968203c23ab6766defdc016f9d
Instruction ID: 553468bb54f711fa4ee4bc1b644167f4eef7597cf251fd1686b897572479acdd
Opcode Fuzzy Hash: 8499ebcfb489e6abf4be75a7ed433c87ea7f4c968203c23ab6766defdc016f9d
Instruction Fuzzy Hash: 382187B5B21740A2FE44DFE6E41C279E3B8ABA4BC0F4645229D0D47755DE3CDC45A720

Function 0000022E65FECF64 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegGetValueW.ADVAPI32 ref: 0000022E65FECFFC
RegGetValueW.ADVAPI32 ref: 0000022E65FED091

Strings

SOFTWARE\UnknownDB, xrefs: 0000022E65FECFAA
size, xrefs: 0000022E65FECFEE

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Value
String ID: SOFTWARE\UnknownDB$size
API String ID: 3702945584-2725006514
Opcode ID: 779c2b9991392ed6cce1135317e07aba87e22e4d6296f17204ed0016e4cc1eee
Instruction ID: e2bef63bc97e3677e7fba8dd978324886f338fe8b697c58247d1aec4793b8e90
Opcode Fuzzy Hash: 779c2b9991392ed6cce1135317e07aba87e22e4d6296f17204ed0016e4cc1eee
Instruction Fuzzy Hash: 7741AD32710600ADEB20DFA6E8547AD77A9F794798F51122AEF1993BA8DF34C50AC704

Function 0000022E65FD5FC4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5FFC
std::_Deallocate.LIBCONCRT ref: 0000022E65FD6021

Strings

Failed DoHandshake, xrefs: 0000022E65FD5AFB
!UnpackJsonToPong, xrefs: 0000022E65FD5FC4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: !UnpackJsonToPong$Failed DoHandshake
API String ID: 1323251999-1879821257
Opcode ID: 3165a10a6efd50f27fc1fa08b378d428c97d6487fd12466fcb4ef25551fb45b5
Instruction ID: 7fd0fb257eab2f799432ea009a5b340f600f7007f4f96bb93129737120e2de71
Opcode Fuzzy Hash: 3165a10a6efd50f27fc1fa08b378d428c97d6487fd12466fcb4ef25551fb45b5
Instruction Fuzzy Hash: B93161613206546CFF04EBA6DC482FD3769EBA2788F421116AB0A479ABDF34C544E344

Function 0000022E65FD5F2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD5EEC
std::_Deallocate.LIBCONCRT ref: 0000022E65FD5F56

Strings

!conContext.Recv, xrefs: 0000022E65FD5F2A
Failed DoHandshake, xrefs: 0000022E65FD5AFB

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: !conContext.Recv$Failed DoHandshake
API String ID: 1323251999-3186422887
Opcode ID: d2d97e8434d17e397a28033c1717756c4744cc76921495651a119bee157946e6
Instruction ID: b4de2bc6527c7b05849d8a457a21384760a5d1becf55d95c014f18b3829d48ad
Opcode Fuzzy Hash: d2d97e8434d17e397a28033c1717756c4744cc76921495651a119bee157946e6
Instruction Fuzzy Hash: A6117F517106546CFF14E7E7D8482FE36BDEB62B88F521215DF0A17AABDF348504A304

Function 0000022E660F4C80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 234COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 0000022E660F4CF2

Strings

(Connector::NewConnect) Close socket failed : wsaerror=, xrefs: 0000022E660F4D29
- , xrefs: 0000022E660F4D3A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: closesocket
String ID: - $(Connector::NewConnect) Close socket failed : wsaerror=
API String ID: 2781271927-707741259
Opcode ID: 529f6e05fe6abb8548e5b7cd2e16f0fcbe25e8b479908f2ff8c42762b98f8b6f
Instruction ID: ce972f0b81f3302187744fa94a1a643b76b181670b0eb382c42035f5f4d3f395
Opcode Fuzzy Hash: 529f6e05fe6abb8548e5b7cd2e16f0fcbe25e8b479908f2ff8c42762b98f8b6f
Instruction Fuzzy Hash: DD91D3A1B21644BAFF98EBE1C15C3BE7269A7A4784F121421DE2D13FCBDB7C88516350

Function 0000022E6612AFD4 Relevance: 3.8, APIs: 3, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022E6612AFE3
SetLastError.KERNEL32 ref: 0000022E6612B04D
SetLastError.KERNEL32 ref: 0000022E6612B057

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4538e96ac102df2a0a4a3850ba9e438ae23e103c080f92d35dfd0de32189700d
Instruction ID: 98da8d1cf54a541a8dab133542e34222cc65b1b20c8ea66bf2643c2eec57e850
Opcode Fuzzy Hash: 4538e96ac102df2a0a4a3850ba9e438ae23e103c080f92d35dfd0de32189700d
Instruction Fuzzy Hash: B81161A0B3174062FE5957E1A65D33E21BD9B64B94F060528A92E47BD6EE2CC8C26324

Function 0000022E65CA6000 Relevance: 3.6, APIs: 2, Instructions: 629memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000022E65CA64F2

Part of subcall function 0000022E65CA9480: VirtualProtect.KERNELBASE ref: 0000022E65CA94B8
Part of subcall function 0000022E65CA9480: VirtualProtect.KERNELBASE ref: 0000022E65CA94E9

LoadLibraryExW.KERNELBASE ref: 0000022E65CA6769

Memory Dump Source

Source File: 00000003.00000002.4171229611.0000022E65CA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022E65CA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65ca6000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: 445d55ed005dda75094cae88cc0beaea78e21e98f820be56d745cd47ff622a99
Instruction ID: 497189b57af417b55e1e8d25700a97a26ed0e8d04ab55d524c4b212f29a77ea4
Opcode Fuzzy Hash: 445d55ed005dda75094cae88cc0beaea78e21e98f820be56d745cd47ff622a99
Instruction Fuzzy Hash: 64320E34618A488FEB94EF6CD85CBA6B7E5F7A8301F40452EE44AC7270DB78D984CB41

Function 0000022E65CA9480 Relevance: 3.0, APIs: 2, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000022E65CA94B8
VirtualProtect.KERNELBASE ref: 0000022E65CA94E9

Memory Dump Source

Source File: 00000003.00000002.4171229611.0000022E65CA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022E65CA6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65ca6000_rundll32.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f5be49bc1e8f111891236fe2a6516531c999dc70acdc53698341252282824d56
Instruction ID: d506a01172fe78cde27aea5e74f7902d595cc501687d47d12c10d422a7301d58
Opcode Fuzzy Hash: f5be49bc1e8f111891236fe2a6516531c999dc70acdc53698341252282824d56
Instruction Fuzzy Hash: E801FF30118B488FD744EB59D84475AB7E0FBD8315F500A5EB88DE3264DB74D985C746

Function 0000022E66117364 Relevance: 3.0, APIs: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E6612AF40: GetLastError.KERNEL32 ref: 0000022E6612AF4A
Part of subcall function 0000022E6612AF40: SetLastError.KERNEL32 ref: 0000022E6612AFC8
Part of subcall function 0000022E6612AF40: abort.LIBCMT ref: 0000022E6612AFCE

GetLastError.KERNEL32 ref: 0000022E6611738E
ExitThread.KERNEL32 ref: 0000022E66117396

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ExitThreadabort
String ID:
API String ID: 648126024-0
Opcode ID: 480519acdbb6fd96c0385158b1c8a62a61d946c4adb0e674378ef05f7c04e450
Instruction ID: 171a618d188c3a510eab87b27468551fcf16f5b852de4f04569e1f982b3792e1
Opcode Fuzzy Hash: 480519acdbb6fd96c0385158b1c8a62a61d946c4adb0e674378ef05f7c04e450
Instruction Fuzzy Hash: CF018495E2174092EF18ABF2E45D2BD126CEB68B54F0A14259E4947797DE3CC885D320

Function 0000022E65FD6627 Relevance: 3.0, APIs: 2, Instructions: 24threadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32 ref: 0000022E65FD663A
CreateEventW.KERNEL32 ref: 0000022E65FD664C

Part of subcall function 0000022E661174C8: _invalid_parameter_noinfo.LIBCMT ref: 0000022E661174EC

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CallsCreateDisableEventLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 3949789577-0
Opcode ID: c060f208cb0bbe6f208b8bd4b0522e4ad3be3426b3f852664e5414bad9ab7e77
Instruction ID: 3bd4d2fbf9f8ca2fb2efa93a06f83e556b05e14bffeb071ca1ba45faf6bd4a86
Opcode Fuzzy Hash: c060f208cb0bbe6f208b8bd4b0522e4ad3be3426b3f852664e5414bad9ab7e77
Instruction Fuzzy Hash: 3BF0BE73A24A41A6EB249BE0F85AB7E37ACE3A5304F924025D24D42A60CF3DC5489B50

Function 0000022E66005360 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 0000022E6600539D

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 66d0c6b530d1cb0d629dcb88f45c78fd13adcd2f395eed6dca26daddc573beee
Instruction ID: e0ccc8fd3dca653be506c3e0df87ef146f6ea28420a474d341989f23744b246d
Opcode Fuzzy Hash: 66d0c6b530d1cb0d629dcb88f45c78fd13adcd2f395eed6dca26daddc573beee
Instruction Fuzzy Hash: 003148B4A25B90B5FFA99BD1B9483B832ADB774344F560435C50E432A0DF7CC564A361

Function 0000022E65FD4F80 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD4FF2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: e290778eb7132fc90cd88f2335ffca8553cd0bc116a22de2dedf3b9c9af34201
Instruction ID: d0cc014b4802c4cf3491ca28569ddd932dee24621015e45e62bafe04228e2c2a
Opcode Fuzzy Hash: e290778eb7132fc90cd88f2335ffca8553cd0bc116a22de2dedf3b9c9af34201
Instruction Fuzzy Hash: 7C018063F106009DFB0087B5C45D3BD7AB4E326738F191714CB792AAD6CBB981858340

Function 0000022E65FC5AC8 Relevance: 1.5, APIs: 1, Instructions: 14networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E660F32EC: _onexit.LIBCMT ref: 0000022E660F32F0

WSAStartup.WS2_32 ref: 0000022E65FC5AF7

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Startup_onexit
String ID:
API String ID: 3012808385-0
Opcode ID: b5b183b6b7cfdb3312c0507edf6124ff7aaf5dfed1bf1cfdf3e5dd1730554345
Instruction ID: 8a678b7c29cbea3b068cbe7f748791576134b57d992aa159f23b3574ec398fb5
Opcode Fuzzy Hash: b5b183b6b7cfdb3312c0507edf6124ff7aaf5dfed1bf1cfdf3e5dd1730554345
Instruction Fuzzy Hash: 61E086B1D641A0A6FF50DBD5E48C3B83368F760715F834021C11D82050DE5DC94ADB90

Function 0000022E6612253C Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000022E66122591

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 7f9ccc44af7d954cf5240f277ab545f5db75ef3b3c30c7d800823b666a2b9ef7
Instruction ID: 5cfb28ec0647cae70d61153515df35b40eb88595755b9ee3ee375c2eac37ddff
Opcode Fuzzy Hash: 7f9ccc44af7d954cf5240f277ab545f5db75ef3b3c30c7d800823b666a2b9ef7
Instruction Fuzzy Hash: D8F090D0B3260472FE645BE6656D3FD529C5B79B80F4E8831490E963DADE1CC8C17270

Function 0000022E65FF59B7 Relevance: 1.3, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5A13

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: fb3a51a595a2477156cc3895975fa3fa8f2a5d3f030891b67057c71804bb0d45
Instruction ID: bd7732ee8acf7e3c5422c160cf156b413db7e7afbc345b249191d4641cf2ff0c
Opcode Fuzzy Hash: fb3a51a595a2477156cc3895975fa3fa8f2a5d3f030891b67057c71804bb0d45
Instruction Fuzzy Hash: FFF0A972715700A6EF60DF96E04417A7768E7E5BC4F554122AB4C43B6ADF3CC552DB00

Function 0000022E66122D00 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0000022E66122D3E

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: e9d90c9a42adbd79a37ac591c907afc828a66ae06a86c502181772668621fe1c
Instruction ID: 11cf0f84df2fb62e70cc649391fae67ea99c05eebd28915886beaddb62a4b655
Opcode Fuzzy Hash: e9d90c9a42adbd79a37ac591c907afc828a66ae06a86c502181772668621fe1c
Instruction Fuzzy Hash: 4AF082E0F3124861FE641BE2584C3BD519C8F757A0F0A06205C2E862E1DA2C88C1B630

Non-executed Functions

Function 0000022E65FF0110 Relevance: 87.9, APIs: 38, Strings: 12, Instructions: 439memorycomlibraryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000022E65FF0168
GetModuleHandleW.KERNEL32 ref: 0000022E65FF01D5
GetProcAddress.KERNEL32 ref: 0000022E65FF01E5
SysAllocString.OLEAUT32 ref: 0000022E65FF0240
SysAllocString.OLEAUT32 ref: 0000022E65FF0250
SysAllocString.OLEAUT32 ref: 0000022E65FF0260
VariantInit.OLEAUT32 ref: 0000022E65FF0370

Part of subcall function 0000022E65FEAB6C: new.LIBCMT ref: 0000022E65FEAB90
Part of subcall function 0000022E65FEAB6C: _com_util::ConvertStringToBSTR.COMSUPP ref: 0000022E65FEABB1
Part of subcall function 0000022E65FEAB6C: _com_issue_error.COMSUPP ref: 0000022E65FEABCA

new.LIBCMT ref: 0000022E65FF03BC
SysAllocString.OLEAUT32 ref: 0000022E65FF03E0
_com_issue_error.COMSUPP ref: 0000022E65FF03F3
_com_issue_error.COMSUPP ref: 0000022E65FF040B
VariantInit.OLEAUT32 ref: 0000022E65FF043A
VariantInit.OLEAUT32 ref: 0000022E65FF046F
VariantInit.OLEAUT32 ref: 0000022E65FF04A4
VariantClear.OLEAUT32 ref: 0000022E65FF0520
VariantClear.OLEAUT32 ref: 0000022E65FF052A
VariantClear.OLEAUT32 ref: 0000022E65FF0534
VariantClear.OLEAUT32 ref: 0000022E65FF053E
SysFreeString.OLEAUT32 ref: 0000022E65FF0547
SysFreeString.OLEAUT32 ref: 0000022E65FF0550
SysFreeString.OLEAUT32 ref: 0000022E65FF0559

Strings

ReturnValue, xrefs: 0000022E65FF05D3
CreateFlags, xrefs: 0000022E65FF0461
ROOT\CIMV2, xrefs: 0000022E65FF019D
Create, xrefs: 0000022E65FF0239
CoSetProxyBlanket, xrefs: 0000022E65FF01DB
CommandLine, xrefs: 0000022E65FF03D9
Win32_ProcessStartup, xrefs: 0000022E65FF0259
ProcessStartupInformation, xrefs: 0000022E65FF04D0
ProcessId, xrefs: 0000022E65FF0657
ShowWindow, xrefs: 0000022E65FF0496
ole32.dll, xrefs: 0000022E65FF01CE
Win32_Process, xrefs: 0000022E65FF0249

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: StringVariant$AllocClearInit$Free_com_issue_error$AddressConvertCreateHandleInstanceModuleProc_com_util::
String ID: CoSetProxyBlanket$CommandLine$Create$CreateFlags$ProcessId$ProcessStartupInformation$ROOT\CIMV2$ReturnValue$ShowWindow$Win32_Process$Win32_ProcessStartup$ole32.dll
API String ID: 3377340112-2140978212
Opcode ID: 019faab4ca756a4454f4dcdad14ff8bb2236d960ff94240162f85fba8c5a6577
Instruction ID: 75318a2471d7ab02cb347cc1cd7d8a9a3b93b3fbee619f695d2b58b9207cd1ec
Opcode Fuzzy Hash: 019faab4ca756a4454f4dcdad14ff8bb2236d960ff94240162f85fba8c5a6577
Instruction Fuzzy Hash: 8B227976710B84A6EF00DFA6E8983AD77B8F798B88F121411DA4E43BA8DF78C544D710

Function 0000022E65FE7198 Relevance: 78.1, Strings: 61, Instructions: 1856COMMON

Download Yara Rule

Strings

binary_db, xrefs: 0000022E65FE95A5
vmware_devices, xrefs: 0000022E65FE878C
vmware_firmware_smbios, xrefs: 0000022E65FE88F7
vbox_req_key, xrefs: 0000022E65FE780E
vbox_check_mac, xrefs: 0000022E65FE79C7
check_xen, xrefs: 0000022E65FE7516
vbox_eventlog_wmi, xrefs: 0000022E65FE7D9C
vmware_files, xrefs: 0000022E65FE84BC
msmv, xrefs: 0000022E65FE936A
num_of_procs, xrefs: 0000022E65FE9425
qemu_firmware_acpi, xrefs: 0000022E65FE8F42
vbox_firmware_acpi, xrefs: 0000022E65FE7F0B
vbox_bus_wmi, xrefs: 0000022E65FE7FC1
vbox_dirs, xrefs: 0000022E65FE7934
vbox_pnpentity_controllers_wmi, xrefs: 0000022E65FE81E2
vbox_files, xrefs: 0000022E65FE78A1
vbox_devices, xrefs: 0000022E65FE7A68
parallels_process, xrefs: 0000022E65FE91F4
vmware_reg_keys, xrefs: 0000022E65FE8402
qemu_dir, xrefs: 0000022E65FE8E92
proc_list, xrefs: 0000022E65FE953D
qemu_processes, xrefs: 0000022E65FE8DE1
vbox_mac_wmi, xrefs: 0000022E65FE7CEE
wine_req, xrefs: 0000022E65FE76E8
virtual_pc_reg_keys, xrefs: 0000022E65FE8B18
qemu_firmware_smbios, xrefs: 0000022E65FE8FE9
isfromdesc, xrefs: 0000022E65FE93A8
vbox_req_val, xrefs: 0000022E65FE777B
vmware_firmware_ACPI, xrefs: 0000022E65FE89AC
vbox_firmware_smbios, xrefs: 0000022E65FE7E51
vbox_process, xrefs: 0000022E65FE7C4C
parallels_check_mac, xrefs: 0000022E65FE9232
cpu_fan_wmi, xrefs: 0000022E65FE8C80
kvm_dir, xrefs: 0000022E65FE91B6
vmware_processes, xrefs: 0000022E65FE8842
known_u, xrefs: 0000022E65FE92ED
psexp_running, xrefs: 0000022E65FE75BE
virtual_pc_process, xrefs: 0000022E65FE8A62
dsks, xrefs: 0000022E65FE92AF
vmware_mac, xrefs: 0000022E65FE8623
uuid, xrefs: 0000022E65FE73C6
wine_exports, xrefs: 0000022E65FE7651
mod_comp, xrefs: 0000022E65FE9270
vmware_reg_key_value, xrefs: 0000022E65FE834C
vbox_window_class, xrefs: 0000022E65FE7B05
kvm_files, xrefs: 0000022E65FE9136
vm_driver_services, xrefs: 0000022E65FE8BCA
vbox_network_class, xrefs: 0000022E65FE7BA6
known_files, xrefs: 0000022E65FE93E6
vbox_pnpentity_pcideviceid_wmi, xrefs: 0000022E65FE812C
vmware_adapter_name, xrefs: 0000022E65FE86D7
client_id, xrefs: 0000022E65FE7257
vmware_dir, xrefs: 0000022E65FE8571
kvm_reg_keys, xrefs: 0000022E65FE9090
vbox_pnpentity_vboxname_wmi, xrefs: 0000022E65FE8297
req_disk_enum, xrefs: 0000022E65FE9463
qemu_reg_key_value, xrefs: 0000022E65FE8D30
user, xrefs: 0000022E65FE746D
vbox_baseborad_wmi, xrefs: 0000022E65FE8076
mems, xrefs: 0000022E65FE932C
sess, xrefs: 0000022E65FE730A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeallocateEnumerateFreeMemoryProcessesstd::_
String ID: binary_db$check_xen$client_id$cpu_fan_wmi$dsks$isfromdesc$known_files$known_u$kvm_dir$kvm_files$kvm_reg_keys$mems$mod_comp$msmv$num_of_procs$parallels_check_mac$parallels_process$proc_list$psexp_running$qemu_dir$qemu_firmware_acpi$qemu_firmware_smbios$qemu_processes$qemu_reg_key_value$req_disk_enum$sess$user$uuid$vbox_baseborad_wmi$vbox_bus_wmi$vbox_check_mac$vbox_devices$vbox_dirs$vbox_eventlog_wmi$vbox_files$vbox_firmware_acpi$vbox_firmware_smbios$vbox_mac_wmi$vbox_network_class$vbox_pnpentity_controllers_wmi$vbox_pnpentity_pcideviceid_wmi$vbox_pnpentity_vboxname_wmi$vbox_process$vbox_req_key$vbox_req_val$vbox_window_class$virtual_pc_process$virtual_pc_reg_keys$vm_driver_services$vmware_adapter_name$vmware_devices$vmware_dir$vmware_files$vmware_firmware_ACPI$vmware_firmware_smbios$vmware_mac$vmware_processes$vmware_reg_key_value$vmware_reg_keys$wine_exports$wine_req
API String ID: 2429326555-4171219946
Opcode ID: 3fd9c0fe147a1205d6390c03746200aa51bb6bcb6ea1cb68d0a79f3ad297916e
Instruction ID: a0f006445821463ff46c8d4b68e836059e56b039ccba98b72378f99febc41523
Opcode Fuzzy Hash: 3fd9c0fe147a1205d6390c03746200aa51bb6bcb6ea1cb68d0a79f3ad297916e
Instruction Fuzzy Hash: B123E0B2215BC19DDBB0DF74EC413EA33A8F759348F50152AA68C9BB69EF348258C714

Function 0000022E65FF0E00 Relevance: 66.9, APIs: 29, Strings: 9, Instructions: 405memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000022E65FF0E5C
CoSetProxyBlanket.OLE32 ref: 0000022E65FF0EE0
SysAllocString.OLEAUT32 ref: 0000022E65FF0F0A
SysAllocString.OLEAUT32 ref: 0000022E65FF0F1A
SysAllocString.OLEAUT32 ref: 0000022E65FF0F2A
new.LIBCMT ref: 0000022E65FF1040
_com_util::ConvertStringToBSTR.COMSUPP ref: 0000022E65FF105F
_com_issue_error.COMSUPP ref: 0000022E65FF107A
SysFreeString.OLEAUT32 ref: 0000022E65FF1099
VariantClear.OLEAUT32 ref: 0000022E65FF1190
VariantClear.OLEAUT32 ref: 0000022E65FF119A
VariantClear.OLEAUT32 ref: 0000022E65FF11A4
SysFreeString.OLEAUT32 ref: 0000022E65FF11AD
SysFreeString.OLEAUT32 ref: 0000022E65FF11B6
SysFreeString.OLEAUT32 ref: 0000022E65FF11BF

Strings

ReturnValue, xrefs: 0000022E65FF124A
CreateFlags, xrefs: 0000022E65FF1109
ROOT\CIMV2, xrefs: 0000022E65FF0E94
Create, xrefs: 0000022E65FF0F03
CommandLine, xrefs: 0000022E65FF10DB
Win32_ProcessStartup, xrefs: 0000022E65FF0F23
ProcessStartupInformation, xrefs: 0000022E65FF113B
ProcessId, xrefs: 0000022E65FF12CB
Win32_Process, xrefs: 0000022E65FF0F13

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Free$AllocClearVariant$BlanketConvertCreateInstanceProxy_com_issue_error_com_util::
String ID: CommandLine$Create$CreateFlags$ProcessId$ProcessStartupInformation$ROOT\CIMV2$ReturnValue$Win32_Process$Win32_ProcessStartup
API String ID: 3425408570-2022159726
Opcode ID: 3175596cad473eb6e64dc97ed313adc46f0e0233b010c1d0d24b80d48aa0ec13
Instruction ID: fc97cc0162edd84fc6799d715e4c772ed284b85b99ff5757eefe4ab1db3f1419
Opcode Fuzzy Hash: 3175596cad473eb6e64dc97ed313adc46f0e0233b010c1d0d24b80d48aa0ec13
Instruction Fuzzy Hash: 09125876710B8496EB10DFA6E8583AE77B8F798B98F114125DE8E47B68CF38C548D700

Function 0000022E65FF1D10 Relevance: 42.1, APIs: 6, Strings: 18, Instructions: 139COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 0000022E65FF1E3D
Wow64DisableWow64FsRedirection.KERNEL32 ref: 0000022E65FF1E51
PathCombineW.SHLWAPI ref: 0000022E65FF1E70
GetFileAttributesW.KERNEL32 ref: 0000022E65FF1EAA
GetCurrentProcess.KERNEL32 ref: 0000022E65FF1F2F
Wow64RevertWow64FsRedirection.KERNEL32 ref: 0000022E65FF1F4B

Strings

System32\VBoxControl.exe, xrefs: 0000022E65FF1E09
System32\drivers\VBoxSF.sys, xrefs: 0000022E65FF1D67
System32\vboxoglarrayspu.dll, xrefs: 0000022E65FF1DAF
System32\vboxdisp.dll, xrefs: 0000022E65FF1D7F
System32\vboxtray.exe, xrefs: 0000022E65FF1DFE
System32\drivers\VBoxGuest.sys, xrefs: 0000022E65FF1D55
System32\vboxservice.exe, xrefs: 0000022E65FF1DF3
System32\vboxoglcrutil.dll, xrefs: 0000022E65FF1DBB
System32\vboxoglpassthroughspu.dll, xrefs: 0000022E65FF1DE8
System32\drivers\VBoxMouse.sys, xrefs: 0000022E65FF1D40
System32\vboxogl.dll, xrefs: 0000022E65FF1DA3
System32\vboxmrxnp.dll, xrefs: 0000022E65FF1D97
System32\vboxhook.dll, xrefs: 0000022E65FF1D8B
System32\vboxoglerrorspu.dll, xrefs: 0000022E65FF1DC7
Checking file %s , xrefs: 0000022E65FF1E93
System32\vboxoglpackspu.dll, xrefs: 0000022E65FF1DDD
System32\drivers\VBoxVideo.sys, xrefs: 0000022E65FF1D73
System32\vboxoglfeedbackspu.dll, xrefs: 0000022E65FF1DD2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
String ID: Checking file %s $System32\VBoxControl.exe$System32\drivers\VBoxGuest.sys$System32\drivers\VBoxMouse.sys$System32\drivers\VBoxSF.sys$System32\drivers\VBoxVideo.sys$System32\vboxdisp.dll$System32\vboxhook.dll$System32\vboxmrxnp.dll$System32\vboxogl.dll$System32\vboxoglarrayspu.dll$System32\vboxoglcrutil.dll$System32\vboxoglerrorspu.dll$System32\vboxoglfeedbackspu.dll$System32\vboxoglpackspu.dll$System32\vboxoglpassthroughspu.dll$System32\vboxservice.exe$System32\vboxtray.exe
API String ID: 2137468328-1036852472
Opcode ID: 19f1c621f6e112c317721e5d1c740a0029c6832e1d5a7042bee00aafde7e8dc2
Instruction ID: 0944c60c8bf907ee815e94ed8eb518dffdb8af82d3d8ede6042367652e335f8d
Opcode Fuzzy Hash: 19f1c621f6e112c317721e5d1c740a0029c6832e1d5a7042bee00aafde7e8dc2
Instruction Fuzzy Hash: F361B2B1B10B80A9FF10CB91E8482EA77ACF7A4784F920126DA8D47BA4DF3CC545D790

Function 0000022E65FF2160 Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF21E7
SysAllocString.OLEAUT32 ref: 0000022E65FF21F7
CoUninitialize.OLE32 ref: 0000022E65FF2251
SysFreeString.OLEAUT32 ref: 0000022E65FF225A
SysFreeString.OLEAUT32 ref: 0000022E65FF2268
StrCmpIW.SHLWAPI ref: 0000022E65FF230B
VariantClear.OLEAUT32 ref: 0000022E65FF231D
SafeArrayAccessData.OLEAUT32 ref: 0000022E65FF2350
SafeArrayGetLBound.OLEAUT32 ref: 0000022E65FF2369
SafeArrayGetUBound.OLEAUT32 ref: 0000022E65FF237A
SafeArrayGetElement.OLEAUT32 ref: 0000022E65FF239B
SafeArrayUnaccessData.OLEAUT32 ref: 0000022E65FF23E2
VariantClear.OLEAUT32 ref: 0000022E65FF23EC
CoUninitialize.OLE32 ref: 0000022E65FF2431

Strings

vboxvideo, xrefs: 0000022E65FF2183
SELECT * FROM Win32_NTEventlogFile, xrefs: 0000022E65FF21ED
System, xrefs: 0000022E65FF2304
WQL, xrefs: 0000022E65FF21D0
VBoxVideoW8, xrefs: 0000022E65FF2192
Sources, xrefs: 0000022E65FF2330
VBoxWddm, xrefs: 0000022E65FF21A5
FileName, xrefs: 0000022E65FF22CD

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ArraySafe$String$Uninitialize$AllocBoundClearDataFreeInitializeVariant$AccessCreateElementInstanceSecurityUnaccess
String ID: FileName$SELECT * FROM Win32_NTEventlogFile$Sources$System$VBoxVideoW8$VBoxWddm$WQL$vboxvideo
API String ID: 3465144543-1865646205
Opcode ID: 441cb62044896833126615da1cec528b37880cbdc4505c74feca0024acaa52e3
Instruction ID: 56de049a3774964cfd3da968bb40ab2f501521a2d083f0bb99d57ce45095aa98
Opcode Fuzzy Hash: 441cb62044896833126615da1cec528b37880cbdc4505c74feca0024acaa52e3
Instruction Fuzzy Hash: 31913CB2B10B91AAEF10CFA2E8486AC33B8F758B88F415511CE4E57B58DF39C549D350

Function 0000022E65FF4650 Relevance: 35.1, APIs: 4, Strings: 16, Instructions: 103serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 0000022E65FF470F

Part of subcall function 0000022E65FF4850: EnumServicesStatusExW.ADVAPI32 ref: 0000022E65FF48F7

StrCmpIW.SHLWAPI ref: 0000022E65FF47A9
CloseServiceHandle.ADVAPI32 ref: 0000022E65FF4801
CloseServiceHandle.ADVAPI32 ref: 0000022E65FF481A

Strings

vmx86, xrefs: 0000022E65FF4704
Failed to get SCM handle., xrefs: 0000022E65FF4822
VBoxGuest, xrefs: 0000022E65FF46A1
vmxnet, xrefs: 0000022E65FF46F9
vmhgfs, xrefs: 0000022E65FF46B7
vmusbmouse, xrefs: 0000022E65FF46E3
VBoxWddm, xrefs: 0000022E65FF466E
Failed to get services list., xrefs: 0000022E65FF480B
vmx_svga, xrefs: 0000022E65FF46EE
vmusb, xrefs: 0000022E65FF46D8
ServicesActive, xrefs: 0000022E65FF4680
VBoxMouse, xrefs: 0000022E65FF4695
VBoxSF, xrefs: 0000022E65FF4687
vmmouse, xrefs: 0000022E65FF46C2
vmmemctl, xrefs: 0000022E65FF46CD
vmci, xrefs: 0000022E65FF46AC

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService$EnumManagerOpenServicesStatus
String ID: Failed to get SCM handle.$Failed to get services list.$ServicesActive$VBoxGuest$VBoxMouse$VBoxSF$VBoxWddm$vmci$vmhgfs$vmmemctl$vmmouse$vmusb$vmusbmouse$vmx86$vmx_svga$vmxnet
API String ID: 3747942150-804508089
Opcode ID: 386779f08c4d84eaf10b284d34603d7e7f4b6b2dfa2085a4d07eb0263c571e5e
Instruction ID: 8aeb003b2260b9718c19ba3d2f9a98cbf296cf929b84f49fe2de048994115502
Opcode Fuzzy Hash: 386779f08c4d84eaf10b284d34603d7e7f4b6b2dfa2085a4d07eb0263c571e5e
Instruction Fuzzy Hash: F3515D72715B80A5EF209F82F44C3AA7BA8F758780F821226DA8D47B64EF3CC545E750

Function 0000022E65FF2F00 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 174memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF2F4E
SysAllocString.OLEAUT32 ref: 0000022E65FF2F5E
CoUninitialize.OLE32 ref: 0000022E65FF2FBB
SysFreeString.OLEAUT32 ref: 0000022E65FF2FC4
SysFreeString.OLEAUT32 ref: 0000022E65FF2FD7
wcsstr.LIBVCRUNTIME ref: 0000022E65FF3072
VariantClear.OLEAUT32 ref: 0000022E65FF3082
wcsstr.LIBVCRUNTIME ref: 0000022E65FF30C7
VariantClear.OLEAUT32 ref: 0000022E65FF30D7
wcsstr.LIBVCRUNTIME ref: 0000022E65FF311C
VariantClear.OLEAUT32 ref: 0000022E65FF312C
CoUninitialize.OLE32 ref: 0000022E65FF316D

Strings

VBOX, xrefs: 0000022E65FF306B, 0000022E65FF30C0
SELECT * FROM Win32_PnPDevice, xrefs: 0000022E65FF2F54
Caption, xrefs: 0000022E65FF3095
PNPDeviceID, xrefs: 0000022E65FF30EA
WQL, xrefs: 0000022E65FF2F38
VEN_VBOX, xrefs: 0000022E65FF3115
Name, xrefs: 0000022E65FF3040

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$ClearUninitializeVariantwcsstr$AllocFreeInitialize$CreateInstanceSecurity
String ID: Caption$Name$PNPDeviceID$SELECT * FROM Win32_PnPDevice$VBOX$VEN_VBOX$WQL
API String ID: 3295136966-607120894
Opcode ID: c291bffffa07478fd836a497020b2e208a28a2d4463ff92d044e135b7f9c6f2d
Instruction ID: 32b40c7c3bda0733242f1ad8146ee6ec606226596b25c64b14bb6386ea2ce456
Opcode Fuzzy Hash: c291bffffa07478fd836a497020b2e208a28a2d4463ff92d044e135b7f9c6f2d
Instruction Fuzzy Hash: 96818D72710B50A6EF10DFA6E8482AC37A8F794B88F451116EE4E43FA8DF39C985D310

Function 0000022E65FF3C10 Relevance: 33.3, APIs: 1, Strings: 18, Instructions: 89COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0000022E65FF3D29

Strings

sand box, xrefs: 0000022E65FF3CC0
Sandbox, xrefs: 0000022E65FF3C46
Johnson, xrefs: 0000022E65FF3C82
malware, xrefs: 0000022E65FF3CCE
Emily, xrefs: 0000022E65FF3C52
HAPUBWS, xrefs: 0000022E65FF3C5E
Peter Wilson, xrefs: 0000022E65FF3CA6
virus, xrefs: 0000022E65FF3CF8
Checking if username matches : %s , xrefs: 0000022E65FF3D85
test user, xrefs: 0000022E65FF3CEA
Miller, xrefs: 0000022E65FF3C8E
IT-ADMIN, xrefs: 0000022E65FF3C76
CurrentUser, xrefs: 0000022E65FF3C2D
maltest, xrefs: 0000022E65FF3CDC
John Doe, xrefs: 0000022E65FF3D06
Hong Lee, xrefs: 0000022E65FF3C6A
timmy, xrefs: 0000022E65FF3CB2
milozs, xrefs: 0000022E65FF3C9A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: NameUser
String ID: Checking if username matches : %s $CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sandbox$maltest$malware$milozs$sand box$test user$timmy$virus
API String ID: 2645101109-2358638013
Opcode ID: cd5de68b56669a9d0272e00acef36d7b312e5858eda286ea6a1e19b1a615369a
Instruction ID: b7a31201e677b27bafd1e818b74212b59b36c4221b1045447d79536077e1421c
Opcode Fuzzy Hash: cd5de68b56669a9d0272e00acef36d7b312e5858eda286ea6a1e19b1a615369a
Instruction Fuzzy Hash: 60411875625B80A5EE10CB91F48C3EA7BB8F758780F420226DA8C0BB65EF3DC546D750

Function 0000022E65FF41F0 Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 143registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000022E65FF42C2
RegQueryInfoKeyW.ADVAPI32 ref: 0000022E65FF430C
RegCloseKey.ADVAPI32 ref: 0000022E65FF431A
RegCloseKey.ADVAPI32 ref: 0000022E65FF4344

Strings

qemu, xrefs: 0000022E65FF4245
vbox, xrefs: 0000022E65FF426D
System\CurrentControlSet\Enum\IDE, xrefs: 0000022E65FF4224
VMW, xrefs: 0000022E65FF4283
System\CurrentControlSet\Enum\SCSI, xrefs: 0000022E65FF4233
virtio, xrefs: 0000022E65FF4257
xen, xrefs: 0000022E65FF4278
Virtual, xrefs: 0000022E65FF428E
vmware, xrefs: 0000022E65FF4262

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Close$InfoOpenQuery
String ID: System\CurrentControlSet\Enum\IDE$System\CurrentControlSet\Enum\SCSI$VMW$Virtual$qemu$vbox$virtio$vmware$xen
API String ID: 796878624-373962024
Opcode ID: 66d27574bf8490147d9661f5dcad80fd1134433e16cd29cc104d66086d3bf0ac
Instruction ID: 33c7fd5dbdc4f98ea65cf21bac6d1a3ce5f75ba83ab100841f40dba49fa90bed
Opcode Fuzzy Hash: 66d27574bf8490147d9661f5dcad80fd1134433e16cd29cc104d66086d3bf0ac
Instruction Fuzzy Hash: DE614B72B14B40A9EB10CFA2E8483AD77B9F758788F511126DE8E13B68DF38C516E740

Function 0000022E65FDA6E8 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 287timeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000022E65FDA73B
SetWaitableTimer.KERNEL32 ref: 0000022E65FDA812
LeaveCriticalSection.KERNEL32 ref: 0000022E65FDA866
SetLastError.KERNEL32 ref: 0000022E65FDA881
GetQueuedCompletionStatus.KERNEL32 ref: 0000022E65FDA8A5
GetLastError.KERNEL32 ref: 0000022E65FDA8AE
__ExceptionPtrCopy.LIBCPMT ref: 0000022E65FDA9EE
__ExceptionPtrCopy.LIBCPMT ref: 0000022E65FDA9FD
PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FDAA65
GetLastError.KERNEL32 ref: 0000022E65FDAA6F

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Strings

pqcs, xrefs: 0000022E65FDAA8A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CompletionCopyCriticalExceptionQueuedSectionStatus$EnterInit_thread_footerLeavePostTimerWaitable
String ID: pqcs
API String ID: 2677216780-2559862021
Opcode ID: ee932694cd8f86d815e17b7a4b261ff25cd91e729fac6a5c64c4f1b8fbde0530
Instruction ID: ae66ae2378dd0ba83360b662643844b4b60ff2b762dae7644e370d83b873faf5
Opcode Fuzzy Hash: ee932694cd8f86d815e17b7a4b261ff25cd91e729fac6a5c64c4f1b8fbde0530
Instruction Fuzzy Hash: 18D19E72704B809AEB61CFA6E8443AD77B8F7AAB54F115225DB8E87B54DF38C441D300

Function 0000022E65FCFC4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FD2594: Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FD260C
Part of subcall function 0000022E65FD2594: new.LIBCMT ref: 0000022E65FD2612

InternetOpenA.WININET ref: 0000022E65FCFD40
InternetOpenUrlA.WININET ref: 0000022E65FCFD77
InternetReadFile.WININET ref: 0000022E65FCFDB1
InternetCloseHandle.WININET ref: 0000022E65FCFDC7
InternetCloseHandle.WININET ref: 0000022E65FCFDD0
InternetCloseHandle.WININET ref: 0000022E65FCFDE5
InternetCloseHandle.WININET ref: 0000022E65FCFDEE
std::_Deallocate.LIBCONCRT ref: 0000022E65FCFE61

Strings

IP retriever, xrefs: 0000022E65FCFD39
https://api.ipify.org/, xrefs: 0000022E65FCFCA5
http://myexternalip.com/raw, xrefs: 0000022E65FCFCD4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Open$Concurrency::cancel_current_taskDeallocateFileReadstd::_
String ID: IP retriever$http://myexternalip.com/raw$https://api.ipify.org/
API String ID: 3644404261-3426027295
Opcode ID: 09be6dc9282f5756e1107aa8f59317cb4e0320d1d3353bc14e850a782783f2b7
Instruction ID: fd0bcd300feea3f79ba5ffcb72283343192acfcc9ec322794929e1d6a721a780
Opcode Fuzzy Hash: 09be6dc9282f5756e1107aa8f59317cb4e0320d1d3353bc14e850a782783f2b7
Instruction Fuzzy Hash: FA61C173718B80ABEB10CBA6E8446AEB7B8F391B94F510515EF8903B58CF78C551EB10

Function 0000022E65FF4EC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85commemoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
CoCreateInstance.OLE32 ref: 0000022E65FF4F25
CoUninitialize.OLE32 ref: 0000022E65FF4F2F
SysAllocString.OLEAUT32 ref: 0000022E65FF4F53
SysFreeString.OLEAUT32 ref: 0000022E65FF4F97
CoUninitialize.OLE32 ref: 0000022E65FF4FE7

Strings

ROOT\CIMV2, xrefs: 0000022E65FF4F47

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: InitializeStringUninitialize$AllocCreateFreeInstanceSecurity
String ID: ROOT\CIMV2
API String ID: 3548430535-2786109267
Opcode ID: 630a26aa946af55944c0e0a5a59d3c64d14703e70f69e1f3ab729343518a6ab3
Instruction ID: 046c021cfc4c1b3109a15aaa534edadc11c14703e2cfdc9644851341620fd4bd
Opcode Fuzzy Hash: 630a26aa946af55944c0e0a5a59d3c64d14703e70f69e1f3ab729343518a6ab3
Instruction Fuzzy Hash: 3331A072614B8196EB10CF66F80862EB7A8F798B84F054215EB8E83B54DF3CC505DB00

Function 0000022E65FF4CD0 Relevance: 15.1, APIs: 10, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022E65FF4CEC
HeapAlloc.KERNEL32 ref: 0000022E65FF4CFD
GetAdaptersInfo.IPHLPAPI ref: 0000022E65FF4D25
GetProcessHeap.KERNEL32 ref: 0000022E65FF4D30
HeapFree.KERNEL32 ref: 0000022E65FF4D3E
GetProcessHeap.KERNEL32 ref: 0000022E65FF4D48
HeapAlloc.KERNEL32 ref: 0000022E65FF4D56
GetAdaptersInfo.IPHLPAPI ref: 0000022E65FF4D6C
GetProcessHeap.KERNEL32 ref: 0000022E65FF4DBA
HeapFree.KERNEL32 ref: 0000022E65FF4DC8

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$Process$AdaptersAllocFreeInfo
String ID:
API String ID: 2824440793-0
Opcode ID: 4950bd5bdeacdfdccbc7802f447cea47fcd7c090d79a4788ba921cd69a7babce
Instruction ID: 8b99dc6ea9b0a47d2cc676ba2414ea3c19bcc76255f27ca9943dd3d4f82b5184
Opcode Fuzzy Hash: 4950bd5bdeacdfdccbc7802f447cea47fcd7c090d79a4788ba921cd69a7babce
Instruction Fuzzy Hash: 59310821715680A2EF548BA7B40C27D77E5EBA9B90F095034DF8E43B69DF3CC8819750

Function 0000022E65FDB25C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 123filepipeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FDB0F4: GetCurrentProcessId.KERNEL32 ref: 0000022E65FDB148
Part of subcall function 0000022E65FDB0F4: _Init_thread_footer.LIBCMT ref: 0000022E65FDB197
Part of subcall function 0000022E65FDB0F4: std::_Deallocate.LIBCONCRT ref: 0000022E65FDB1CF
Part of subcall function 0000022E65FDB0F4: std::_Deallocate.LIBCONCRT ref: 0000022E65FDB230

Part of subcall function 0000022E65FDE130: EnterCriticalSection.KERNEL32 ref: 0000022E65FDE21C
Part of subcall function 0000022E65FDE130: LeaveCriticalSection.KERNEL32 ref: 0000022E65FDE247

CreateNamedPipeA.KERNEL32 ref: 0000022E65FDB2E2
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FDB365
CreateFileA.KERNEL32 ref: 0000022E65FDB3A0
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FDB3EE
std::_Deallocate.LIBCONCRT ref: 0000022E65FDB41B

Strings

create_named_pipe(, xrefs: 0000022E65FDB2F5
create_file() failed, xrefs: 0000022E65FDB3C2
) failed, xrefs: 0000022E65FDB306

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$CreateCriticalExceptionSectionThrow$CurrentEnterFileInit_thread_footerLeaveNamedPipeProcess
String ID: ) failed$create_file() failed$create_named_pipe(
API String ID: 1707646108-456399844
Opcode ID: 4f1e8f0a353e28c85b607ea10eb05727bac05d1834282eb899e924ae328a4506
Instruction ID: dafbf03b277b5fe73c2a323a8f5f9b828548860b1be8a5ab37a13d7b047bc12d
Opcode Fuzzy Hash: 4f1e8f0a353e28c85b607ea10eb05727bac05d1834282eb899e924ae328a4506
Instruction Fuzzy Hash: B851EF72614B80AAEF00DFA6E8482ED7764F3A57A0F414321EB5D43BA9DF38C545D700

Function 0000022E65FCCFA0 Relevance: 13.9, APIs: 9, Instructions: 415COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000022E65FCCFF2
new.LIBCMT ref: 0000022E65FCD07A
new.LIBCMT ref: 0000022E65FCD119
new.LIBCMT ref: 0000022E65FCD193
new.LIBCMT ref: 0000022E65FCD22E
new.LIBCMT ref: 0000022E65FCD2BC
new.LIBCMT ref: 0000022E65FCD357
new.LIBCMT ref: 0000022E65FCD3F4
new.LIBCMT ref: 0000022E65FCD491

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b652138081822217982cd22338e72b9852c0c5ce673a08e299d18ca0e452ed9a
Instruction ID: 4d085d19c13a13e4b158f0db8ef0b674696d21666436123ca5030f72f88c2664
Opcode Fuzzy Hash: b652138081822217982cd22338e72b9852c0c5ce673a08e299d18ca0e452ed9a
Instruction Fuzzy Hash: 74022732346B859ADF70DFA6E45423EB3B8F364B44B524526C79E83B51EF38E4529340

Function 0000022E65FF4DE0 Relevance: 12.1, APIs: 8, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000022E65FF4E15
Process32FirstW.KERNEL32 ref: 0000022E65FF4E34
StrCmpIW.SHLWAPI ref: 0000022E65FF4E46
CloseHandle.KERNEL32 ref: 0000022E65FF4E53
Process32NextW.KERNEL32 ref: 0000022E65FF4E64
StrCmpIW.SHLWAPI ref: 0000022E65FF4E78
Process32NextW.KERNEL32 ref: 0000022E65FF4E8A
CloseHandle.KERNEL32 ref: 0000022E65FF4E97

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleNext$CreateFirstSnapshotToolhelp32
String ID:
API String ID: 3656348920-0
Opcode ID: 8acb61856b03c74a8c73c64066d62b0e70953c267da559444172a3bef2378ea4
Instruction ID: a915e553cae33e5143641c92d0bd203ea77fcaa7bda4f1d737866efdfcbf50d9
Opcode Fuzzy Hash: 8acb61856b03c74a8c73c64066d62b0e70953c267da559444172a3bef2378ea4
Instruction Fuzzy Hash: 5921D761314680A6EF60CB62E54C77A73A4F7A8FD4F4642208AAD876D4EF3DC909D710

Function 0000022E66131F78 Relevance: 10.7, APIs: 7, Instructions: 174COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000022E6612AF40: GetLastError.KERNEL32 ref: 0000022E6612AF4A
Part of subcall function 0000022E6612AF40: SetLastError.KERNEL32 ref: 0000022E6612AFC8
Part of subcall function 0000022E6612AF40: abort.LIBCMT ref: 0000022E6612AFCE

Part of subcall function 0000022E6612AF40: SetLastError.KERNEL32 ref: 0000022E6612AFB2

EnumSystemLocalesW.KERNEL32 ref: 0000022E661320CF
GetUserDefaultLCID.KERNEL32 ref: 0000022E661320E8
ProcessCodePage.LIBCMT ref: 0000022E66132112
IsValidCodePage.KERNEL32 ref: 0000022E66132133
IsValidLocale.KERNEL32 ref: 0000022E66132149
GetLocaleInfoW.KERNEL32 ref: 0000022E661321A5
GetLocaleInfoW.KERNEL32 ref: 0000022E661321C1

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$CodeInfoPageValid$DefaultEnumLocalesProcessSystemUserabort
String ID:
API String ID: 3941709727-0
Opcode ID: e1fd24d0581ce7a047bb9014cd37ef04ee026e3d2b986cde5182990ae1c8caa3
Instruction ID: 0c2bcfc4e4a0d21dc89b2d779d5c59311cabd3d07738588e114110577dbcb992
Opcode Fuzzy Hash: e1fd24d0581ce7a047bb9014cd37ef04ee026e3d2b986cde5182990ae1c8caa3
Instruction Fuzzy Hash: 86719DB2F20740A9FF10ABA1D8587BC33B8B774744F4640258E0E676A5DB3D8949E3A0

Function 0000022E65FD9F18 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000022E65FD9F61
PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FD9F90
GetLastError.KERNEL32 ref: 0000022E65FD9F9A
CloseHandle.KERNEL32 ref: 0000022E65FD9FE1
GetQueuedCompletionStatus.KERNEL32 ref: 0000022E65FDA0E1

Strings

pqcs, xrefs: 0000022E65FD9FB5

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CompletionQueuedStatus$CloseErrorHandleLastPostTimerWaitable
String ID: pqcs
API String ID: 3092740338-2559862021
Opcode ID: c60b755a3fa73338e78e0d8a0922e16ef7380b5e9b52552ea72652d36805b5a0
Instruction ID: 9670215ad87974817829006a4890e3baaf206288a083df5b80608d03611ae7c5
Opcode Fuzzy Hash: c60b755a3fa73338e78e0d8a0922e16ef7380b5e9b52552ea72652d36805b5a0
Instruction Fuzzy Hash: 0A712632701B40AAEB64CFB6E5943AC33B8F759B48F15422AAB4D97B84DF34C426D740

Function 0000022E6613158C Relevance: 9.2, APIs: 6, Instructions: 208COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000022E6612AF40: GetLastError.KERNEL32 ref: 0000022E6612AF4A
Part of subcall function 0000022E6612AF40: SetLastError.KERNEL32 ref: 0000022E6612AFC8
Part of subcall function 0000022E6612AF40: abort.LIBCMT ref: 0000022E6612AFCE

TranslateName.LIBCMT ref: 0000022E661315F6
TranslateName.LIBCMT ref: 0000022E66131631
IsValidCodePage.KERNEL32 ref: 0000022E6613168E
wcschr.LIBVCRUNTIME ref: 0000022E66131721
wcschr.LIBVCRUNTIME ref: 0000022E66131731

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLastNameTranslatewcschr$CodePageValidabort
String ID:
API String ID: 4237316620-0
Opcode ID: bc390fcc964dcb77d1e5c2fb1dc2a8eeb8c4d5e1149440121b8afb41b159e969
Instruction ID: fe9b3be2f1de39a6e2d14a791685528266d6e247ac38d5a6267d30cefb9d93be
Opcode Fuzzy Hash: bc390fcc964dcb77d1e5c2fb1dc2a8eeb8c4d5e1149440121b8afb41b159e969
Instruction Fuzzy Hash: 9E81D6B2A20740A1EF209F91D40A7B933ACF7B4B84F4A4121DB5E577A5DB7CC541E760

Function 0000022E66115D8C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000022E66115E05
RtlLookupFunctionEntry.KERNEL32 ref: 0000022E66115E1D
RtlVirtualUnwind.KERNEL32 ref: 0000022E66115E58
IsDebuggerPresent.KERNEL32 ref: 0000022E66115E91
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022E66115E9B
UnhandledExceptionFilter.KERNEL32 ref: 0000022E66115EA6

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 458ed2804a41ba25c9061f679611f881ffa7e40ef83040f5a1897f1bbc151955
Instruction ID: 95389edd12a75cdf706c18e941045c7c1e35f65f2a54c873ce9bb91ce16140ce
Opcode Fuzzy Hash: 458ed2804a41ba25c9061f679611f881ffa7e40ef83040f5a1897f1bbc151955
Instruction Fuzzy Hash: AB31A3B2624F80A6DF60CF65E8483AE73A8F798754F510125EA8D47B94DF3CC556CB10

Function 0000022E65FEF23C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022E65FEF2A0
GetProcAddress.KERNEL32 ref: 0000022E65FEF2B0

Strings

ntdll.dll, xrefs: 0000022E65FEF299
ZwQueryInformationProcess, xrefs: 0000022E65FEF2A9

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: ZwQueryInformationProcess$ntdll.dll
API String ID: 1646373207-132032222
Opcode ID: bcc60d8edaf1c71ffae8ee34be7ebbff2edeef94103e3c030f6d9e12e1c3fa26
Instruction ID: 632822f097c5a857a7850f6fa95591957a1240b982bf5fc58fcb2466f3b181c9
Opcode Fuzzy Hash: bcc60d8edaf1c71ffae8ee34be7ebbff2edeef94103e3c030f6d9e12e1c3fa26
Instruction Fuzzy Hash: 0F511271721B40A2EF65CB92F4043A963A8FBA8BC4F4640369E5D53B98DF3CC602D760

Function 0000022E65FF4850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusExW.ADVAPI32 ref: 0000022E65FF48F7
GetLastError.KERNEL32 ref: 0000022E65FF490E
EnumServicesStatusExW.ADVAPI32 ref: 0000022E65FF497C

Strings

ERROR: %u, xrefs: 0000022E65FF4992

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLast
String ID: ERROR: %u
API String ID: 1500475886-3825433098
Opcode ID: 30e6fa4fc0fc0a398d6cd09b5f113e1fd6298f65ea8726ef9f357e7766e51079
Instruction ID: 1ce85faf597e88e34c424a060a961f960911647d8ef6ac8c509d492ae6838a8b
Opcode Fuzzy Hash: 30e6fa4fc0fc0a398d6cd09b5f113e1fd6298f65ea8726ef9f357e7766e51079
Instruction Fuzzy Hash: A4414D32714B809ADB60CF52F80836AB7A9F798B90F594425EECD47B58EF39C495DB00

Function 0000022E65FF2470 Relevance: 6.4, Strings: 5, Instructions: 145COMMON

Download Yara Rule

Strings

vbox, xrefs: 0000022E65FF25A3
VBOX, xrefs: 0000022E65FF25C5
VirtualBox, xrefs: 0000022E65FF257B
IPCA, xrefs: 0000022E65FF2510
IPCA, xrefs: 0000022E65FF2548

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: IPCA$IPCA$VBOX$VirtualBox$vbox
API String ID: 0-3852232254
Opcode ID: f72550421a20e4bfa76ee953408b8eb82890fb2b56499b727df43f9623c43fc2
Instruction ID: 6e68e4f755f208401138c9cb4b2208cfdd64b317da43bb16fe29958f07d26b90
Opcode Fuzzy Hash: f72550421a20e4bfa76ee953408b8eb82890fb2b56499b727df43f9623c43fc2
Instruction Fuzzy Hash: 695138B27116C45AEE15C7D79C2837967D9F7A4B90F1A1421DF0E47B91DB3EC882A700

Function 0000022E66122288 Relevance: 6.2, APIs: 4, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 0000022E661222D8
_Wcsftime.LIBCMT ref: 0000022E66122311

Part of subcall function 0000022E66120A48: _invalid_parameter_noinfo.LIBCMT ref: 0000022E66120A73

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Wcsftime$_invalid_parameter_noinfo
String ID:
API String ID: 4239037671-0
Opcode ID: 671d3d929c3f5de04b62b184aedfc7bc5fd528498d2adc415f59486259b6cc80
Instruction ID: 2455e02e974451fdf73928b514273cf92451e7b9ebac37af04fd59ec17d97405
Opcode Fuzzy Hash: 671d3d929c3f5de04b62b184aedfc7bc5fd528498d2adc415f59486259b6cc80
Instruction Fuzzy Hash: E57126A2A3078052EF689BB5A04937E629CF7A8794F154225EF9E47FD5CF3CC4819720

Function 0000022E65FEAB40 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

RpcMgmtStopServerListening.RPCRT4 ref: 0000022E65FEAB46
RpcServerUnregisterIf.RPCRT4 ref: 0000022E65FEAB5B

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Server$ListeningMgmtStopUnregister
String ID:
API String ID: 3697950855-0
Opcode ID: 0c77d112ef31bffd8d83861e9d7c19ca5bfb867fe1feabc1652df6b8b4b496b2
Instruction ID: d13f0382eea86dcbe1a3cf6e087546285497bc26c6d6a9f3860284d8084318a8
Opcode Fuzzy Hash: 0c77d112ef31bffd8d83861e9d7c19ca5bfb867fe1feabc1652df6b8b4b496b2
Instruction Fuzzy Hash: 88D0A750B2225072FF5C2B73085E337029EAB51700FA5541C460682280CE1DC1066510

Function 0000022E65FEA9F4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RpcBindingFree.RPCRT4 ref: 0000022E65FEAA52

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: BindingFree
String ID:
API String ID: 3284907940-0
Opcode ID: 39c437bc65d0c6fe3b9c0f26e31c815dce4a8d102d3196e772f3e180d517cb4f
Instruction ID: 7a726a6e863e70d8f79eba03c41f761e28a2263835025ea14b45573b2d3ee6e1
Opcode Fuzzy Hash: 39c437bc65d0c6fe3b9c0f26e31c815dce4a8d102d3196e772f3e180d517cb4f
Instruction Fuzzy Hash: 82F0C2E1721B80F5EF40CF95E84D37962A4EB28B41F525025D69D43311DB3CC4919780

Function 0000022E65FEA908 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RpcBindingFree.RPCRT4 ref: 0000022E65FEA966

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: BindingFree
String ID:
API String ID: 3284907940-0
Opcode ID: edbb4f16a4d90ac1f152923a6712b6dd56f2400c020450ff33e4ece259cb0413
Instruction ID: c06ec45c0db3ba7d78e4034071072185f6fbddc0016ce325820dfca2d3ded338
Opcode Fuzzy Hash: edbb4f16a4d90ac1f152923a6712b6dd56f2400c020450ff33e4ece259cb0413
Instruction Fuzzy Hash: 12F0C2E1725A80A5EF40CB95F84C3BD63B5EB28741F925021965D83310DB3CC4919780

Function 0000022E65FEA894 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RpcBindingFree.RPCRT4 ref: 0000022E65FEA8F2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: BindingFree
String ID:
API String ID: 3284907940-0
Opcode ID: 128418ccb044278a4ad303cc0ddc6d9724c84b0e0090fceed704ba11e3e187a8
Instruction ID: 656354fcf6f2a14a6f908bc303fd81eb7e675cdf189e2adc4fe8eab709a66ebf
Opcode Fuzzy Hash: 128418ccb044278a4ad303cc0ddc6d9724c84b0e0090fceed704ba11e3e187a8
Instruction Fuzzy Hash: CBF062F1A25B40E5EF40CB95F84C37962B4EB28781F524125D65D47315DB3CC591E780

Function 0000022E65FEA97C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

RpcBindingFree.RPCRT4 ref: 0000022E65FEA9E0

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: BindingFree
String ID:
API String ID: 3284907940-0
Opcode ID: 782cdc6fe03ab50c9a9155f34b52d4867ccd057917633eb0578ce3aa3b59e779
Instruction ID: c6e83899e60ffad93a12e0a73227d8118857d3ad443ae2ed726d43f4e40739e8
Opcode Fuzzy Hash: 782cdc6fe03ab50c9a9155f34b52d4867ccd057917633eb0578ce3aa3b59e779
Instruction Fuzzy Hash: 890181F1A20A40A6EF508B95F88C37D73B9EB68741F524021E64D46315DF3CC490E790

Function 0000022E65FEDCF0 Relevance: 1.3, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022E65FEDD04

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 14b52df1aa1af65d0f8922f4835bc1d0091d635f9217b4acff120a0806aa9cf6
Instruction ID: 43eded02dcb41795f087271b84b256424f3ddd6e8a039ac1b5570cbcaa33eedd
Opcode Fuzzy Hash: 14b52df1aa1af65d0f8922f4835bc1d0091d635f9217b4acff120a0806aa9cf6
Instruction Fuzzy Hash: 07E08CA0B22B41A2FF694BDAA44973422E8E779750E590028CA1C02760EB2C4896A350

Function 0000022E65FDBA68 Relevance: 35.5, APIs: 16, Strings: 4, Instructions: 493networksynchronizationCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000022E65FDBA73
new.LIBCMT ref: 0000022E65FDBACD

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

std::_Deallocate.LIBCONCRT ref: 0000022E65FDBEA6
std::_Deallocate.LIBCONCRT ref: 0000022E65FDBFBE
std::_Deallocate.LIBCONCRT ref: 0000022E65FDC004

Part of subcall function 0000022E65FE2B84: GetCurrentThreadId.KERNEL32 ref: 0000022E65FE2C60

Part of subcall function 0000022E65FDA184: PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FDA1DB
Part of subcall function 0000022E65FDA184: GetLastError.KERNEL32 ref: 0000022E65FDA1E5

__std_exception_copy.LIBVCRUNTIME ref: 0000022E65FDC21D
std::_Deallocate.LIBCONCRT ref: 0000022E65FDC24E
WaitForSingleObject.KERNEL32 ref: 0000022E65FDC2FD
GetLastError.KERNEL32 ref: 0000022E65FDC317
GetExitCodeProcess.KERNEL32 ref: 0000022E65FDC343
GetLastError.KERNEL32 ref: 0000022E65FDC35D
CloseHandle.KERNEL32 ref: 0000022E65FDC39D
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FDC407
std::_Deallocate.LIBCONCRT ref: 0000022E65FDC4A4
std::_Deallocate.LIBCONCRT ref: 0000022E65FDC517
WSACleanup.WS2_32 ref: 0000022E65FDC540

Strings

;', xrefs: 0000022E65FDBF94
wait error, xrefs: 0000022E65FDC3CC
~5, xrefs: 0000022E65FDBC6D
winsock, xrefs: 0000022E65FDBAB3

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$ErrorLast$__std_exception_copy$CleanupCloseCodeCompletionCurrentExceptionExitHandleInit_thread_footerObjectPostProcessQueuedSingleStartupStatusThreadThrowWait
String ID: wait error$winsock$;'$~5
API String ID: 1372613006-3302331494
Opcode ID: acd9ad1e5966a5bea6a155be71fe17c0c05faff9d9e14f245ff23c2fd5b5276f
Instruction ID: 4275a951870ce39d4e4e1df47f90e8556008057ebc465637faf04771706e4058
Opcode Fuzzy Hash: acd9ad1e5966a5bea6a155be71fe17c0c05faff9d9e14f245ff23c2fd5b5276f
Instruction Fuzzy Hash: CC420472609BC4A5DA71CB55F8843EAB3A8F7DA780F415226DBCD43A59EF38C194DB00

Function 0000022E65FF3190 Relevance: 35.1, APIs: 6, Strings: 14, Instructions: 130COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 0000022E65FF3291
Wow64DisableWow64FsRedirection.KERNEL32 ref: 0000022E65FF32A5
PathCombineW.SHLWAPI ref: 0000022E65FF32C0
GetFileAttributesW.KERNEL32 ref: 0000022E65FF32FA
GetCurrentProcess.KERNEL32 ref: 0000022E65FF337F
Wow64RevertWow64FsRedirection.KERNEL32 ref: 0000022E65FF339B

Strings

System32\drivers\vm3dmp.sys, xrefs: 0000022E65FF31F3
System32\drivers\vmusb.sys, xrefs: 0000022E65FF31E7
System32\drivers\vmnetuserif.sys, xrefs: 0000022E65FF3252
System32\drivers\vmhgfs.sys, xrefs: 0000022E65FF320B
System32\drivers\vmmouse.sys, xrefs: 0000022E65FF31D5
System32\drivers\vmusbmouse.sys, xrefs: 0000022E65FF323B
System32\drivers\vmnetadapter.sys, xrefs: 0000022E65FF325D
System32\drivers\vmci.sys, xrefs: 0000022E65FF31FF
System32\drivers\vmmemctl.sys, xrefs: 0000022E65FF3217
System32\drivers\vmnet.sys, xrefs: 0000022E65FF31C0
Checking file %s , xrefs: 0000022E65FF32E3
System32\drivers\vmrawdsk.sys, xrefs: 0000022E65FF322F
System32\drivers\vmx86.sys, xrefs: 0000022E65FF3223
System32\drivers\vmkdb.sys, xrefs: 0000022E65FF3247

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
String ID: Checking file %s $System32\drivers\vm3dmp.sys$System32\drivers\vmci.sys$System32\drivers\vmhgfs.sys$System32\drivers\vmkdb.sys$System32\drivers\vmmemctl.sys$System32\drivers\vmmouse.sys$System32\drivers\vmnet.sys$System32\drivers\vmnetadapter.sys$System32\drivers\vmnetuserif.sys$System32\drivers\vmrawdsk.sys$System32\drivers\vmusb.sys$System32\drivers\vmusbmouse.sys$System32\drivers\vmx86.sys
API String ID: 2137468328-73234479
Opcode ID: 9417b62189eae95cf3fee40aa5efdfeb15f3d303e414f987d350ef9f12dca044
Instruction ID: 4ff0773956e50eb2d695a98c942b8617b2e2a849097770c7f1160fc3cc180d6d
Opcode Fuzzy Hash: 9417b62189eae95cf3fee40aa5efdfeb15f3d303e414f987d350ef9f12dca044
Instruction Fuzzy Hash: E251C172B20B80A9EF10CB96E8583EA77ACF7A4784F460122DA4D47BA4DF3CC545D750

Function 0000022E65FF2840 Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF2883
SysAllocString.OLEAUT32 ref: 0000022E65FF2893
CoUninitialize.OLE32 ref: 0000022E65FF28EB
SysFreeString.OLEAUT32 ref: 0000022E65FF28F4
SysFreeString.OLEAUT32 ref: 0000022E65FF2907
wcsstr.LIBVCRUNTIME ref: 0000022E65FF29A4
wcsstr.LIBVCRUNTIME ref: 0000022E65FF29B9
wcsstr.LIBVCRUNTIME ref: 0000022E65FF29CE
wcsstr.LIBVCRUNTIME ref: 0000022E65FF29E3
VariantClear.OLEAUT32 ref: 0000022E65FF29F3
CoUninitialize.OLE32 ref: 0000022E65FF2A30

Strings

OpenHCD, xrefs: 0000022E65FF29DC
WQL, xrefs: 0000022E65FF2872
82371SB, xrefs: 0000022E65FF29C7
SELECT * FROM Win32_PnPEntity, xrefs: 0000022E65FF2889
82441FX, xrefs: 0000022E65FF29B2
82801FB, xrefs: 0000022E65FF299D
Name, xrefs: 0000022E65FF2972

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Stringwcsstr$Uninitialize$AllocFreeInitialize$ClearCreateInstanceSecurityVariant
String ID: 82371SB$82441FX$82801FB$Name$OpenHCD$SELECT * FROM Win32_PnPEntity$WQL
API String ID: 411316520-1350769890
Opcode ID: ef3ef85b2817ed31e82152c3327c49ac498b9ea8620bfc31cdd3e8f090d8b04d
Instruction ID: a62d6844385cc1c92b608c7a3f38663f92c25d26762517f4769d49a32fe543d9
Opcode Fuzzy Hash: ef3ef85b2817ed31e82152c3327c49ac498b9ea8620bfc31cdd3e8f090d8b04d
Instruction Fuzzy Hash: 26516F72710B459AEF108FA6E8482AC77A8F7A8B98F461112EF4E43B68DF39C545D310

Function 0000022E65FF3FF0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF4033
SysAllocString.OLEAUT32 ref: 0000022E65FF4043
CoUninitialize.OLE32 ref: 0000022E65FF409B
SysFreeString.OLEAUT32 ref: 0000022E65FF40A4
SysFreeString.OLEAUT32 ref: 0000022E65FF40B7
StrStrIW.SHLWAPI ref: 0000022E65FF414D
StrStrIW.SHLWAPI ref: 0000022E65FF4163
StrStrIW.SHLWAPI ref: 0000022E65FF4179
VariantClear.OLEAUT32 ref: 0000022E65FF4188
VariantClear.OLEAUT32 ref: 0000022E65FF41AB
CoUninitialize.OLE32 ref: 0000022E65FF41DE

Strings

HVM domU, xrefs: 0000022E65FF415C
Model, xrefs: 0000022E65FF4122
WQL, xrefs: 0000022E65FF4022
VMWare, xrefs: 0000022E65FF4172
VirtualBox, xrefs: 0000022E65FF4146
SELECT * FROM Win32_ComputerSystem, xrefs: 0000022E65FF4039

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Uninitialize$AllocClearFreeInitializeVariant$CreateInstanceSecurity
String ID: HVM domU$Model$SELECT * FROM Win32_ComputerSystem$VMWare$VirtualBox$WQL
API String ID: 2296585391-4167877488
Opcode ID: 9cde83bbbcd28c803077783c89919f3d6436b3b66b97434dded9bf5af39e063f
Instruction ID: 2cd110039e3cb1c8252cefb45929b2a5d632ec4f198744f213f6812547d48efc
Opcode Fuzzy Hash: 9cde83bbbcd28c803077783c89919f3d6436b3b66b97434dded9bf5af39e063f
Instruction Fuzzy Hash: D9513C76711B41AAEF11CFA2E8482AC37A8F7A8F98F455125DE4E43B58DF38C549D310

Function 0000022E65FF3740 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 125COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 0000022E65FF3820
Wow64DisableWow64FsRedirection.KERNEL32 ref: 0000022E65FF3834
PathCombineW.SHLWAPI ref: 0000022E65FF3850
GetFileAttributesW.KERNEL32 ref: 0000022E65FF388A
GetCurrentProcess.KERNEL32 ref: 0000022E65FF390F
Wow64RevertWow64FsRedirection.KERNEL32 ref: 0000022E65FF392B

Strings

System32\drivers\viorng.sys, xrefs: 0000022E65FF37C7
System32\drivers\netkvm.sys, xrefs: 0000022E65FF3785
System32\drivers\viofs.sys, xrefs: 0000022E65FF37A3
System32\drivers\balloon.sys, xrefs: 0000022E65FF3770
System32\drivers\viogpudo.sys, xrefs: 0000022E65FF37AF
System32\drivers\pvpanic.sys, xrefs: 0000022E65FF3797
System32\drivers\viostor.sys, xrefs: 0000022E65FF37EB
System32\drivers\vioser.sys, xrefs: 0000022E65FF37DF
Checking file %s , xrefs: 0000022E65FF3873
System32\drivers\vioinput.sys, xrefs: 0000022E65FF37BB
System32\drivers\vioscsi.sys, xrefs: 0000022E65FF37D3

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Wow64$Redirection$AttributesCombineCurrentDirectoryDisableFilePathProcessRevertWindows
String ID: Checking file %s $System32\drivers\balloon.sys$System32\drivers\netkvm.sys$System32\drivers\pvpanic.sys$System32\drivers\viofs.sys$System32\drivers\viogpudo.sys$System32\drivers\vioinput.sys$System32\drivers\viorng.sys$System32\drivers\vioscsi.sys$System32\drivers\vioser.sys$System32\drivers\viostor.sys
API String ID: 2137468328-3181514389
Opcode ID: 13fc9bd882d0352bad5dd1aa1d27485b42f4cd5d7e33db5c04d8b1f0c0470a2c
Instruction ID: c6bbdb8d5a0541d457a1827b28147657943b3422c2768445b31c50f3af15939a
Opcode Fuzzy Hash: 13fc9bd882d0352bad5dd1aa1d27485b42f4cd5d7e33db5c04d8b1f0c0470a2c
Instruction Fuzzy Hash: AA51C672714B40AAEF20CB96E8583EA77A9F7A4784F860122DA8D43BA4DF3CC545D750

Function 0000022E65FF2C70 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF2CC9
SysAllocString.OLEAUT32 ref: 0000022E65FF2CD9
CoUninitialize.OLE32 ref: 0000022E65FF2D36
SysFreeString.OLEAUT32 ref: 0000022E65FF2D3F
SysFreeString.OLEAUT32 ref: 0000022E65FF2D55
wcsstr.LIBVCRUNTIME ref: 0000022E65FF2E01
VariantClear.OLEAUT32 ref: 0000022E65FF2E11
wcsstr.LIBVCRUNTIME ref: 0000022E65FF2E7D
VariantClear.OLEAUT32 ref: 0000022E65FF2E8D
CoUninitialize.OLE32 ref: 0000022E65FF2ECE

Strings

Oracle Corporation, xrefs: 0000022E65FF2E76
Product, xrefs: 0000022E65FF2DD0
WQL, xrefs: 0000022E65FF2CB0
SELECT * FROM Win32_BaseBoard, xrefs: 0000022E65FF2CCF
VirtualBox, xrefs: 0000022E65FF2DFA
Manufacturer, xrefs: 0000022E65FF2E2A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Uninitialize$AllocClearFreeInitializeVariantwcsstr$CreateInstanceSecurity
String ID: Manufacturer$Oracle Corporation$Product$SELECT * FROM Win32_BaseBoard$VirtualBox$WQL
API String ID: 1677851102-1142199694
Opcode ID: 71325753381b062dfe9f22e382b6f96eceae306c31ec024c4a8a303219fc17d9
Instruction ID: dfd2f54158e3e2783a8271e80ee8f9bf34e20d106efaeaea8101e9ff2cedb8b9
Opcode Fuzzy Hash: 71325753381b062dfe9f22e382b6f96eceae306c31ec024c4a8a303219fc17d9
Instruction Fuzzy Hash: 28813272701B80AAEB10CFB6E8583AD33A8FB94B88F115426DE4D47B68DF39C559D310

Function 0000022E65FF2A60 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF2AA8
SysAllocString.OLEAUT32 ref: 0000022E65FF2AB8
CoUninitialize.OLE32 ref: 0000022E65FF2B15
SysFreeString.OLEAUT32 ref: 0000022E65FF2B1E
SysFreeString.OLEAUT32 ref: 0000022E65FF2B2C
wcsstr.LIBVCRUNTIME ref: 0000022E65FF2BC3
wcsstr.LIBVCRUNTIME ref: 0000022E65FF2BD8
wcsstr.LIBVCRUNTIME ref: 0000022E65FF2BED
VariantClear.OLEAUT32 ref: 0000022E65FF2BFD
CoUninitialize.OLE32 ref: 0000022E65FF2C45

Strings

ACPIBus_BUS_0, xrefs: 0000022E65FF2BBC
WQL, xrefs: 0000022E65FF2A92
PNP_BUS_0, xrefs: 0000022E65FF2BE6
PCI_BUS_0, xrefs: 0000022E65FF2BD1
SELECT * FROM Win32_Bus, xrefs: 0000022E65FF2AAE
Name, xrefs: 0000022E65FF2B8F

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Uninitializewcsstr$AllocFreeInitialize$ClearCreateInstanceSecurityVariant
String ID: ACPIBus_BUS_0$Name$PCI_BUS_0$PNP_BUS_0$SELECT * FROM Win32_Bus$WQL
API String ID: 721339888-2399075642
Opcode ID: a0a0edbca1b239832c5567b5d01ee201a0486bb9b2a4b095e197fb82ea787f9b
Instruction ID: ec330d1624a44e5e22bca3dff36f31811d7e656b276ae9966362477189ffa30d
Opcode Fuzzy Hash: a0a0edbca1b239832c5567b5d01ee201a0486bb9b2a4b095e197fb82ea787f9b
Instruction Fuzzy Hash: F4515E72700B4096EF109F66D8842AC77A8FBA8B98F165116DF4E43F68DF39C545D300

Function 0000022E65FDDA00 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 118synchronizationCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000022E65FDDA2F
CreateEventW.KERNEL32 ref: 0000022E65FDDA6E
GetLastError.KERNEL32 ref: 0000022E65FDDA80

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

CreateEventW.KERNEL32 ref: 0000022E65FDDAC4
GetLastError.KERNEL32 ref: 0000022E65FDDAD9
GetLastError.KERNEL32 ref: 0000022E65FDDB48
CloseHandle.KERNEL32 ref: 0000022E65FDDB64
CloseHandle.KERNEL32 ref: 0000022E65FDDB73
WaitForSingleObject.KERNEL32 ref: 0000022E65FDDBA9
CloseHandle.KERNEL32 ref: 0000022E65FDDBB2

Strings

thread.entry_event, xrefs: 0000022E65FDDAA8
thread, xrefs: 0000022E65FDDB8D
thread.exit_event, xrefs: 0000022E65FDDB01

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$DeallocateInit_thread_footerObjectSingleWait__std_exception_copystd::_
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 2962460297-3017686385
Opcode ID: cf8ba38e9baeeb78dc4d38b3d433cb89bbbd7952847ddaffff5848a23655a87d
Instruction ID: 3945d7e1b6fca54403923e946895910c420db21cd4c5fe1498c38c845b719c7a
Opcode Fuzzy Hash: cf8ba38e9baeeb78dc4d38b3d433cb89bbbd7952847ddaffff5848a23655a87d
Instruction Fuzzy Hash: 9D51C472711B80AAEF10DBA2E8583BD33A8F7A5B94F018625AA1E47795DF3CC516D300

Function 0000022E65FF3A40 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 97COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000022E65FF3B09
StrCmpIW.SHLWAPI ref: 0000022E65FF3B54
PathRemoveExtensionW.SHLWAPI ref: 0000022E65FF3B66

Strings

klavme.exe, xrefs: 0000022E65FF3A95
test.exe, xrefs: 0000022E65FF3A89
Checking if process file name looks like a hash: %s , xrefs: 0000022E65FF3B6F
sandbox.exe, xrefs: 0000022E65FF3A71
bot.exe, xrefs: 0000022E65FF3A65
sample.exe, xrefs: 0000022E65FF3A59
Checking if process file name contains: %s , xrefs: 0000022E65FF3B35
testapp.exe, xrefs: 0000022E65FF3AAD
malware.exe, xrefs: 0000022E65FF3A7D
myapp.exe, xrefs: 0000022E65FF3AA1

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Path$ExtensionFileFindNameRemove
String ID: Checking if process file name contains: %s $Checking if process file name looks like a hash: %s $bot.exe$klavme.exe$malware.exe$myapp.exe$sample.exe$sandbox.exe$test.exe$testapp.exe
API String ID: 583738052-4190982602
Opcode ID: 190950c614020018430969553ce8939ee10bc21674c72cb395e33e65cd0b9073
Instruction ID: 720a75ce400dbf5fe3a750ce734c081e558374ca14ac0ad93d853ae16ffadb5c
Opcode Fuzzy Hash: 190950c614020018430969553ce8939ee10bc21674c72cb395e33e65cd0b9073
Instruction Fuzzy Hash: 8B41B375714B84A5EE609B42F4AD3BA77A8F7A8790F450222CA8D43BA4DF3CC055D750

Function 0000022E65FEB8F0 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 185COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000022E65FEB9BD
std::_Deallocate.LIBCONCRT ref: 0000022E65FEBA0A
std::_Deallocate.LIBCONCRT ref: 0000022E65FEBA2F
CoUninitialize.OLE32 ref: 0000022E65FEBB15
std::_Deallocate.LIBCONCRT ref: 0000022E65FEBB30
std::_Deallocate.LIBCONCRT ref: 0000022E65FEBB5F
std::_Deallocate.LIBCONCRT ref: 0000022E65FEBB84

Strings

" -Force, xrefs: 0000022E65FEBA6F
powershell, xrefs: 0000022E65FEB9AC
-Command "Wait-Process -Id , xrefs: 0000022E65FEB9D2
-Recurse", xrefs: 0000022E65FEBA8E
; Remove-Item -Path ", xrefs: 0000022E65FEBA46

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$CurrentProcessUninitialize
String ID: -Command "Wait-Process -Id $ -Recurse"$" -Force$; Remove-Item -Path "$powershell
API String ID: 707173123-1183931778
Opcode ID: 04d861c4d53275a9c9e28dada9498484e8ae7043484da7a97280d41dd142acaa
Instruction ID: 439ed26ce0ebfc2ccf18bb27df325676a0e17223843202988c69f43b444bf345
Opcode Fuzzy Hash: 04d861c4d53275a9c9e28dada9498484e8ae7043484da7a97280d41dd142acaa
Instruction Fuzzy Hash: A7818A62B00B80AAEF10CBB6D8446EE377AE711B88F514516DF5D23BAADF30C515E784

Function 0000022E65FF1F80 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF1FCE
SysAllocString.OLEAUT32 ref: 0000022E65FF1FDE
CoUninitialize.OLE32 ref: 0000022E65FF203B
SysFreeString.OLEAUT32 ref: 0000022E65FF2044
SysFreeString.OLEAUT32 ref: 0000022E65FF2057
wcsstr.LIBVCRUNTIME ref: 0000022E65FF20EE
VariantClear.OLEAUT32 ref: 0000022E65FF20FE
CoUninitialize.OLE32 ref: 0000022E65FF213F

Strings

SELECT * FROM Win32_NetworkAdapterConfiguration, xrefs: 0000022E65FF1FD4
08:00:27, xrefs: 0000022E65FF20E7
WQL, xrefs: 0000022E65FF1FB8
MACAddress, xrefs: 0000022E65FF20BC

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Uninitialize$AllocFreeInitialize$ClearCreateInstanceSecurityVariantwcsstr
String ID: 08:00:27$MACAddress$SELECT * FROM Win32_NetworkAdapterConfiguration$WQL
API String ID: 2560539382-232164535
Opcode ID: 0b05267085d69751576c5fa1df170cba9ecff2f103616c55038b08c3985cf6bb
Instruction ID: e7fae62f2ccbf5fb5baaa7cb44c619da1eb07d737d02cd3a541dd0312dae0819
Opcode Fuzzy Hash: 0b05267085d69751576c5fa1df170cba9ecff2f103616c55038b08c3985cf6bb
Instruction Fuzzy Hash: 71513A72700B909AEF109F66E8882AD67A8F798F98F055115EF4E43F58CF39C885D314

Function 0000022E65FF2660 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF26AE
SysAllocString.OLEAUT32 ref: 0000022E65FF26BE
CoUninitialize.OLE32 ref: 0000022E65FF271B
SysFreeString.OLEAUT32 ref: 0000022E65FF2724
SysFreeString.OLEAUT32 ref: 0000022E65FF2737
wcsstr.LIBVCRUNTIME ref: 0000022E65FF27C7
VariantClear.OLEAUT32 ref: 0000022E65FF27D7
CoUninitialize.OLE32 ref: 0000022E65FF2816

Strings

PCI\VEN_80EE&DEV_CAFE, xrefs: 0000022E65FF27C0
DeviceId, xrefs: 0000022E65FF279C
WQL, xrefs: 0000022E65FF2698
SELECT * FROM Win32_PnPEntity, xrefs: 0000022E65FF26B4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Uninitialize$AllocFreeInitialize$ClearCreateInstanceSecurityVariantwcsstr
String ID: DeviceId$PCI\VEN_80EE&DEV_CAFE$SELECT * FROM Win32_PnPEntity$WQL
API String ID: 2560539382-342862491
Opcode ID: cf660a0d0e485e3e0821f4ea76faae67b610638f70d5b1c20fa5aab47c590efa
Instruction ID: bf4c52f5adbffc755c2b2e21d9ff55abf4c34ef2c5acd83dfcbeea1ce24bc510
Opcode Fuzzy Hash: cf660a0d0e485e3e0821f4ea76faae67b610638f70d5b1c20fa5aab47c590efa
Instruction Fuzzy Hash: 00517B77700B909AEB109F62E84826D77A8F794F98F061515EE4E43F58DF39C485D700

Function 0000022E65FD3F84 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FD3F91
GetProcAddress.KERNEL32 ref: 0000022E65FD3FAD
GetProcAddress.KERNEL32 ref: 0000022E65FD3FC9
GetProcAddress.KERNEL32 ref: 0000022E65FD3FE5
GetProcAddress.KERNEL32 ref: 0000022E65FD4001
GetProcAddress.KERNEL32 ref: 0000022E65FD401D

Strings

ntdll.dll, xrefs: 0000022E65FD3F8A
ZwSetContextThread, xrefs: 0000022E65FD4013
ZwAllocateVirtualMemory, xrefs: 0000022E65FD3FA3
ZwGetContextThread, xrefs: 0000022E65FD3FF7
ZwWriteVirtualMemory, xrefs: 0000022E65FD3FBF
ZwReadVirtualMemory, xrefs: 0000022E65FD3FDB

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: ZwAllocateVirtualMemory$ZwGetContextThread$ZwReadVirtualMemory$ZwSetContextThread$ZwWriteVirtualMemory$ntdll.dll
API String ID: 667068680-1731939869
Opcode ID: 4a81ed012dcd6642a0233e0a904d07027e8350104a5ef464071741b95219fc56
Instruction ID: 75ffe7f8f240b4381de454b75cbce423b116da5426f27d5048fc0fa5f48d2df4
Opcode Fuzzy Hash: 4a81ed012dcd6642a0233e0a904d07027e8350104a5ef464071741b95219fc56
Instruction Fuzzy Hash: 4C1100A8B22B01B5FE05DB86B85C33427ADAB69751F4B10248D5E03361FF7CD555E320

Function 0000022E65FD34DA Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD34E5
std::_Deallocate.LIBCONCRT ref: 0000022E65FD350F
std::_Deallocate.LIBCONCRT ref: 0000022E65FD361A
std::_Deallocate.LIBCONCRT ref: 0000022E65FD3642
std::_Deallocate.LIBCONCRT ref: 0000022E65FD36A7
std::_Deallocate.LIBCONCRT ref: 0000022E65FD3702
std::_Deallocate.LIBCONCRT ref: 0000022E65FD3729
std::_Deallocate.LIBCONCRT ref: 0000022E65FD378F
std::_Deallocate.LIBCONCRT ref: 0000022E65FD37C9

Strings

Command : , xrefs: 0000022E65FD366A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: Command :
API String ID: 1323251999-3275149113
Opcode ID: ef60ed1ce797cf69ca36319ecbba45193d77b362b60c0371bf6d77b4f903318d
Instruction ID: 4450d87cb4216c31afbd23e4392ab0e5cd68b35d73fe813e3435c8bee550a2d4
Opcode Fuzzy Hash: ef60ed1ce797cf69ca36319ecbba45193d77b362b60c0371bf6d77b4f903318d
Instruction Fuzzy Hash: FE916A72718B909AEB00CBA6E8445AE77B9F352B84F511515EF9913FAECF34C050EB14

Function 0000022E65FF3DF0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF4EC0: CoInitializeEx.OLE32 ref: 0000022E65FF4ED9
Part of subcall function 0000022E65FF4EC0: CoInitializeSecurity.OLE32 ref: 0000022E65FF4F06
Part of subcall function 0000022E65FF4EC0: CoCreateInstance.OLE32 ref: 0000022E65FF4F25
Part of subcall function 0000022E65FF4EC0: CoUninitialize.OLE32 ref: 0000022E65FF4F2F

SysAllocString.OLEAUT32 ref: 0000022E65FF3E3D
SysAllocString.OLEAUT32 ref: 0000022E65FF3E4D
CoUninitialize.OLE32 ref: 0000022E65FF3EA7
SysFreeString.OLEAUT32 ref: 0000022E65FF3EB0
SysFreeString.OLEAUT32 ref: 0000022E65FF3EC3
VariantClear.OLEAUT32 ref: 0000022E65FF3F7F
CoUninitialize.OLE32 ref: 0000022E65FF3FC0

Strings

WQL, xrefs: 0000022E65FF3E2C
SELECT * FROM Win32_LogicalDisk, xrefs: 0000022E65FF3E43
Size, xrefs: 0000022E65FF3F23

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Uninitialize$AllocFreeInitialize$ClearCreateInstanceSecurityVariant
String ID: SELECT * FROM Win32_LogicalDisk$Size$WQL
API String ID: 1983726959-274750787
Opcode ID: 5c6d1d1d7cc69962b546d2afd02027d6d62ab293970e714a47473fc973cdad8c
Instruction ID: 21feea30e099aaa520d0d024927e4c1a476702d53910a5a2506ed02181cbe42d
Opcode Fuzzy Hash: 5c6d1d1d7cc69962b546d2afd02027d6d62ab293970e714a47473fc973cdad8c
Instruction Fuzzy Hash: 5F516C72710A50AAEF14CFA2E4486AC37B8FB94F98F465111EE4E03B94CF38C485D300

Function 0000022E65FEF574 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

NtQueueApcThread, xrefs: 0000022E65FEF797
ntdll.dll, xrefs: 0000022E65FEF782
is program cannot be run in DOS mode.$, xrefs: 0000022E65FEF5DF

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: NtQueueApcThread$is program cannot be run in DOS mode.$$ntdll.dll
API String ID: 0-1695160815
Opcode ID: 9be1b87c1db1c18c7ce90f72536bf3e48b619575d7ae131a9198b1d767078c00
Instruction ID: e27b6fbb3f6d607b1e80ed9fee7643741d4dbfc4d2d5a0bb78f5dba0eb3d94a5
Opcode Fuzzy Hash: 9be1b87c1db1c18c7ce90f72536bf3e48b619575d7ae131a9198b1d767078c00
Instruction Fuzzy Hash: 4A81D162B10B41AAEF41CFA6E8486BC27B8F768B88F129211CF1C53755EF34C582D300

Function 0000022E65FCF8A8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 141COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000022E65FCF97B
std::_Deallocate.LIBCONCRT ref: 0000022E65FCF9CE
std::_Deallocate.LIBCONCRT ref: 0000022E65FCF9F3
std::_Deallocate.LIBCONCRT ref: 0000022E65FCFA89
std::_Deallocate.LIBCONCRT ref: 0000022E65FCFAAE

Strings

" -Force, xrefs: 0000022E65FCFA34
powershell, xrefs: 0000022E65FCF96A
-Command "Wait-Process -Id , xrefs: 0000022E65FCF990
; Remove-Item -Path ", xrefs: 0000022E65FCFA0A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$CurrentProcess
String ID: -Command "Wait-Process -Id $" -Force$; Remove-Item -Path "$powershell
API String ID: 1011286393-2725262429
Opcode ID: 4e514233196b107d0873afa56756a74ac3cebf1d3976237dd14b49c3fe5f25d8
Instruction ID: ccae2578177d05c3a5eb96e75f3dc53b21340033c2c87327535c81a7b6468444
Opcode Fuzzy Hash: 4e514233196b107d0873afa56756a74ac3cebf1d3976237dd14b49c3fe5f25d8
Instruction Fuzzy Hash: 6C51C172700A80AAEF10CFA5D8842EE37B9E711798F514229DF5963BEACF30C516E744

Function 0000022E65FD9D1C Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FD9D82
GetLastError.KERNEL32 ref: 0000022E65FD9D8D

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

CloseHandle.KERNEL32 ref: 0000022E65FD9DDB
CloseHandle.KERNEL32 ref: 0000022E65FD9E06
DeleteCriticalSection.KERNEL32 ref: 0000022E65FD9E76
CloseHandle.KERNEL32 ref: 0000022E65FD9E86
CloseHandle.KERNEL32 ref: 0000022E65FD9E9A
CloseHandle.KERNEL32 ref: 0000022E65FD9EB6

Strings

pqcs, xrefs: 0000022E65FD9DAC

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CompletionCriticalDeallocateDeleteErrorInit_thread_footerLastPostQueuedSectionStatus__std_exception_copystd::_
String ID: pqcs
API String ID: 2229371356-2559862021
Opcode ID: d9236eaaddc4e12c8e375aa211b7f544d910b76fdf75790bee41a16bd9ef96c2
Instruction ID: fc1b53ddd8bf4a3404b67d49a39dcaa0b5016b9e1a0375b48ab94d9fcc9786aa
Opcode Fuzzy Hash: d9236eaaddc4e12c8e375aa211b7f544d910b76fdf75790bee41a16bd9ef96c2
Instruction Fuzzy Hash: 9751E272311B40AAEF54CFA2D5587BA73A8F7AAF94F0A52258B4E43390DF38C855D310

Function 0000022E65FCFEB4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 0000022E65FCFF0A
inet_addr.WS2_32 ref: 0000022E65FCFF29
htons.WS2_32 ref: 0000022E65FCFF36
connect.WS2_32 ref: 0000022E65FCFF4B
getsockname.WS2_32 ref: 0000022E65FCFF67
inet_ntop.WS2_32 ref: 0000022E65FCFF8B
closesocket.WS2_32 ref: 0000022E65FCFFC2
std::_Deallocate.LIBCONCRT ref: 0000022E65FCFFFA

Strings

8.8.8.8, xrefs: 0000022E65FCFF22

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocateclosesocketconnectgetsocknamehtonsinet_addrinet_ntopsocketstd::_
String ID: 8.8.8.8
API String ID: 2991815363-3817307869
Opcode ID: c2ae4e2aa8a317cf68590252c03d98a9c6f3b48ecdf20f8d262c5a68fab716fa
Instruction ID: 9c83e06d354758001e61793d555e4b36d4d5d9907fb99cb95bdff13464649eae
Opcode Fuzzy Hash: c2ae4e2aa8a317cf68590252c03d98a9c6f3b48ecdf20f8d262c5a68fab716fa
Instruction Fuzzy Hash: C4417F72B14B80EAEB10CFB5E4446ED37BAF714BA8F420225CE5927B98DB34C51AD750

Function 0000022E65FEFE44 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FEFE95
GetProcAddress.KERNEL32 ref: 0000022E65FEFEA8
GetProcAddress.KERNEL32 ref: 0000022E65FEFEBB
GetProcAddress.KERNEL32 ref: 0000022E65FEFECE
GetCurrentProcess.KERNEL32 ref: 0000022E65FEFF21

Part of subcall function 0000022E65FEFD14: GetModuleHandleW.KERNEL32 ref: 0000022E65FEFD47
Part of subcall function 0000022E65FEFD14: GetProcAddress.KERNEL32 ref: 0000022E65FEFD5A
Part of subcall function 0000022E65FEFD14: GetProcAddress.KERNEL32 ref: 0000022E65FEFD6D

Strings

ZwClose, xrefs: 0000022E65FEFEC1
ntdll.dll, xrefs: 0000022E65FEFE8A
NtCreateSection, xrefs: 0000022E65FEFE9E
RtlNtStatusToDosError, xrefs: 0000022E65FEFEAE

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$CurrentProcess
String ID: NtCreateSection$RtlNtStatusToDosError$ZwClose$ntdll.dll
API String ID: 1077269151-4126113578
Opcode ID: d2089462babfbfc65f65bb6324dea4aecb6801d4324b3ef86f1eb5f1e07f0e31
Instruction ID: 34ae6f7305abb527cd5b8b5aca80326dc51aaedfea3051503858efe676870bfe
Opcode Fuzzy Hash: d2089462babfbfc65f65bb6324dea4aecb6801d4324b3ef86f1eb5f1e07f0e31
Instruction Fuzzy Hash: 1C41B676B10B51A9EB10CFA2F8486AD37B8F759B88F160126EE0D93B18DF38C446D350

Function 0000022E65FEF44C Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FEF48B
GetModuleHandleW.KERNEL32 ref: 0000022E65FEF4A4

Strings

RtlAnsiStringToUnicodeString, xrefs: 0000022E65FEF508
ZwProtectVirtualMemory, xrefs: 0000022E65FEF4ED
LdrLoadDll, xrefs: 0000022E65FEF4B3
ntdll.dll, xrefs: 0000022E65FEF47F
LdrGetProcedureAddress, xrefs: 0000022E65FEF4D2
RtlFreeUnicodeString, xrefs: 0000022E65FEF523
kernel32.dll, xrefs: 0000022E65FEF49D

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: LdrGetProcedureAddress$LdrLoadDll$RtlAnsiStringToUnicodeString$RtlFreeUnicodeString$ZwProtectVirtualMemory$kernel32.dll$ntdll.dll
API String ID: 4139908857-3936008073
Opcode ID: 726f2060fe50d068fdc7436a815b9bcc23a41317b0fb675c7f355f9fb0802a07
Instruction ID: 2dc07c7552454182a9897f00983986a5895fcc33b0116b003e7f67324d3b87a7
Opcode Fuzzy Hash: 726f2060fe50d068fdc7436a815b9bcc23a41317b0fb675c7f355f9fb0802a07
Instruction Fuzzy Hash: FA31A461A15B8078FE91CFC6B84933423ECEBB4790F5755249A6E06352EF7CD481B360

Function 0000022E65FEDA78 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022E65FEDAD3
GetProcAddress.KERNEL32 ref: 0000022E65FEDAE6

Part of subcall function 0000022E65FEF23C: GetModuleHandleA.KERNEL32 ref: 0000022E65FEF2A0
Part of subcall function 0000022E65FEF23C: GetProcAddress.KERNEL32 ref: 0000022E65FEF2B0

GetProcAddress.KERNEL32 ref: 0000022E65FEDB05
VirtualProtectEx.KERNEL32 ref: 0000022E65FEDB2A
VirtualProtectEx.KERNEL32 ref: 0000022E65FEDB62

Strings

SleepEx, xrefs: 0000022E65FEDADC
WriteProcessMemory, xrefs: 0000022E65FEDAF8
kernel32.dll, xrefs: 0000022E65FEDA97
UD3", xrefs: 0000022E65FEDAC1

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModuleProtectVirtual
String ID: SleepEx$UD3"$WriteProcessMemory$kernel32.dll
API String ID: 2492872976-2122506030
Opcode ID: 3adca6a6eb40ca33ac78abbbaa9f5f44ddec007e8028c110e727a6e9d6522140
Instruction ID: 8e8248d47c9fbbdd430bad7734ef9e4abf1fd495ef9d8d571a809b6f6cc2e5bb
Opcode Fuzzy Hash: 3adca6a6eb40ca33ac78abbbaa9f5f44ddec007e8028c110e727a6e9d6522140
Instruction Fuzzy Hash: CD21B1B6B10B40AAEB10CFA2E8086AD3779F359BD8F410125DE5D17B08DF38C546C790

Function 0000022E65FE01B4 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 279processCOMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FE02B6
SetHandleInformation.KERNEL32 ref: 0000022E65FE02FD
CreateProcessA.KERNEL32 ref: 0000022E65FE03D8
CloseHandle.KERNEL32 ref: 0000022E65FE0474
CloseHandle.KERNEL32 ref: 0000022E65FE047E
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FE061B

Strings

CreateProcess failed, xrefs: 0000022E65FE05F0
Empty Environment, xrefs: 0000022E65FE028A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Handle$CloseExceptionThrow$CreateInformationProcess
String ID: CreateProcess failed$Empty Environment
API String ID: 4279034346-2749440396
Opcode ID: 47022ba870feab8762dd125be17dba9ed1689e8227e944009d4fcf252f15e241
Instruction ID: 852e964c07639d05803d36d46d47e8cdae47aea3d53413b2a1fd53b2fb4bf7e5
Opcode Fuzzy Hash: 47022ba870feab8762dd125be17dba9ed1689e8227e944009d4fcf252f15e241
Instruction Fuzzy Hash: B6E1BF33A00B80A9EB10CFA6E8487AD77B8F7A5B94F624216DBAC57754EF74C481D340

Function 0000022E65FECD74 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 0000022E65FECDE6
RegCreateKeyW.ADVAPI32 ref: 0000022E65FECE05
RegSetValueExW.ADVAPI32 ref: 0000022E65FECEA4
RegSetValueExW.ADVAPI32 ref: 0000022E65FECF08
RegCloseKey.ADVAPI32 ref: 0000022E65FECF16
RegCloseKey.ADVAPI32 ref: 0000022E65FECF26

Strings

SOFTWARE\UnknownDB, xrefs: 0000022E65FECDB9
size, xrefs: 0000022E65FECEFD

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseValue$CreateOpen
String ID: SOFTWARE\UnknownDB$size
API String ID: 2738932338-2725006514
Opcode ID: f37ad5af245a9fbd4f0c2841d37080ec202a735c3d1fd5d1a9e6a6567b779846
Instruction ID: 9570c19b720682c6f452da7b1c737e1cbf5cdcd00fa06752c20a88c33f149c95
Opcode Fuzzy Hash: f37ad5af245a9fbd4f0c2841d37080ec202a735c3d1fd5d1a9e6a6567b779846
Instruction Fuzzy Hash: B551B362710A80A9EF20DFA6D8447ED2BA9F754BE8F650125EE1D87B98DF38C446D300

Function 0000022E65FEAE40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FEAC4C: std::_Deallocate.LIBCONCRT ref: 0000022E65FEAD44

Part of subcall function 0000022E65FC84BC: std::_Deallocate.LIBCONCRT ref: 0000022E65FC84F1

std::_Deallocate.LIBCONCRT ref: 0000022E65FEAEB5
std::_Deallocate.LIBCONCRT ref: 0000022E65FEAF14
std::_Deallocate.LIBCONCRT ref: 0000022E65FEAF75
std::_Deallocate.LIBCONCRT ref: 0000022E65FEAF9A
std::_Deallocate.LIBCONCRT ref: 0000022E65FEAFE0
std::_Deallocate.LIBCONCRT ref: 0000022E65FEB005

Strings

schtasks.exe /F /create /sc minute /mo 4 /TN ", xrefs: 0000022E65FEAEDB
/ST 04:00 /TR "wscript /nologo , xrefs: 0000022E65FEAF28

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: /ST 04:00 /TR "wscript /nologo $schtasks.exe /F /create /sc minute /mo 4 /TN "
API String ID: 1323251999-4088562580
Opcode ID: 60821cd9d649be53d51c44833d2c351444a2ba3bf7763e0e731f4f620a153907
Instruction ID: bbcc3c1ad8b1dd865a278a2807279f1f294464709cd3d9ca3dceb5ccd5bb53fe
Opcode Fuzzy Hash: 60821cd9d649be53d51c44833d2c351444a2ba3bf7763e0e731f4f620a153907
Instruction Fuzzy Hash: F8516C72710A80ADFB00CFB6D8481ED377AE7657C8B414116EB6A63BAADF30C515D384

Function 0000022E65FD9B58 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 0000022E65FD9BE2
VerifyVersionInfoW.KERNEL32 ref: 0000022E65FD9BF2

Part of subcall function 0000022E65FD95F4: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000022E65FD95FD
Part of subcall function 0000022E65FD95F4: GetLastError.KERNEL32 ref: 0000022E65FD9607

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

CreateIoCompletionPort.KERNEL32 ref: 0000022E65FD9C76
GetLastError.KERNEL32 ref: 0000022E65FD9C85
new.LIBCMT ref: 0000022E65FD9CC0
CloseHandle.KERNEL32 ref: 0000022E65FD9CEB

Strings

iocp, xrefs: 0000022E65FD9CA1
mutex, xrefs: 0000022E65FD9C35

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseCompletionConditionCountCreateCriticalDeallocateHandleInfoInit_thread_footerInitializeMaskPortSectionSpinVerifyVersion__std_exception_copystd::_
String ID: iocp$mutex
API String ID: 896490569-1266449624
Opcode ID: c010a2ec616b73aff491db2663431c0d959f51054d50780293b131bbfb3e82e2
Instruction ID: 8e20ced66b5598533b133f611cec71bb28d7fe7da19cb36bb063bfc4e69b2b3f
Opcode Fuzzy Hash: c010a2ec616b73aff491db2663431c0d959f51054d50780293b131bbfb3e82e2
Instruction Fuzzy Hash: 6741F172301B80AAEF14DFA9E8883A973A8F755B60F5583299B5D437D1EF38D526D300

Function 0000022E65FE380C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FE39D6

Part of subcall function 0000022E660CF158: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0000022E660CF164
Part of subcall function 0000022E660CF158: _CxxThrowException.LIBVCRUNTIME ref: 0000022E660CF175

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FE38CD

Part of subcall function 0000022E660F3F74: std::bad_alloc::bad_alloc.LIBCMT ref: 0000022E660F3F7D
Part of subcall function 0000022E660F3F74: _CxxThrowException.LIBVCRUNTIME ref: 0000022E660F3F8E

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FE38EC
new.LIBCMT ref: 0000022E65FE38F5
new.LIBCMT ref: 0000022E65FE3908
std::_Deallocate.LIBCONCRT ref: 0000022E65FE3995

Strings

vector<T> too long, xrefs: 0000022E65FE3882

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskDeallocateExceptionThrowstd::_$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID: vector<T> too long
API String ID: 766625294-3788999226
Opcode ID: 9bb2e9ceaecc9d08049c032bdd5cfe5ebdea079d3173516be4eb89fddc204784
Instruction ID: 5040b9d92db418870bcf44b1de59578a610a01ace35a9729a6eca95444e2fbb9
Opcode Fuzzy Hash: 9bb2e9ceaecc9d08049c032bdd5cfe5ebdea079d3173516be4eb89fddc204784
Instruction Fuzzy Hash: 1861E262711684B6EE20DFA7E44D37966AAE764BD0F224115CFBD07BE5CF38E481A300

Function 0000022E65FCF6C8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FEAC4C: std::_Deallocate.LIBCONCRT ref: 0000022E65FEAD44

std::_Deallocate.LIBCONCRT ref: 0000022E65FCF778
std::_Deallocate.LIBCONCRT ref: 0000022E65FCF7A2
SHGetSpecialFolderPathA.SHELL32 ref: 0000022E65FCF7C3
lstrcatA.KERNEL32 ref: 0000022E65FCF7DE
CopyFileA.KERNEL32 ref: 0000022E65FCF7F8
std::_Deallocate.LIBCONCRT ref: 0000022E65FCF842

Strings

.exe, xrefs: 0000022E65FCF74D

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$CopyFileFolderPathSpeciallstrcat
String ID: .exe
API String ID: 956675264-4119554291
Opcode ID: cea737a5c3560cd50e02a513239cba0acf317eb2d53bbbcee1ce1bc318ebd73d
Instruction ID: 49895b7a50fd8cc461a5b5a888082cf9c2c7987bb88e558966974da7892e962c
Opcode Fuzzy Hash: cea737a5c3560cd50e02a513239cba0acf317eb2d53bbbcee1ce1bc318ebd73d
Instruction Fuzzy Hash: 6F410472314A40A9EF10CB66E8483AEBB75F395BC8F514125DB4D03AE9CF39C586DB40

Function 0000022E65FD0458 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD0562

Part of subcall function 0000022E65FD0AFC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD0BC7
Part of subcall function 0000022E65FD0AFC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD0BF1
Part of subcall function 0000022E65FD0AFC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD0C1B

std::_Deallocate.LIBCONCRT ref: 0000022E65FD05AF

Strings

Leave PreConnect, xrefs: 0000022E65FD05C5
Enter PreConnect, xrefs: 0000022E65FD047E
Failed to connect , xrefs: 0000022E65FD0526
active_connection if false : , xrefs: 0000022E65FD0573
Host is active, xrefs: 0000022E65FD04A5

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: Enter PreConnect$Failed to connect $Host is active$Leave PreConnect$active_connection if false :
API String ID: 1323251999-2787713250
Opcode ID: 2dc6a6b313be61b288e0f685bf221c82afd92e9f5219b53c085fd8048c2cac3c
Instruction ID: dec65fd5841d1794a1785ed59d21118355186e1d99292d374ab895fd436a1c5b
Opcode Fuzzy Hash: 2dc6a6b313be61b288e0f685bf221c82afd92e9f5219b53c085fd8048c2cac3c
Instruction Fuzzy Hash: C5419B62710A41A8FF00EBA2E8087FC3769E362B84F465212DE191B3DAEF78C145E310

Function 0000022E65FCA2E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FCA2FF
std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FCA322
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FCA34C
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FCA3EA
std::_Facet_Register.LIBCPMT ref: 0000022E65FCA407
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FCA411

Strings

bad cast, xrefs: 0000022E65FCA3C9

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
String ID: bad cast
API String ID: 1824299764-3145022300
Opcode ID: 4798a8e7d30c8bb7c778a1dbe6bab799c65b2e68f0a292906d61265ed57fc931
Instruction ID: 4f115599f774d4dbba4ec93193d6e0f84e6098650fa3edd2f1f943fbe1763e7d
Opcode Fuzzy Hash: 4798a8e7d30c8bb7c778a1dbe6bab799c65b2e68f0a292906d61265ed57fc931
Instruction Fuzzy Hash: DE419262760A10AAFF51DBE6D8482BD33ACF7607A4F1A1231DE5D137E5DB38C845A310

Function 0000022E65FCA5A0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FCA5BF
std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FCA5E2
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FCA60C
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FCA6AA
std::_Facet_Register.LIBCPMT ref: 0000022E65FCA6C7
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FCA6D1

Strings

bad cast, xrefs: 0000022E65FCA689

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
String ID: bad cast
API String ID: 1824299764-3145022300
Opcode ID: 5e05aef1ebe370ac35ee6bc66840cbd5ac3a6dec5b278f096a06f91e789afb4d
Instruction ID: 2ffe97615c95e3eba21dd2fa283cc78a4fd3600cbb101a5855f7e3b90be26191
Opcode Fuzzy Hash: 5e05aef1ebe370ac35ee6bc66840cbd5ac3a6dec5b278f096a06f91e789afb4d
Instruction Fuzzy Hash: E0419366721A10A9EF11DFE6D8482BD33ACE764BA4F161232DA5D037E5DF38C881E300

Function 0000022E65FDD30C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FDD32B
std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FDD34E
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FDD378
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FDD416
std::_Facet_Register.LIBCPMT ref: 0000022E65FDD433
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FDD43D

Strings

bad cast, xrefs: 0000022E65FDD3F5

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow
String ID: bad cast
API String ID: 1824299764-3145022300
Opcode ID: e55b296b51b1a49406912f3423f41d1818cf255f20798f0af81bea34bdc0c0b2
Instruction ID: 2851a598f08f4afa91372fd67a11cfdd0a9f11962aaf282ea60bff90a0162d8d
Opcode Fuzzy Hash: e55b296b51b1a49406912f3423f41d1818cf255f20798f0af81bea34bdc0c0b2
Instruction Fuzzy Hash: 29419F62761A50AAEF11DFA6D8482BC336DE765BA4F1613229E1D537A9DB38C841A300

Function 0000022E65FEFD14 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FEFD47
GetProcAddress.KERNEL32 ref: 0000022E65FEFD5A
GetProcAddress.KERNEL32 ref: 0000022E65FEFD6D

Strings

@, xrefs: 0000022E65FEFD73
ntdll.dll, xrefs: 0000022E65FEFD34
NtMapViewOfSection, xrefs: 0000022E65FEFD50
RtlNtStatusToDosError, xrefs: 0000022E65FEFD60

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: @$NtMapViewOfSection$RtlNtStatusToDosError$ntdll.dll
API String ID: 667068680-1608534789
Opcode ID: 9fd6bcc10a810e17ad7610d687c6c7ed26af0f6ac59edeca4d1013363b507bc9
Instruction ID: 68dcaf266c9988215712af19983346fe697d7d0aff7bde58bafe9553de590a45
Opcode Fuzzy Hash: 9fd6bcc10a810e17ad7610d687c6c7ed26af0f6ac59edeca4d1013363b507bc9
Instruction Fuzzy Hash: 5E117676624B409AEB109B12F84CBA977A8F388BE4F564125DE5C83715DB7DC54ACB00

Function 0000022E65FD9934 Relevance: 12.1, APIs: 8, Instructions: 62synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 0000022E65FD995F
CloseHandle.KERNEL32 ref: 0000022E65FD9969
TerminateThread.KERNEL32 ref: 0000022E65FD9983
QueueUserAPC.KERNEL32 ref: 0000022E65FD9999
WaitForSingleObject.KERNEL32 ref: 0000022E65FD99A6
SetEvent.KERNEL32 ref: 0000022E65FD99D4
SetEvent.KERNEL32 ref: 0000022E65FD99FD
SleepEx.KERNEL32 ref: 0000022E65FD9A0B

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: EventWait$CloseHandleMultipleObjectObjectsQueueSingleSleepTerminateThreadUser
String ID:
API String ID: 499322454-0
Opcode ID: 7176941899f37e76fcf79a9e4b018e461708093eb06a4753ec9b4d6ee94773ab
Instruction ID: 8d9129fa7c263fd0f472ca2c8e0044ae267aa4a60bfbe5eabdb0bad88864d27f
Opcode Fuzzy Hash: 7176941899f37e76fcf79a9e4b018e461708093eb06a4753ec9b4d6ee94773ab
Instruction Fuzzy Hash: 8B21BD36620A4092EB108F6AE85832A7374F799FA8F594311DBAE477E4CF3DC856C740

Function 0000022E65FEC5A4 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF5E20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5EC2
Part of subcall function 0000022E65FF5E20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5EFD

Part of subcall function 0000022E65FF6050: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF60B4
Part of subcall function 0000022E65FF6050: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF6123

std::_Deallocate.LIBCONCRT ref: 0000022E65FEC87F
std::_Deallocate.LIBCONCRT ref: 0000022E65FEC8BD
std::_Deallocate.LIBCONCRT ref: 0000022E65FECA28
std::_Deallocate.LIBCONCRT ref: 0000022E65FECA5A

Strings

SELECT * FROM serverinfo, xrefs: 0000022E65FEC5CD
channels, xrefs: 0000022E65FEC6E7

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeallocateExceptionThrowstd::_
String ID: SELECT * FROM serverinfo$channels
API String ID: 1220337477-48552841
Opcode ID: 674631c6f81ab3fd7475041a037d412325999a5b3ee0907353b81d48a2a285bc
Instruction ID: b7dbf1ffc2d8642515f41a9a84d807592c297bd98fccbf1f1a2fb8cbd0f63e61
Opcode Fuzzy Hash: 674631c6f81ab3fd7475041a037d412325999a5b3ee0907353b81d48a2a285bc
Instruction Fuzzy Hash: 2CC18D72208BC0A5DA70DB66E8447EBBBA8F791780F519115EBD953BA9CF38C445EB00

Function 0000022E65FD7FE0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

sprintf.LEGACY_STDIO_DEFINITIONS ref: 0000022E65FD8092
sprintf.LEGACY_STDIO_DEFINITIONS ref: 0000022E65FD80D3
std::_Deallocate.LIBCONCRT ref: 0000022E65FD817A

Strings

in function ', xrefs: 0000022E65FD8106
:%ld, xrefs: 0000022E65FD8087, 0000022E65FD80C8
(unknown source location), xrefs: 0000022E65FD802D

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: sprintf$Deallocatestd::_
String ID: in function '$(unknown source location)$:%ld
API String ID: 4155924254-763319163
Opcode ID: 26b804918a37ce5829ce286cf1798866ed6a7ad2605e9ad207c4c321110f78e2
Instruction ID: 35b39caa25c172eecee32d6ae7363cd4b9eb32dbc2d18e78c1818ca86050515b
Opcode Fuzzy Hash: 26b804918a37ce5829ce286cf1798866ed6a7ad2605e9ad207c4c321110f78e2
Instruction Fuzzy Hash: 6E518E63B247A0ADEF10CBA6D8441EC37BCF322B98F425615DF2923AA9CB34C555D700

Function 0000022E65FE3040 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000022E65FE30E1
new.LIBCMT ref: 0000022E65FE30F4
std::_Deallocate.LIBCONCRT ref: 0000022E65FE31AF
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FE31D9
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FE31DF

Strings

deque<T> too long, xrefs: 0000022E65FE31E5

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID: deque<T> too long
API String ID: 4267064421-309773918
Opcode ID: a8371790d31e61ca2179988caa23beae1e989b7851626b5beca36ad8092389eb
Instruction ID: d1ff7208f003cd6de8ffe4374b36b2f1ebd8677da0855486eeed908d43f27102
Opcode Fuzzy Hash: a8371790d31e61ca2179988caa23beae1e989b7851626b5beca36ad8092389eb
Instruction Fuzzy Hash: 34411452710680B6EE14DFE6E80C3B9A325E765BE4F164A25AF3D0BBD6CE38C142D340

Function 0000022E65FDA184 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FDA1DB
GetLastError.KERNEL32 ref: 0000022E65FDA1E5

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

TlsGetValue.KERNEL32 ref: 0000022E65FDA276
TlsSetValue.KERNEL32 ref: 0000022E65FDA28A
TlsSetValue.KERNEL32 ref: 0000022E65FDA2C2

Strings

pqcs, xrefs: 0000022E65FDA200

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Value$CompletionDeallocateErrorInit_thread_footerLastPostQueuedStatus__std_exception_copystd::_
String ID: pqcs
API String ID: 2595774183-2559862021
Opcode ID: 67126a693f1b547c11f55c1c97bd62aedbe8987d0e7e89e82c71c6f7f739cb94
Instruction ID: 5aaf50f3ab1129e4773f041298d6eeaecaaf1387425498f656586b84bb8dd94f
Opcode Fuzzy Hash: 67126a693f1b547c11f55c1c97bd62aedbe8987d0e7e89e82c71c6f7f739cb94
Instruction Fuzzy Hash: F8416E72B10B40AEEF10DBA6D8483AC33B9E765B98F0647258A5D53794DF39C94AD340

Function 0000022E65FCF0F8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FEAC4C: std::_Deallocate.LIBCONCRT ref: 0000022E65FEAD44

std::_Deallocate.LIBCONCRT ref: 0000022E65FCF191
std::_Deallocate.LIBCONCRT ref: 0000022E65FCF1C2
SHGetSpecialFolderPathA.SHELL32 ref: 0000022E65FCF1E4
lstrcatA.KERNEL32 ref: 0000022E65FCF1FF
std::_Deallocate.LIBCONCRT ref: 0000022E65FCF259

Strings

.exe, xrefs: 0000022E65FCF166

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$FolderPathSpeciallstrcat
String ID: .exe
API String ID: 2033018779-4119554291
Opcode ID: 86f50675cec375b1e420dad1b05f22a17f0365dd77e04f05d47e760de14c97b4
Instruction ID: f8a091d5b6de89df107c7db8064e8f16e5df6c77dcecf43a644366e2f0792894
Opcode Fuzzy Hash: 86f50675cec375b1e420dad1b05f22a17f0365dd77e04f05d47e760de14c97b4
Instruction Fuzzy Hash: 6641F772314A8096EF10CB66E8483AEB769F3947C4F514126EB9E43BA9DF38C545CB40

Function 0000022E660D11EC Relevance: 10.6, APIs: 7, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000022E660D120C
std::_Lockit::_Lockit.LIBCPMT ref: 0000022E660D1231
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E660D125B
messages.LIBCPMT ref: 0000022E660D12BA
_CxxThrowException.LIBVCRUNTIME ref: 0000022E660D12DB
std::_Facet_Register.LIBCPMT ref: 0000022E660D1304
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E660D130F

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowmessages
String ID:
API String ID: 3662767126-0
Opcode ID: 1f150c765907ab37a94505b30b5c99ffad3960d40301666794f5b7568a6fc05a
Instruction ID: fe8a6dda13c7ab60ef6f2edcdf225204be6ede0e48c4455c118d1cbb045ae160
Opcode Fuzzy Hash: 1f150c765907ab37a94505b30b5c99ffad3960d40301666794f5b7568a6fc05a
Instruction Fuzzy Hash: 4A31E9A1624A40A1FE60DBA5E5482BD7379E7B47E4F1A0322DA5D437E5CF3DC852D300

Function 0000022E65FC7D7C Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FC7DA7

Part of subcall function 0000022E66114DA0: RtlPcToFileHeader.KERNEL32 ref: 0000022E66114E1D
Part of subcall function 0000022E66114DA0: RaiseException.KERNEL32 ref: 0000022E66114E5C

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FC7DF5
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FC7E43
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FC7E8D

Strings

ios_base::failbit set, xrefs: 0000022E65FC7E18
ios_base::eofbit set, xrefs: 0000022E65FC7E62
ios_base::badbit set, xrefs: 0000022E65FC7DCA

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception$Throw$FileHeaderRaise
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3102897148-1866435925
Opcode ID: a872ada0f591cf5e7bd9b635ff7d56a81b1e54baaee857d1449e850a8b39a782
Instruction ID: 14994aaadcb04c34e3cf5a0a079ddd82f2a8ddb6b5abd53686c52528e29fb6db
Opcode Fuzzy Hash: a872ada0f591cf5e7bd9b635ff7d56a81b1e54baaee857d1449e850a8b39a782
Instruction Fuzzy Hash: 2A3153B2B10A11ADFF00DBF5E8492FC2378F76071CF654229DA59269AAEB348546D310

Function 0000022E65FF5010 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000022E65FF503B
SysAllocString.OLEAUT32 ref: 0000022E65FF5047
CoUninitialize.OLE32 ref: 0000022E65FF509C
SysFreeString.OLEAUT32 ref: 0000022E65FF50A5
SysFreeString.OLEAUT32 ref: 0000022E65FF50B3

Strings

WQL, xrefs: 0000022E65FF502E

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Uninitialize
String ID: WQL
API String ID: 3194604352-1249411209
Opcode ID: 5186d0499027583f7b472d7d03f282dcf75d9b96859b3fc5490b072ca91c77a5
Instruction ID: 613e820c0e05b48b45d1aea6f7e2022cb4aeb7fce3917505b0b25c5e9709aceb
Opcode Fuzzy Hash: 5186d0499027583f7b472d7d03f282dcf75d9b96859b3fc5490b072ca91c77a5
Instruction Fuzzy Hash: 0E113A76710B5196EE009F93E848329A7A8F7A8FD0F0A8421DE4D47B64DF3DC9469700

Function 0000022E65FEF82C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FEFE44: GetModuleHandleW.KERNEL32 ref: 0000022E65FEFE95
Part of subcall function 0000022E65FEFE44: GetProcAddress.KERNEL32 ref: 0000022E65FEFEA8
Part of subcall function 0000022E65FEFE44: GetProcAddress.KERNEL32 ref: 0000022E65FEFEBB
Part of subcall function 0000022E65FEFE44: GetProcAddress.KERNEL32 ref: 0000022E65FEFECE
Part of subcall function 0000022E65FEFE44: GetCurrentProcess.KERNEL32 ref: 0000022E65FEFF21

GetModuleHandleW.KERNEL32 ref: 0000022E65FEF896
GetProcAddress.KERNEL32 ref: 0000022E65FEF8AB
CloseHandle.KERNEL32 ref: 0000022E65FEF8C7
CloseHandle.KERNEL32 ref: 0000022E65FEF8D2

Part of subcall function 0000022E65FEFD14: GetModuleHandleW.KERNEL32 ref: 0000022E65FEFD47
Part of subcall function 0000022E65FEFD14: GetProcAddress.KERNEL32 ref: 0000022E65FEFD5A
Part of subcall function 0000022E65FEFD14: GetProcAddress.KERNEL32 ref: 0000022E65FEFD6D

Strings

NtQueueApcThread, xrefs: 0000022E65FEF8A1
ntdll.dll, xrefs: 0000022E65FEF88F

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$Handle$Module$Close$CurrentProcess
String ID: NtQueueApcThread$ntdll.dll
API String ID: 2093435054-3385522575
Opcode ID: 7f032f0d48ae3e64864103df712840d2cf7fc0e8f16d6bb5a43478fb4a3f51a2
Instruction ID: 120350f6cadcca1c2f9c65de3a0c80e0af28482aef3b1d1778d7302abebe6741
Opcode Fuzzy Hash: 7f032f0d48ae3e64864103df712840d2cf7fc0e8f16d6bb5a43478fb4a3f51a2
Instruction Fuzzy Hash: 4411E2A6720A40A2EF009B93E91D3BAA725F7A4FD4F458111CE1C477A5CF2CC946C750

Function 0000022E65FEFDD0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FEFDF1
GetProcAddress.KERNEL32 ref: 0000022E65FEFE04
GetProcAddress.KERNEL32 ref: 0000022E65FEFE17

Strings

NtUnmapViewOfSection, xrefs: 0000022E65FEFDFA
ntdll.dll, xrefs: 0000022E65FEFDEA
RtlNtStatusToDosError, xrefs: 0000022E65FEFE0A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtUnmapViewOfSection$RtlNtStatusToDosError$ntdll.dll
API String ID: 667068680-3998908438
Opcode ID: e0aa5472596f5f32d49513fb463fc4f582576f06c8c37e8ee9cb00e150da1779
Instruction ID: 676cba359842a78321b3f2310f18266286883612195b335632efefb88b622f7b
Opcode Fuzzy Hash: e0aa5472596f5f32d49513fb463fc4f582576f06c8c37e8ee9cb00e150da1779
Instruction Fuzzy Hash: C5F04965B24A40A5DE009B83F84C0696365B798FC0F495031EE4D47729DE3CC5468700

Function 0000022E65FEFCB0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FEFCC9
GetProcAddress.KERNEL32 ref: 0000022E65FEFCDC
GetProcAddress.KERNEL32 ref: 0000022E65FEFCEF

Strings

ntdll.dll, xrefs: 0000022E65FEFCC2
RtlNtStatusToDosError, xrefs: 0000022E65FEFCD2
NtResumeProcess, xrefs: 0000022E65FEFCE2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtResumeProcess$RtlNtStatusToDosError$ntdll.dll
API String ID: 667068680-1717905385
Opcode ID: 11b0c411877281e22652e16a8483be49ccdcc867d6f72d8b07fcf97c78a7b95c
Instruction ID: 0c46d82329044f1940831295a37e8acf4c11f0c85413d26576c41be0a7e1fd66
Opcode Fuzzy Hash: 11b0c411877281e22652e16a8483be49ccdcc867d6f72d8b07fcf97c78a7b95c
Instruction Fuzzy Hash: F7F08C64B24A80A1EE009B93F84C1696775B798FC0F095021DE1E43B29EE7CC546C310

Function 0000022E661330E4 Relevance: 9.2, APIs: 6, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022E66133140

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b2bd66561fac364b2ae2c1b4f2f42412bc550c34227a761e41759ee0444a93d7
Instruction ID: 034340115d6bcbfd782524de1b5bbbda548c102f154e1f26a43b78519c37fa5f
Opcode Fuzzy Hash: b2bd66561fac364b2ae2c1b4f2f42412bc550c34227a761e41759ee0444a93d7
Instruction Fuzzy Hash: 8D91C6B2B21780A5FE60CBA1944837D76A8B770BA4F168215DD5E276E4DB3CCC43E324

Function 0000022E65FD01B0 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E660F4C80: closesocket.WS2_32 ref: 0000022E660F4CF2

std::_Deallocate.LIBCONCRT ref: 0000022E65FD01FB

Part of subcall function 0000022E65FD1810: std::_Deallocate.LIBCONCRT ref: 0000022E65FD1860

std::_Deallocate.LIBCONCRT ref: 0000022E65FD0244
std::_Deallocate.LIBCONCRT ref: 0000022E65FD0277
std::_Deallocate.LIBCONCRT ref: 0000022E65FD02AA
std::_Deallocate.LIBCONCRT ref: 0000022E65FD02DD
std::_Deallocate.LIBCONCRT ref: 0000022E65FD0337

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$closesocket
String ID:
API String ID: 994200374-0
Opcode ID: 0561ed39c85825e9bb87e89ae23672d6bbcd30d4c277c7e54fd37c21627b54c2
Instruction ID: 77aa4cf5e3bdf2497c910620a99ca7c600b11293db9ebe04143d4a5d35919e31
Opcode Fuzzy Hash: 0561ed39c85825e9bb87e89ae23672d6bbcd30d4c277c7e54fd37c21627b54c2
Instruction Fuzzy Hash: B651BD32301E40A5DF11CFA6D4892ADB3A8F366F94F458A11CF99433AAEF38C5A1D344

Function 0000022E65FEFAF0 Relevance: 9.1, APIs: 6, Instructions: 124fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000022E65FEFB2D
GetLastError.KERNEL32 ref: 0000022E65FEFB66
CreateFileW.KERNEL32 ref: 0000022E65FEFC2A
SetFilePointer.KERNEL32 ref: 0000022E65FEFC44
ReadFile.KERNEL32 ref: 0000022E65FEFC6C
CloseHandle.KERNEL32 ref: 0000022E65FEFC8D

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastModuleNamePointerRead
String ID:
API String ID: 1442449144-0
Opcode ID: 70087b9f50779772a424654cc62f1befcafd84ed2900bc4389a32baa85ad7cc9
Instruction ID: 99afc53da891a7b073ec06316124b083c993fb1259f17d47b40104465edef834
Opcode Fuzzy Hash: 70087b9f50779772a424654cc62f1befcafd84ed2900bc4389a32baa85ad7cc9
Instruction Fuzzy Hash: 3B412872B212927BEEA0DB97A41C7796399F764BD4F2641209E5D03BD0DF3CC805A780

Function 0000022E65FD8B40 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 0000022E65FD8B6E

Part of subcall function 0000022E660CF464: std::_Lockit::_Lockit.LIBCPMT ref: 0000022E660CF485
Part of subcall function 0000022E660CF464: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0000022E660CF499
Part of subcall function 0000022E660CF464: std::locale::_Setgloballocale.LIBCPMT ref: 0000022E660CF4A4
Part of subcall function 0000022E660CF464: _Yarn.LIBCPMT ref: 0000022E660CF4BB
Part of subcall function 0000022E660CF464: std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E660CF508

new.LIBCMT ref: 0000022E65FD8B80

Part of subcall function 0000022E65FD6D1C: _Getcvt.LIBCPMT ref: 0000022E65FD6D77

std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FD8BC4
std::_Lockit::~_Lockit.LIBCPMT ref: 0000022E65FD8BF0
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 0000022E65FD8C09
_Yarn.LIBCPMT ref: 0000022E65FD8C2B

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$Locimp::_Lockit::_Lockit::~_Yarn$AddfacGetcvtInitLocimpLocimp_New_Setgloballocale
String ID:
API String ID: 61045713-0
Opcode ID: 4c3028ac7e398b8816de5e83c1fe999bfaeee2871c6fbf99ca2e1ebf952b730d
Instruction ID: 0fd3427b3ed8848d76dbb1fb2813cb89c8719f11f9bd98d2af1743e6c8d4a090
Opcode Fuzzy Hash: 4c3028ac7e398b8816de5e83c1fe999bfaeee2871c6fbf99ca2e1ebf952b730d
Instruction Fuzzy Hash: A431ADB2621B40A6EF40DBA2E8483AC73ADF7A5B90F065225DA5D437A5DFBCC001E350

Function 0000022E65FF6050 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF60B4

Part of subcall function 0000022E66114DA0: RtlPcToFileHeader.KERNEL32 ref: 0000022E66114E1D
Part of subcall function 0000022E66114DA0: RaiseException.KERNEL32 ref: 0000022E66114E5C

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF6123

Part of subcall function 0000022E65FC6F94: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FC6FD2

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF616B

Strings

Column index out of range., xrefs: 0000022E65FF6136
No row to get a column from. executeStep() was not called, or returned false., xrefs: 0000022E65FF6083
Statement was destroyed, xrefs: 0000022E65FF60F1

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception$Throw$FileHeaderRaise__std_exception_copy
String ID: Column index out of range.$No row to get a column from. executeStep() was not called, or returned false.$Statement was destroyed
API String ID: 2289031373-174481179
Opcode ID: 88fcb73628eed5202e7f42a324fee51f7fe743eeb002616fe24686c73a8f5db8
Instruction ID: 77a08d0a2b846862f1a83c13e94d10e6e9ebd36499ea1fb923014729bb59d4e2
Opcode Fuzzy Hash: 88fcb73628eed5202e7f42a324fee51f7fe743eeb002616fe24686c73a8f5db8
Instruction Fuzzy Hash: 1F31AEB2610B40AAEF50CF95E4482A977B8F364BB0F515322E6BC076E5EF38C546D740

Function 0000022E65FD114C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD175A
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FD17AC
new.LIBCMT ref: 0000022E65FD17B2

Part of subcall function 0000022E65FD32A0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD32D5
Part of subcall function 0000022E65FD32A0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD330B

new.LIBCMT ref: 0000022E65FD17C8

Strings

vector<T> too long, xrefs: 0000022E65FD1789

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$Concurrency::cancel_current_task
String ID: vector<T> too long
API String ID: 3736559806-3788999226
Opcode ID: 0a0be4103b1978126765374103ef4b33d2a043021e5525de07dc89810cefceb0
Instruction ID: 8ac9f899270f140735242d6ca1e31bf6e3457bce82108f5b9d3085befbf965ae
Opcode Fuzzy Hash: 0a0be4103b1978126765374103ef4b33d2a043021e5525de07dc89810cefceb0
Instruction Fuzzy Hash: 8061D466B11A5055EFA0DBAAD608B7D7369E322FF4F164311DB3A07BD9DB35C841A300

Function 0000022E65FDF60C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000022E65FDF67E

Part of subcall function 0000022E65FDD898: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FDD8D9
Part of subcall function 0000022E65FDD898: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FDD945

EnterCriticalSection.KERNEL32 ref: 0000022E65FDF6AB
__std_exception_copy.LIBVCRUNTIME ref: 0000022E65FDF73C

Strings

Invalid service owner., xrefs: 0000022E65FDF667
Service already exists., xrefs: 0000022E65FDF725

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: __std_exception_copy$CriticalEnterExceptionSectionThrow
String ID: Invalid service owner.$Service already exists.
API String ID: 3092455130-4115445021
Opcode ID: 86ad789e0fd6aec2be38bee938845d304a9da5695a803fd61c6178b9766b7b56
Instruction ID: 367548ebc4b30655f625ac6792d47ad30d324cb203daaddf7116b83de7579aa7
Opcode Fuzzy Hash: 86ad789e0fd6aec2be38bee938845d304a9da5695a803fd61c6178b9766b7b56
Instruction Fuzzy Hash: D9517C32B11B50A9EF50CBA2D8446EC37B8F725758F260226DF4D63BA4EB34C592D310

Function 0000022E65FC6D20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FC6DB1

Part of subcall function 0000022E660F3F74: std::bad_alloc::bad_alloc.LIBCMT ref: 0000022E660F3F7D
Part of subcall function 0000022E660F3F74: _CxxThrowException.LIBVCRUNTIME ref: 0000022E660F3F8E

new.LIBCMT ref: 0000022E65FC6DB9
new.LIBCMT ref: 0000022E65FC6DCC
std::_Deallocate.LIBCONCRT ref: 0000022E65FC6E29

Strings

ios_base::eofbit set, xrefs: 0000022E65FC6D31

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskDeallocateExceptionThrowstd::_std::bad_alloc::bad_alloc
String ID: ios_base::eofbit set
API String ID: 1457901767-2405381885
Opcode ID: a4b39844b71adbc7767de6ab859328425fd0181e19a85b0f0299402ca315afc1
Instruction ID: d525149f5bf14ba80cffd9f23fe4da81b8c74b1bea80535333ddc922f8470f2b
Opcode Fuzzy Hash: a4b39844b71adbc7767de6ab859328425fd0181e19a85b0f0299402ca315afc1
Instruction Fuzzy Hash: 3531B332718B50A4EF288BAAD00837E66A9E325FE4F524631EB69073D9DB74C451A784

Function 0000022E65FDB0F4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000022E65FDB148
_Init_thread_footer.LIBCMT ref: 0000022E65FDB197

Part of subcall function 0000022E660F3484: EnterCriticalSection.KERNEL32 ref: 0000022E660F3494
Part of subcall function 0000022E660F3484: LeaveCriticalSection.KERNEL32 ref: 0000022E660F34D4

std::_Deallocate.LIBCONCRT ref: 0000022E65FDB1CF
std::_Deallocate.LIBCONCRT ref: 0000022E65FDB230

Part of subcall function 0000022E660F34E4: EnterCriticalSection.KERNEL32 ref: 0000022E660F34F4

Strings

\\.\pipe\boost_process_auto_pipe_, xrefs: 0000022E65FDB134

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeallocateEnterstd::_$CurrentInit_thread_footerLeaveProcess
String ID: \\.\pipe\boost_process_auto_pipe_
API String ID: 144793568-1684064621
Opcode ID: b16f77a33fdc30109715addf748f0b269f37aab1b50396508796ea2602faeed9
Instruction ID: 8481cf1f55f2fd9231326ea7bec9bdbfd63c3fa3db8de793f949d7ffcc9f8ce7
Opcode Fuzzy Hash: b16f77a33fdc30109715addf748f0b269f37aab1b50396508796ea2602faeed9
Instruction Fuzzy Hash: CE41DE72720A50A9FF00CBAAD8083AD23A9E355BA8F121325DE29177E6CF7DC841D740

Function 0000022E65FE57BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000022E65FE582C
LoadLibraryW.KERNEL32 ref: 0000022E65FE583E
GetProcAddress.KERNEL32 ref: 0000022E65FE584E

Strings

CryptProtectData, xrefs: 0000022E65FE5844
crypt32.dll, xrefs: 0000022E65FE5825, 0000022E65FE5837

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: CryptProtectData$crypt32.dll
API String ID: 310444273-2924557332
Opcode ID: 9c0b4bc447bd5f447888d05fa2d84f75dec9a56fd1a03af58a2373d4b4558085
Instruction ID: 5268763a9ffaf05847170e21492b33a7d6a507c653adcc8ba09d868d46f3b7c5
Opcode Fuzzy Hash: 9c0b4bc447bd5f447888d05fa2d84f75dec9a56fd1a03af58a2373d4b4558085
Instruction Fuzzy Hash: 2C21FAB2B14B00A6EF14CF65E08832E73A5F394B80F41402ADA4E83B54DF38C9A6CB00

Function 0000022E65FC70AC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000022E65FC70CC
__std_exception_copy.LIBVCRUNTIME ref: 0000022E65FC7138
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FC7156

Part of subcall function 0000022E66114DA0: RtlPcToFileHeader.KERNEL32 ref: 0000022E66114E1D
Part of subcall function 0000022E66114DA0: RaiseException.KERNEL32 ref: 0000022E66114E5C

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000022E65FC7162

Strings

bad locale name, xrefs: 0000022E65FC711D

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Exceptionstd::_$FileHeaderLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__std_exception_copy
String ID: bad locale name
API String ID: 1909641974-1405518554
Opcode ID: fd220552ea68447b8fe0d7988643a14d5efe78e4841a94f98ab2ae03669cf649
Instruction ID: 769f984879bfa7bcacb8a75ab700863318626782bc6f83a6d6313af628ceaf9e
Opcode Fuzzy Hash: fd220552ea68447b8fe0d7988643a14d5efe78e4841a94f98ab2ae03669cf649
Instruction Fuzzy Hash: DB21C072115F8099CB90CF64F88425977B9F7A87A4F244229E7DD83BA9EF38C590C740

Function 0000022E65FCA268 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

new.LIBCMT ref: 0000022E65FCA29B
new.LIBCMT ref: 0000022E65FCA2AE
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FCA2BE
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FCA2C4

Strings

invalid string position, xrefs: 0000022E65FCA2D0

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: invalid string position
API String ID: 118556049-1799206989
Opcode ID: b7d51165b27c2500199997ca42b89082d0f54f44b5824a66e2d52bb8224a6c63
Instruction ID: 000b9450c39c80b4a3c217ebf393aeb6ba34a25cf78f280e2881b745218d27cc
Opcode Fuzzy Hash: b7d51165b27c2500199997ca42b89082d0f54f44b5824a66e2d52bb8224a6c63
Instruction Fuzzy Hash: 4CF0C2A531255464ED6CE7E1945D3BA22A8D778770FA20F309B3F0A7C1EE3DA481A701

Function 0000022E65FD78D8 Relevance: 7.7, APIs: 5, Instructions: 154windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 0000022E65FD7929
WideCharToMultiByte.KERNEL32 ref: 0000022E65FD7972
LocalFree.KERNEL32 ref: 0000022E65FD7AE8

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ByteCharFormatFreeLocalMessageMultiWide
String ID:
API String ID: 2906450291-0
Opcode ID: 1d2b23c2b42cad0e4b68ae70a886e0294ddc027701faf9ec0a8aa6c164b286db
Instruction ID: 1d9078cccd20038bf1ef15ab420ba0b4dc0d356d8147ef8faf5d0f7c7fdc7f63
Opcode Fuzzy Hash: 1d2b23c2b42cad0e4b68ae70a886e0294ddc027701faf9ec0a8aa6c164b286db
Instruction Fuzzy Hash: 8251DE33724B90A9FF108FA6D8447AE37FAF355B98F514A15EE5A17AA8CB38C140D710

Function 0000022E66132DB8 Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022E66132E09

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7586c9cfc4ae4b9dcebee4a1ec3557b899ebc17ff4bc7e9080ca8ea35c4b88d0
Instruction ID: 4e784e9442c9dc85f2bb56bfa66345c31f4debe4c0c15db1cea500fa02de5d0e
Opcode Fuzzy Hash: 7586c9cfc4ae4b9dcebee4a1ec3557b899ebc17ff4bc7e9080ca8ea35c4b88d0
Instruction Fuzzy Hash: 3151DBB2620780A5EF60AF61944837977ACEB75BA0F264325DE6E137E5DB3CC441E360

Function 0000022E65FEBD34 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FEBD76
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FEBD96
new.LIBCMT ref: 0000022E65FEBD9F
std::_Deallocate.LIBCONCRT ref: 0000022E65FEBE3F

Part of subcall function 0000022E65FD6ACC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD6B0D
Part of subcall function 0000022E65FD6ACC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD6B44
Part of subcall function 0000022E65FD6ACC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD6B76
Part of subcall function 0000022E65FD6ACC: std::_Deallocate.LIBCONCRT ref: 0000022E65FD6BA4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$Concurrency::cancel_current_task
String ID:
API String ID: 3736559806-0
Opcode ID: 15e2d2b5bc711eec4bfe962cf45fe94f84895686142c26674b28f7d0ae7a3191
Instruction ID: 9c280a5cb3e7f190c8e951ef29ca6523aee317e9011dbf9550585731d01fcf53
Opcode Fuzzy Hash: 15e2d2b5bc711eec4bfe962cf45fe94f84895686142c26674b28f7d0ae7a3191
Instruction Fuzzy Hash: 4531E262711B44A6EE64CFA7E8483696268F368BE0F268622DFBD073D4DF79D4459300

Function 0000022E65FD3DB4 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FD3DF1
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FD3E10
new.LIBCMT ref: 0000022E65FD3E19
std::_Deallocate.LIBCONCRT ref: 0000022E65FD3E85

Part of subcall function 0000022E65FD32A0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD32D5
Part of subcall function 0000022E65FD32A0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD330B

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$Concurrency::cancel_current_task
String ID:
API String ID: 3736559806-0
Opcode ID: 463b037edc2dcbe36ce37e6f0b8548f7a509a6b87c2ee5235351eff244e4d616
Instruction ID: b3f9ed0ad4d02874d1a4a91faab7163fe6d92e7e15e9b5845671155d6263dda0
Opcode Fuzzy Hash: 463b037edc2dcbe36ce37e6f0b8548f7a509a6b87c2ee5235351eff244e4d616
Instruction Fuzzy Hash: 29210062B11A90A5EE60DBA6E84C3796268F765BF0F2783319F79037C9DF34C845A300

Function 0000022E65FF5F20 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5FA7
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5FFC
_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF6037

Strings

Statement needs to be reseted, xrefs: 0000022E65FF6002
exec() does not expect results. Use executeStep., xrefs: 0000022E65FF5F75

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionThrow
String ID: Statement needs to be reseted$exec() does not expect results. Use executeStep.
API String ID: 432778473-1345787505
Opcode ID: 4f71b60c34c7c9045c5340f61057f7e30ae9e58c79299773b36be9b2c07d2dc5
Instruction ID: 26055862da771ea259632b8216285636c875a2c68e2a97391d971acfca0fb02a
Opcode Fuzzy Hash: 4f71b60c34c7c9045c5340f61057f7e30ae9e58c79299773b36be9b2c07d2dc5
Instruction Fuzzy Hash: DF3106B2214600A5DF70CF55E44827977B8E7A4BA8F664322E2AC476EADF3CC545DB00

Function 0000022E65FDF52C Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FDF565
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FDF584
new.LIBCMT ref: 0000022E65FDF58D
std::_Deallocate.LIBCONCRT ref: 0000022E65FDF5E4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: d6bdae19e5daffabb756c2c3ff64b18f1def94cd183c01262e483f929ee4f026
Instruction ID: 38bc6c0bff752d0e63d3d5c98bd2293b1fc5c6bd7ce298bf8e915e8b695fd691
Opcode Fuzzy Hash: d6bdae19e5daffabb756c2c3ff64b18f1def94cd183c01262e483f929ee4f026
Instruction Fuzzy Hash: CB21CC62311A80A5EEA8DFA6E4883ADB368F7557F0F1587269B7D03BC4DF74C0619300

Function 0000022E65FF4B90 Relevance: 7.6, APIs: 5, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000022E65FF4BF6
RegQueryValueExW.ADVAPI32 ref: 0000022E65FF4C22
StrStrIW.SHLWAPI ref: 0000022E65FF4C34
RegCloseKey.ADVAPI32 ref: 0000022E65FF4C44
RegCloseKey.ADVAPI32 ref: 0000022E65FF4C56

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: 3dd8ee0e9e93cd8856ba4965595d66238e7f40e6a33a5eefd3cb574f3246a3c4
Instruction ID: 3eca0fdb3a5e5135a7b4de6bd9ff94162a114c6ec6925f10524df200307ce485
Opcode Fuzzy Hash: 3dd8ee0e9e93cd8856ba4965595d66238e7f40e6a33a5eefd3cb574f3246a3c4
Instruction Fuzzy Hash: AA216972734A8052FF609B52F85C76BA3A4F794B84F415125AE9E47B58DF3CC405DB00

Function 0000022E65FEDBB8 Relevance: 7.5, APIs: 5, Instructions: 40threadprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000022E65FEDBDA
Thread32First.KERNEL32 ref: 0000022E65FEDBF3
Thread32Next.KERNEL32 ref: 0000022E65FEDC07
OpenThread.KERNEL32 ref: 0000022E65FEDC1D
CloseHandle.KERNEL32 ref: 0000022E65FEDC30

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Thread32$CloseCreateFirstHandleNextOpenSnapshotThreadToolhelp32
String ID:
API String ID: 3985273147-0
Opcode ID: 93be8e0c88490778be0c92312af6e2efe6eba5c616a11f5a80ae02ce5170ca47
Instruction ID: 6781155a53004ec8cd9d2334f417d79a3b9b10709ff0b315a5571d2d1b7cf8d3
Opcode Fuzzy Hash: 93be8e0c88490778be0c92312af6e2efe6eba5c616a11f5a80ae02ce5170ca47
Instruction Fuzzy Hash: 02015E72604B4096EB20CF66F844269B7E5F398BD8F198125DA9D83B18DF3CC946DB00

Function 0000022E661173F4 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E6612AFD4: GetLastError.KERNEL32 ref: 0000022E6612AFE3
Part of subcall function 0000022E6612AFD4: SetLastError.KERNEL32 ref: 0000022E6612B04D

ExitThread.KERNEL32 ref: 0000022E6611740C
ExitThread.KERNEL32 ref: 0000022E66117421
CloseHandle.KERNEL32 ref: 0000022E66117441
FreeLibraryAndExitThread.KERNEL32 ref: 0000022E66117457
ExitThread.KERNEL32 ref: 0000022E66117460

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitThread$ErrorLast$CloseFreeHandleLibrary
String ID:
API String ID: 3508756349-0
Opcode ID: e15ae21a8a18bcc2b930c4a319b40fcc73a9dc491c2968bdd934ce05f2659c28
Instruction ID: 171ef8eb7f45fac660b11729ac76212452437a0da66cccb5202ced65b238ebd1
Opcode Fuzzy Hash: e15ae21a8a18bcc2b930c4a319b40fcc73a9dc491c2968bdd934ce05f2659c28
Instruction Fuzzy Hash: 740184A0B2064072EE199BA1D44C37C667DA760778F111B29823E07FD5DF3CDC599350

Function 0000022E65FCE9E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

WTSEnumerateProcessesA.WTSAPI32 ref: 0000022E65FCEA3D
std::_Deallocate.LIBCONCRT ref: 0000022E65FCEB36
WTSFreeMemory.WTSAPI32 ref: 0000022E65FCEB68

Strings

, xrefs: 0000022E65FCEB1A

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeallocateEnumerateFreeMemoryProcessesstd::_
String ID:
API String ID: 2429326555-3916222277
Opcode ID: 85ba2b6409ce62d508e3f391be98cee882a190c7d40caf25bb7d2bfde22906bc
Instruction ID: 1d77e8063e644b1f0b6d6b6f29726dcca5677e70b058e126e29f98b9b9ec1c50
Opcode Fuzzy Hash: 85ba2b6409ce62d508e3f391be98cee882a190c7d40caf25bb7d2bfde22906bc
Instruction Fuzzy Hash: 0B51AC33700B50A9EF16CFB6D8852AE3778F714BA8F154225DF6A27A98CB35C855E700

Function 0000022E65FD72B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Winerror_message.LIBCPMT ref: 0000022E65FD7328

Part of subcall function 0000022E660CF950: FormatMessageW.KERNEL32 ref: 0000022E660CF9C2
Part of subcall function 0000022E660CF950: WideCharToMultiByte.KERNEL32 ref: 0000022E660CF9F8

std::_Deallocate.LIBCONCRT ref: 0000022E65FD73E5
std::_Deallocate.LIBCONCRT ref: 0000022E65FD7424

Strings

unknown error, xrefs: 0000022E65FD7340

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: std::_$Deallocate$ByteCharFormatMessageMultiWideWinerror_message
String ID: unknown error
API String ID: 2107170572-3078798498
Opcode ID: 88b32cfccce5052b2f55df36540d0f31b330fe9b5efb206eefcf9fea99a5b008
Instruction ID: 14f87546c8ced86f53fc6873fb215dc1887a77f1324ce30ffe997cf625c9ebd8
Opcode Fuzzy Hash: 88b32cfccce5052b2f55df36540d0f31b330fe9b5efb206eefcf9fea99a5b008
Instruction Fuzzy Hash: 27419A33B20BA0DEEB00CBB5D8841AD3BB9F715798B515218DF1927EA9CB30C452E314

Function 0000022E65FD2594 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FD260C
new.LIBCMT ref: 0000022E65FD2612

Part of subcall function 0000022E660CF158: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0000022E660CF164
Part of subcall function 0000022E660CF158: _CxxThrowException.LIBVCRUNTIME ref: 0000022E660CF175

new.LIBCMT ref: 0000022E65FD2628

Strings

vector<T> too long, xrefs: 0000022E65FD25E9

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrowstd::invalid_argument::invalid_argument
String ID: vector<T> too long
API String ID: 2276022355-3788999226
Opcode ID: 5a92d5f79bd58181269240381f31fc661458601ccb65d19c01fdb0e76da80781
Instruction ID: ab6a1b940903655f0e806ee286b823c7095a16a46fb129e21419020fd5554571
Opcode Fuzzy Hash: 5a92d5f79bd58181269240381f31fc661458601ccb65d19c01fdb0e76da80781
Instruction Fuzzy Hash: EB21AE72301B8094DE54DB62E8483A972A8F7A8BB0F2A47259B7D477D4DF79C461D340

Function 0000022E65FDAF04 Relevance: 6.3, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000022E65FDAF3A
EnterCriticalSection.KERNEL32 ref: 0000022E65FDAF59
LeaveCriticalSection.KERNEL32 ref: 0000022E65FDAFA1
EnterCriticalSection.KERNEL32 ref: 0000022E65FDAFCE
LeaveCriticalSection.KERNEL32 ref: 0000022E65FDAFFA

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$CloseHandle
String ID:
API String ID: 3705054111-0
Opcode ID: 2c37a996d734f629d91e6c84f66c54cfe9d81139f993bae3e97031818cbaa19c
Instruction ID: 8346e0d71b20d551b8f37cebb3d17b432034fe7af1c4b5b59addd546a6d21aee
Opcode Fuzzy Hash: 2c37a996d734f629d91e6c84f66c54cfe9d81139f993bae3e97031818cbaa19c
Instruction Fuzzy Hash: E2310472611B8096DB14CF66D448368B3A8F355FB8F194315DBB947BE4CB78C8A6C340

Function 0000022E65FE064C Relevance: 6.3, APIs: 4, Instructions: 258COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000022E65FE06AE
std::_Deallocate.LIBCONCRT ref: 0000022E65FE097F
std::_Deallocate.LIBCONCRT ref: 0000022E65FE09A1
std::_Deallocate.LIBCONCRT ref: 0000022E65FE09BF

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: f49c163fa423588da7f9fd3d18ff416694b86adbb217ffe7fbe2fa6e62dc2433
Instruction ID: 4c080054032e703e171f508eabf8e2a76b5e8b8bd9c28bb10a5cd98b8700a784
Opcode Fuzzy Hash: f49c163fa423588da7f9fd3d18ff416694b86adbb217ffe7fbe2fa6e62dc2433
Instruction Fuzzy Hash: 77C17B22B15B84A9EF10CFA2D0487AD23B9F794B84F264626EF5D17B88DF78C545D340

Function 0000022E65FEE974 Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FEEBBB

Part of subcall function 0000022E660F3F74: std::bad_alloc::bad_alloc.LIBCMT ref: 0000022E660F3F7D
Part of subcall function 0000022E660F3F74: _CxxThrowException.LIBVCRUNTIME ref: 0000022E660F3F8E

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 1680350287-0
Opcode ID: d34af0750bb8bc9719f042571b7f1aa4814627277b0438237578a011b15e10b7
Instruction ID: 18578877c6f24d93c8e862be6f2a7ac7fce2c0fd027644aa36ef227cfbb7782f
Opcode Fuzzy Hash: d34af0750bb8bc9719f042571b7f1aa4814627277b0438237578a011b15e10b7
Instruction Fuzzy Hash: 4C714972301B49A9EF158F6AE05832C37A9F764F98F668516CF2E077A8DB39C845D300

Function 0000022E660D0CC0 Relevance: 6.1, APIs: 4, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_Getcvt.LIBCPMT ref: 0000022E660D0D47
MultiByteToWideChar.KERNEL32 ref: 0000022E660D0DC5
MultiByteToWideChar.KERNEL32 ref: 0000022E660D0E47
MultiByteToWideChar.KERNEL32 ref: 0000022E660D0E81

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Getcvt
String ID:
API String ID: 3195005509-0
Opcode ID: 7adaa3d958d29a92fa2c94e6f9395a0f42db61a05c6e577489d62077db8cc84f
Instruction ID: efa0e391342e3cb999d47084e62cee2ad8faa65f7472c32068243f1788e7692b
Opcode Fuzzy Hash: 7adaa3d958d29a92fa2c94e6f9395a0f42db61a05c6e577489d62077db8cc84f
Instruction Fuzzy Hash: 495118B22287C496EBB0CF64D04437D77A8F765B94F0A8326DA8A47B95DB3CD480E750

Function 0000022E65FE2B84 Relevance: 6.1, APIs: 4, Instructions: 122threadfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FD9490: TlsGetValue.KERNEL32 ref: 0000022E65FD94AD
Part of subcall function 0000022E65FD9490: new.LIBCMT ref: 0000022E65FDD764

GetCurrentThreadId.KERNEL32 ref: 0000022E65FE2C60
GetCurrentThreadId.KERNEL32 ref: 0000022E65FE2C6B
WriteFile.KERNEL32 ref: 0000022E65FE2CD3
GetLastError.KERNEL32 ref: 0000022E65FE2CDB

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorFileLastValueWrite
String ID:
API String ID: 686749581-0
Opcode ID: 934b2965bae07f834eaef9839a084c303d522f22f2033665c6e078be66c1c80e
Instruction ID: e3c4c89d2a3da12fca5a27d01038890feb8bd1cee090ca0282f22971c81906fd
Opcode Fuzzy Hash: 934b2965bae07f834eaef9839a084c303d522f22f2033665c6e078be66c1c80e
Instruction Fuzzy Hash: 7A518132700B41AAEB208FB6E9446AD33B8F768BA4F215325DF6953B94DF34D4A1D300

Function 0000022E65FED200 Relevance: 6.1, APIs: 4, Instructions: 115stringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32 ref: 0000022E65FED285
lstrcatA.KERNEL32 ref: 0000022E65FED29D
std::_Deallocate.LIBCONCRT ref: 0000022E65FED30D
std::_Deallocate.LIBCONCRT ref: 0000022E65FED36B

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_$FolderPathSpeciallstrcat
String ID:
API String ID: 2033018779-0
Opcode ID: c68129ede5369ce08f79bccd0fc5440d4860236a617001d94200c6921c91ddb0
Instruction ID: 1db1d75f51be498d2b915578ecb11f748547ef6aa03bb68a36de928146cdd8dc
Opcode Fuzzy Hash: c68129ede5369ce08f79bccd0fc5440d4860236a617001d94200c6921c91ddb0
Instruction Fuzzy Hash: E051C373714B80A6DB10CBA6E44459EB7B9F3D5790F514215EBAD43BA9CF38C841DB00

Function 0000022E65FE2D34 Relevance: 6.1, APIs: 4, Instructions: 112threadfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FD9490: TlsGetValue.KERNEL32 ref: 0000022E65FD94AD
Part of subcall function 0000022E65FD9490: new.LIBCMT ref: 0000022E65FDD764

GetCurrentThreadId.KERNEL32 ref: 0000022E65FE2DEF
GetCurrentThreadId.KERNEL32 ref: 0000022E65FE2DFA
ReadFile.KERNEL32 ref: 0000022E65FE2E50
GetLastError.KERNEL32 ref: 0000022E65FE2E58

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorFileLastReadValue
String ID:
API String ID: 979376781-0
Opcode ID: 267104820d307a4ddfdc2358ebb8ee6fd51f9385a0f75cf88359fc67cce020d0
Instruction ID: 6a3872a8d3d4ca80d66cc54e3688a22456e67c823ec150ce9e4ed6995c8d0d15
Opcode Fuzzy Hash: 267104820d307a4ddfdc2358ebb8ee6fd51f9385a0f75cf88359fc67cce020d0
Instruction Fuzzy Hash: 1E41A832700B50BAEB249FA2E9446AD3778F328BA8F154315CF6903B94DF35C5A5E340

Function 0000022E65FDB578 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FD7538: _Init_thread_footer.LIBCMT ref: 0000022E65FD75CE

TerminateProcess.KERNEL32 ref: 0000022E65FDB607
CloseHandle.KERNEL32 ref: 0000022E65FDB636

Part of subcall function 0000022E65FD7614: GetLastError.KERNEL32 ref: 0000022E65FD7634

CloseHandle.KERNEL32 ref: 0000022E65FDB685
CloseHandle.KERNEL32 ref: 0000022E65FDB690

Part of subcall function 0000022E65FDB6A4: GetExitCodeProcess.KERNEL32 ref: 0000022E65FDB70F

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process$CodeErrorExitInit_thread_footerLastTerminate
String ID:
API String ID: 946619146-0
Opcode ID: 22f9b41419a6b0b5ec3a4d04a61f6470e3dfffa107d8143ce1d17c5bf773d9cc
Instruction ID: 8498866ae438c87754b4a1240539fe0d613cf8a73e0b778dc3d646b6f56868e3
Opcode Fuzzy Hash: 22f9b41419a6b0b5ec3a4d04a61f6470e3dfffa107d8143ce1d17c5bf773d9cc
Instruction Fuzzy Hash: 28318C32704A409AEF209F66D44833C73A4E7A6BB9F165740DBAE032E5CF39C885DB04

Function 0000022E65FD6ACC Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD6B0D
std::_Deallocate.LIBCONCRT ref: 0000022E65FD6B44
std::_Deallocate.LIBCONCRT ref: 0000022E65FD6B76
std::_Deallocate.LIBCONCRT ref: 0000022E65FD6BA4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 448e2b55cafe125ada8ede9de306a49477015d297b2fc3406885904841c163be
Instruction ID: 95e41c1e3b4f8cd1f144a8c5363c078a081e4399427ef001cc7cdf421df10d0e
Opcode Fuzzy Hash: 448e2b55cafe125ada8ede9de306a49477015d297b2fc3406885904841c163be
Instruction Fuzzy Hash: 77315C73310B4099EF048F6AC2483A93766F31ABD4F445206DB68177EACBB4D2B1D384

Function 0000022E65FCE8C8 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FCE90B
std::_Deallocate.LIBCONCRT ref: 0000022E65FCE94D
std::_Deallocate.LIBCONCRT ref: 0000022E65FCE984
std::_Deallocate.LIBCONCRT ref: 0000022E65FCE9B2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 8ef5515b4e3ca16f6176b5b35771366b5af94d6baf4accb1dfc1b5910d6077ca
Instruction ID: 385ee32885c3b6f12cf18aeb83b29c5a966179f3a60586359a51bce5f271f0ac
Opcode Fuzzy Hash: 8ef5515b4e3ca16f6176b5b35771366b5af94d6baf4accb1dfc1b5910d6077ca
Instruction Fuzzy Hash: DD318962310B4099EF048F66C1483BD6766F325B94F099626CB6D1B7EACBB4C1A5D740

Function 0000022E65FD4D64 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FD4DA0
new.LIBCMT ref: 0000022E65FD4DA6
std::_Deallocate.LIBCONCRT ref: 0000022E65FD4DF8

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskDeallocatestd::_
String ID:
API String ID: 4012121645-0
Opcode ID: b0d8da76a29f6d8e8d285b19a0cd70461e08551b4907bfaaf8fdce44c3033219
Instruction ID: 551d3cb287914267a6f4aa6e7dbab9854c4e6d73f0dfa3a4ae7d4228a641e670
Opcode Fuzzy Hash: b0d8da76a29f6d8e8d285b19a0cd70461e08551b4907bfaaf8fdce44c3033219
Instruction Fuzzy Hash: 88119D76311A8099EE24CFAAE4483AEB368E7697A0F1543259BED03BD9DF78C0419340

Function 0000022E65FD4B2D Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD4B4E
std::_Deallocate.LIBCONCRT ref: 0000022E65FD4B7B
std::_Deallocate.LIBCONCRT ref: 0000022E65FD4BA4
std::_Deallocate.LIBCONCRT ref: 0000022E65FD4BD0

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: f899393879d5d1f1c25558110d52cd8498eb707fac25ef8fff013d507200782b
Instruction ID: 17e3a6f48d04c3a0c3797ce2de6cfcbde193fff6e92fa6fa6d0b8832fa05102b
Opcode Fuzzy Hash: f899393879d5d1f1c25558110d52cd8498eb707fac25ef8fff013d507200782b
Instruction Fuzzy Hash: 2C215E63304BC088DB218F66E8487EEB76AE356BC8F108116DF9907B1ACB35C191E304

Function 0000022E65FED1F4 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5DD7

Part of subcall function 0000022E66114DA0: RtlPcToFileHeader.KERNEL32 ref: 0000022E66114E1D
Part of subcall function 0000022E66114DA0: RaiseException.KERNEL32 ref: 0000022E66114E5C

_CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5E0F

Part of subcall function 0000022E65FC6F94: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FC6FD2

Strings

Statement was not prepared., xrefs: 0000022E65FF5DDD
channels_hash, xrefs: 0000022E65FED1F4

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception$Throw$FileHeaderRaise__std_exception_copy
String ID: Statement was not prepared.$channels_hash
API String ID: 2289031373-2674109973
Opcode ID: cc515a89af39116f28b5e90d235b0e7ef64b6aa7d1fcb99bee0d0e83cca05615
Instruction ID: 2d6ce75d80f8d1b0dae8beb26ec58b6352394919032341168b0b5aa4b04dbae4
Opcode Fuzzy Hash: cc515a89af39116f28b5e90d235b0e7ef64b6aa7d1fcb99bee0d0e83cca05615
Instruction Fuzzy Hash: A121C2B1624640A2DF60CF95E8482BAB764EBA07B0F511321B6BE465EADF3CC045DB00

Function 0000022E65FF3960 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 0000022E65FF39C1
VerSetConditionMask.KERNEL32 ref: 0000022E65FF39D0
VerSetConditionMask.KERNEL32 ref: 0000022E65FF39DF
VerifyVersionInfoW.KERNEL32 ref: 0000022E65FF3A00

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: ed517d1c89aaf24c3d38c1ea0b443ae0b58a417ed588da2f2be5e6e45499a0e1
Instruction ID: d3386074dd99f07cace58c94209b555f9f5bd6cb2b9614e11a0aa75773b8aaf0
Opcode Fuzzy Hash: ed517d1c89aaf24c3d38c1ea0b443ae0b58a417ed588da2f2be5e6e45499a0e1
Instruction Fuzzy Hash: 7C114C7251578096EA34CF62F8443EAB3A4F78CB44F414225EB8E47B58DB3CD606DB50

Function 0000022E6612AF40 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022E6612AF4A
SetLastError.KERNEL32 ref: 0000022E6612AFB2
SetLastError.KERNEL32 ref: 0000022E6612AFC8
abort.LIBCMT ref: 0000022E6612AFCE

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 00411179ad6fac4d56f9e037d918aea51f230ba50e64b4a2e5b3754ed19e40fa
Instruction ID: ce655baa606aa88b486136b4bf75c4a0fc6ce27b9c288c585b67806f908606a9
Opcode Fuzzy Hash: 00411179ad6fac4d56f9e037d918aea51f230ba50e64b4a2e5b3754ed19e40fa
Instruction Fuzzy Hash: D8015EE0B3174167FF5867F2A55D37E21AD9B64780F060528A91E07BD6ED2CC8C16320

Function 0000022E65FC60F0 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0000022E65FC612C
Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FC614F

Part of subcall function 0000022E660F3F74: std::bad_alloc::bad_alloc.LIBCMT ref: 0000022E660F3F7D
Part of subcall function 0000022E660F3F74: _CxxThrowException.LIBVCRUNTIME ref: 0000022E660F3F8E

Concurrency::cancel_current_task.LIBCPMT ref: 0000022E65FC6155

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 2386360001-0
Opcode ID: 64d5bc389b5e37fc960923369a40d85aadef4152f469a040f7cee82ad72a139b
Instruction ID: adb08a1e4254e8e6281da3e69b79bdd2623e7e79c91460dfb012cf629a9c0cf6
Opcode Fuzzy Hash: 64d5bc389b5e37fc960923369a40d85aadef4152f469a040f7cee82ad72a139b
Instruction Fuzzy Hash: 8AF030507266447CFDACE2FA546E77B615C87B4BB6F531F30BB3E027D2EA2984416A00

Function 0000022E65FD2E40 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD2E97
std::_Deallocate.LIBCONCRT ref: 0000022E65FD2EC4

Strings

map/set<T> too long, xrefs: 0000022E65FD2EC9

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: map/set<T> too long
API String ID: 1323251999-1285458680
Opcode ID: ac8a71247d372f009445a94f35bb3340ad4d9868760bc952dea1f5f91629738d
Instruction ID: 71f5cf8781bd5c1cb121e7b79bdd6dccfaeb9b194e3519c02daf1de9dd2e0fdb
Opcode Fuzzy Hash: ac8a71247d372f009445a94f35bb3340ad4d9868760bc952dea1f5f91629738d
Instruction Fuzzy Hash: 13A1F872305B88D4DF54CF5AD48822CB7A9F3A5F88B66C615CB9C473A5DB72C8A1D380

Function 0000022E66119F80 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022E66119FB2
_invalid_parameter_noinfo.LIBCMT ref: 0000022E6611A1FD

Strings

*, xrefs: 0000022E6611A0C2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: d27e2628b12ae6239cd04aaaaa6be6c1cddb7cb5e1b3272398801f44e9903c2b
Instruction ID: 69094f39b13d5400504d4992f0f66c899b13c20cf124b05ef350cb3fd419b056
Opcode Fuzzy Hash: d27e2628b12ae6239cd04aaaaa6be6c1cddb7cb5e1b3272398801f44e9903c2b
Instruction Fuzzy Hash: E18175F692065097EF698F65805C23CBFB8F325F48F26111ADB0E42298D739CC89E761

Function 0000022E65FD840C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FD8602

Strings

:%d, xrefs: 0000022E65FD84AD, 0000022E65FD8596
std:, xrefs: 0000022E65FD8469

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: :%d$std:
API String ID: 1323251999-2791438976
Opcode ID: 230f99e8dbca8509400028c7a52ffecfa0f97af031d665380dc316a808301170
Instruction ID: d37ef06e37f20f07f288026fd841ddb1087be189f1bff4290c0d02e6da7590da
Opcode Fuzzy Hash: 230f99e8dbca8509400028c7a52ffecfa0f97af031d665380dc316a808301170
Instruction Fuzzy Hash: CE619163710790AAEF10CBB6D8442EC3BB8F722BA8F555619CF6927BA9CB34C511D310

Function 0000022E65FECAA8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF5E20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5EC2
Part of subcall function 0000022E65FF5E20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5EFD

Part of subcall function 0000022E65FF6050: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF60B4
Part of subcall function 0000022E65FF6050: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF6123

std::_Deallocate.LIBCONCRT ref: 0000022E65FECCC9

Strings

SELECT * FROM serverinfo, xrefs: 0000022E65FECAC8
channels_hash, xrefs: 0000022E65FECBDC

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionThrow$Deallocatestd::_
String ID: SELECT * FROM serverinfo$channels_hash
API String ID: 3765642668-1575216166
Opcode ID: 4e4f18a0f930c5979e3b7ec6fb7c403b2075f8937bdb12412208826e2eecd391
Instruction ID: 8dad9b165216a84afd196b1766e96dbb7d4a5c91afebd2e9ca1a2d6bc84827b4
Opcode Fuzzy Hash: 4e4f18a0f930c5979e3b7ec6fb7c403b2075f8937bdb12412208826e2eecd391
Instruction Fuzzy Hash: A261F522314AC0A9EF609F56E4483AE67A4F3A1B90F555221EBAE53B95CF3CC444DB00

Function 0000022E66119B04 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022E66119B2B
_invalid_parameter_noinfo.LIBCMT ref: 0000022E66119CFD

Strings

%02x, xrefs: 0000022E66119B0E

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: %02x
API String ID: 3215553584-560843007
Opcode ID: 8c3b55c9941bb200c853d7375962b284c8d710a8b6bc53abf22da6628e2d66ac
Instruction ID: 4cbeea79d5acee8e7f3169637501283807f1b15129589750fe43cb65e7aa6973
Opcode Fuzzy Hash: 8c3b55c9941bb200c853d7375962b284c8d710a8b6bc53abf22da6628e2d66ac
Instruction Fuzzy Hash: 6E51A5F29246409AEF648FA4C06C37CBBF9F325B58F161915CAAA41299C72DCC81F725

Function 0000022E660F3F94 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 0000022E660F3F9D
_CxxThrowException.LIBVCRUNTIME ref: 0000022E660F3FAE

Part of subcall function 0000022E66114DA0: RtlPcToFileHeader.KERNEL32 ref: 0000022E66114E1D
Part of subcall function 0000022E66114DA0: RaiseException.KERNEL32 ref: 0000022E66114E5C

Strings

ios_base::eofbit set, xrefs: 0000022E660F3FBE

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
String ID: ios_base::eofbit set
API String ID: 3561508498-2405381885
Opcode ID: 1e2eef473c856727ca323241a9cd124ef27d85607caf739c7e2944a5cba9e514
Instruction ID: e14e69d9029509ac7d08a681844f2c9da393e0baa82c9b71a2a371b27fc12bbc
Opcode Fuzzy Hash: 1e2eef473c856727ca323241a9cd124ef27d85607caf739c7e2944a5cba9e514
Instruction Fuzzy Hash: 6251F7F2A302006AFFA4CFA5E9893BE3AE4F374354F42642DDD0987A96C77C85509B10

Function 0000022E65FD8630 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FD840C: std::_Deallocate.LIBCONCRT ref: 0000022E65FD8602

std::_Deallocate.LIBCONCRT ref: 0000022E65FD86B3
std::_Deallocate.LIBCONCRT ref: 0000022E65FD872D

Strings

at , xrefs: 0000022E65FD86D6

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: at
API String ID: 1323251999-3093187855
Opcode ID: 3b443643fa4f95bc16a56912a063915ccc46b9b039a654e28d1d4fac87ed4df4
Instruction ID: fefd056d121f8b6f4aa2d01f8c1681f305f4df4d8706c9f2669d486eac1fbd76
Opcode Fuzzy Hash: 3b443643fa4f95bc16a56912a063915ccc46b9b039a654e28d1d4fac87ed4df4
Instruction Fuzzy Hash: 8A318062720650A8FF009BA6D8083AD2679F756BE8F456320DF3917AD6CF79C1009704

Function 0000022E65FDC708 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNEL32 ref: 0000022E65FDC75F
GetLastError.KERNEL32 ref: 0000022E65FDC76A

Part of subcall function 0000022E65FDDD98: _Init_thread_footer.LIBCMT ref: 0000022E65FDDE13

Strings

assign, xrefs: 0000022E65FDC7F2

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CompletionCreateErrorInit_thread_footerLastPort
String ID: assign
API String ID: 559391843-1914874273
Opcode ID: 593cac7035701f23012c518991db8277ce13db33d040785137ddabf58c11eb63
Instruction ID: b40128a4b7c19d3fc38e612cc40a38ccfad4518f2d8dabef90e1211d4bb0ad2b
Opcode Fuzzy Hash: 593cac7035701f23012c518991db8277ce13db33d040785137ddabf58c11eb63
Instruction Fuzzy Hash: BF315932B10F6099EB40CBB5E8452AD37B8F729798F059715DF8827A89EF34C191D300

Function 0000022E65FEC3C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FEC489

Strings

UPDATE serverinfo SET value=", xrefs: 0000022E65FEC3FF
" WHERE key='channels', xrefs: 0000022E65FEC445

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: " WHERE key='channels'$UPDATE serverinfo SET value="
API String ID: 1323251999-2643526983
Opcode ID: 0efb5280d855707d35698efb959b4db4528dc0fe23f59be7926e335717638585
Instruction ID: 4991bc86d0b2f627f660b3f5104e0fe717a3eeba0fdeb653bd3f7a38a7a0e28b
Opcode Fuzzy Hash: 0efb5280d855707d35698efb959b4db4528dc0fe23f59be7926e335717638585
Instruction Fuzzy Hash: 4D212562328A40A5FF008B2AD0483BE6B65F3A2BA4F616310E775077D6CF7EC084DB00

Function 0000022E65FEC4B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 0000022E65FEC579

Strings

" WHERE key='channels_hash', xrefs: 0000022E65FEC535
UPDATE serverinfo SET value=", xrefs: 0000022E65FEC4EF

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Deallocatestd::_
String ID: " WHERE key='channels_hash'$UPDATE serverinfo SET value="
API String ID: 1323251999-3826795247
Opcode ID: ff1909b77fdac0da13a733e15060ff5e8ff774f55b775bf702affc4b917d6f56
Instruction ID: 5842adcfa5218a5554a0d48aaf1749f816623420d8e749a153b22d0d9c91b755
Opcode Fuzzy Hash: ff1909b77fdac0da13a733e15060ff5e8ff774f55b775bf702affc4b917d6f56
Instruction Fuzzy Hash: 7A210322328A40A9FF008B1AD04C3BE6B65F3A2BA4F615310E775076DACF79C485DB40

Function 0000022E661313D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 0000022E66131472

Strings

OCP, xrefs: 0000022E66131405
ACP, xrefs: 0000022E661313F5

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d65709d502787347c32c6ecbb2c6a0bb65157b947c2a4920554ba3b85816e9f6
Instruction ID: 3813f4bb613359fd36b2f40ab60e25433ddc08aa32755d8644b3003bb5dda2d4
Opcode Fuzzy Hash: d65709d502787347c32c6ecbb2c6a0bb65157b947c2a4920554ba3b85816e9f6
Instruction Fuzzy Hash: 41115BA1B30781B2FF94D7E1E5497BA7358AB74788F410011EA4FA31A5DB2CC841E360

Function 0000022E65FDCAC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FDCB08
GetLastError.KERNEL32 ref: 0000022E65FDCB13

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

Strings

pqcs, xrefs: 0000022E65FDCB32

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CompletionDeallocateErrorInit_thread_footerLastPostQueuedStatus__std_exception_copystd::_
String ID: pqcs
API String ID: 2774852394-2559862021
Opcode ID: e3492e10febf3ddcead5f9aa4df7940327e0caae7cc55a6af79b8d364ea46598
Instruction ID: b8545b716e55ad490a9fd9abff5d70b5e43d3b596dd7f30ff10408577c7c0743
Opcode Fuzzy Hash: e3492e10febf3ddcead5f9aa4df7940327e0caae7cc55a6af79b8d364ea46598
Instruction Fuzzy Hash: 5701DB63B146415AEF6097BED8593396264E7F2778F215321977E872E0DF25C817CB00

Function 0000022E65FEC2B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0000022E65FF5F20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5FA7
Part of subcall function 0000022E65FF5F20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5FFC
Part of subcall function 0000022E65FF5F20: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF6037

Part of subcall function 0000022E65FED1F4: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5DD7
Part of subcall function 0000022E65FED1F4: _CxxThrowException.LIBVCRUNTIME ref: 0000022E65FF5E0F

Part of subcall function 0000022E65FEC0D0: std::_Deallocate.LIBCONCRT ref: 0000022E65FEC12B
Part of subcall function 0000022E65FEC0D0: std::_Deallocate.LIBCONCRT ref: 0000022E65FEC17C

std::_Deallocate.LIBCONCRT ref: 0000022E65FEC319
std::_Deallocate.LIBCONCRT ref: 0000022E65FEC345

Strings

INSERT INTO serverinfo VALUES (?, NULL), xrefs: 0000022E65FEC2BD

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionThrow$Deallocatestd::_
String ID: INSERT INTO serverinfo VALUES (?, NULL)
API String ID: 3765642668-945103988
Opcode ID: 8efafe475aa132f993af1a95ca24dd936d19c17f6ca64a56cb237dcd80d394d1
Instruction ID: 12321c5aee6e6b3ad94304093c1e34625e629b12aac552b4f18d528e15e47fcb
Opcode Fuzzy Hash: 8efafe475aa132f993af1a95ca24dd936d19c17f6ca64a56cb237dcd80d394d1
Instruction Fuzzy Hash: F5119B62318580B5EE10DB55E4442EEA718F7E5780F915012F7AD83FAADB29C941DF00

Function 0000022E65FC5DF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000022E65FC5E09
GetLastError.KERNEL32 ref: 0000022E65FC5E16

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Strings

tss, xrefs: 0000022E65FC5E71

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocErrorInit_thread_footerLast
String ID: tss
API String ID: 1086260276-1638339373
Opcode ID: 8f9e7136197db633b5f4265ace896fa666562d166ba8fc6613dc730da491a0f5
Instruction ID: 626830f837c542e13c70fdeccc731033d1627df6eed0658777a84b4a2661b1e9
Opcode Fuzzy Hash: 8f9e7136197db633b5f4265ace896fa666562d166ba8fc6613dc730da491a0f5
Instruction Fuzzy Hash: F911C472A14B8096DB608B96B44822EB3B8F7A47B0F164325EAAE877D4DF3CC455D700

Function 0000022E65FC5D3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000022E65FC5D55
GetLastError.KERNEL32 ref: 0000022E65FC5D62

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Strings

tss, xrefs: 0000022E65FC5DBD

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocErrorInit_thread_footerLast
String ID: tss
API String ID: 1086260276-1638339373
Opcode ID: 6c0bab18e97e6e242f506272a8f334a17637a292bca1145f9cfbffc087ac02a3
Instruction ID: bfb8bb72ba593112396f0985cdb9544469f18153a616210c5a2a5a9a35be9d4a
Opcode Fuzzy Hash: 6c0bab18e97e6e242f506272a8f334a17637a292bca1145f9cfbffc087ac02a3
Instruction Fuzzy Hash: DA11A772A18B8096DB509BA6F44822EB3B8F7947B0F154325EA9E877D8DF7CC445D700

Function 0000022E65FC5EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0000022E65FC5EBD
GetLastError.KERNEL32 ref: 0000022E65FC5ECA

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Strings

tss, xrefs: 0000022E65FC5F25

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocErrorInit_thread_footerLast
String ID: tss
API String ID: 1086260276-1638339373
Opcode ID: 49c328d6a76975803143d1a3ff2a4e3df8e1512095aa24e68517796a5146f870
Instruction ID: aa72c5f482ba711ea19ae15aebd82b65e4c81768029e1d7f706e656773a3947c
Opcode Fuzzy Hash: 49c328d6a76975803143d1a3ff2a4e3df8e1512095aa24e68517796a5146f870
Instruction Fuzzy Hash: 0911C472A14B8096DB609B96B44822EB3B8F7987B0F054321EB9E877D4EF3CC445D700

Function 0000022E65FD9ADC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32 ref: 0000022E65FD9B15
GetLastError.KERNEL32 ref: 0000022E65FD9B20

Part of subcall function 0000022E65FD76E4: _Init_thread_footer.LIBCMT ref: 0000022E65FD7759

Part of subcall function 0000022E65FD90C0: __std_exception_copy.LIBVCRUNTIME ref: 0000022E65FD9139
Part of subcall function 0000022E65FD90C0: std::_Deallocate.LIBCONCRT ref: 0000022E65FD9161

Strings

pqcs, xrefs: 0000022E65FD9B3F

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CompletionDeallocateErrorInit_thread_footerLastPostQueuedStatus__std_exception_copystd::_
String ID: pqcs
API String ID: 2774852394-2559862021
Opcode ID: e08c1fd89f315d01e51fe32e1eebff560f3a7b1aaf15f8b23e3f497d1b5d90e7
Instruction ID: 0b03f63d87b7efe4e43fb4e49a399ae3fa12937e41ea3033213b43091151b28d
Opcode Fuzzy Hash: e08c1fd89f315d01e51fe32e1eebff560f3a7b1aaf15f8b23e3f497d1b5d90e7
Instruction Fuzzy Hash: BC01F762B006016AEFA197FA98597692264E7B67B4F226311D62D832E1EF25C907D700

Function 0000022E6610E040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000022E6610E0C6
_CxxThrowException.LIBVCRUNTIME ref: 0000022E6610E0E3

Strings

Plaintext length must be divisible by , xrefs: 0000022E6610E07E

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionThrow__std_exception_copy
String ID: Plaintext length must be divisible by
API String ID: 1552479455-1679265635
Opcode ID: 4e3dee2babd7a04a632c232a0d6e571bc77ded9b2bcf010085783eec98cffdc4
Instruction ID: 2bfed6dc9c381eb3e7a7b57e2f090ea180af606954d932ac359498828aa0a598
Opcode Fuzzy Hash: 4e3dee2babd7a04a632c232a0d6e571bc77ded9b2bcf010085783eec98cffdc4
Instruction Fuzzy Hash: F6117072628B81A1EF20CB54F4883AAB768F3A5354F510225B2DD83AF9DF3CC645D710

Function 0000022E65FEDA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000022E65FEDA38
CloseHandle.KERNEL32 ref: 0000022E65FEDA63

Strings

AdjustTokenPrivileges, xrefs: 0000022E65FEDA19

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressCloseHandleProc
String ID: AdjustTokenPrivileges
API String ID: 1969799054-233039311
Opcode ID: 74ccd240bff611db08523fc19544953063ccf4100b545113b3f9ab49f544c999
Instruction ID: fbef272a3ebb6ea0e21a9affd11ea65c09129c5d1e7f3be82e0df3e624cd68f1
Opcode Fuzzy Hash: 74ccd240bff611db08523fc19544953063ccf4100b545113b3f9ab49f544c999
Instruction Fuzzy Hash: 02F03A72728B4096DB508F86F88475AF3A5F7C8B94F041015EA9E83B69DFBCC5458B00

Function 0000022E660CF17C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0000022E660CF188

Part of subcall function 0000022E660CF0EC: __std_exception_copy.LIBVCRUNTIME ref: 0000022E660CF11E

_CxxThrowException.LIBVCRUNTIME ref: 0000022E660CF199

Part of subcall function 0000022E66114DA0: RtlPcToFileHeader.KERNEL32 ref: 0000022E66114E1D
Part of subcall function 0000022E66114DA0: RaiseException.KERNEL32 ref: 0000022E66114E5C

Strings

bad function call, xrefs: 0000022E660CF1A0

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception$FileHeaderRaiseThrow__std_exception_copystd::invalid_argument::invalid_argument
String ID: bad function call
API String ID: 1897909357-3612616537
Opcode ID: 6d2eb04cb2dc6af71bd1b3b8d03db339e6ef23591d3f27a82a33139da0af2a3b
Instruction ID: 411c0e2fc39d0e8b2b758ff001b8d165cf4af93f95d885dde684a7c793fce452
Opcode Fuzzy Hash: 6d2eb04cb2dc6af71bd1b3b8d03db339e6ef23591d3f27a82a33139da0af2a3b
Instruction Fuzzy Hash: AFD023D1730540B1DD30D780E44C2E8633DFBF0344FD14411914C47975DA2CC609D301

Function 0000022E65FD968C Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000022E65FD96B7
LeaveCriticalSection.KERNEL32 ref: 0000022E65FD9714
EnterCriticalSection.KERNEL32 ref: 0000022E65FD9738
LeaveCriticalSection.KERNEL32 ref: 0000022E65FD97B7

Memory Dump Source

Source File: 00000003.00000002.4171458964.0000022E65FC0000.00000040.10000000.00040000.00000000.sdmp, Offset: 0000022E65FC0000, based on PE: true

Associated: 00000003.00000002.4171458964.0000022E661DB000.00000040.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_22e65fc0000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 637b46d9d8bd5ee121bf3d9b21d41341a45bb9cad426556bd981ae4efd046239
Instruction ID: 8188805682363f17c96cb658dbc48b753f74559422943cf67830193179702d17
Opcode Fuzzy Hash: 637b46d9d8bd5ee121bf3d9b21d41341a45bb9cad426556bd981ae4efd046239
Instruction Fuzzy Hash: B1419D62711B4496EFA48F93961836963A9FBA6FD0F0A4624CF4D03B80DF38D451D300

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Acrobat_DC_x64_VIP_v10.12.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: BumbleBee

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\411fe1.rbs

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\close_200.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\gray_button_200.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\info_icon_100.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_100.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_125.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_150.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_blue_active_200.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_darkgray_base_100.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_darkgray_base_200.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_100.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_125.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_150.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\progressbar_pole_null_200.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_caution_100.png

C:\Users\user\AppData\Local\Adobe\4D3DE8A2-92B2-441D-867B-15BB2ED7620E\status_icon_caution_125.png

Windows Analysis Report
Acrobat_DC_x64_VIP_v10.12.msi

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre