Edit tour

Windows Analysis Report
45c62e.msi

Overview

General Information

Sample name:	45c62e.msi
Analysis ID:	1576719
MD5:	eaf9453f96d44bbc8fb4fb72a6508755
SHA1:	2c0833c92e9b0f0191056bdbd72ef0b65ab85418
SHA256:	11836eb77068d13a1bb7e457f707234340c4a1093c9881aa20b1ab783295d8a0
Tags:	bruteratelmsiuser-smica83
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 2700 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\45c62e.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1164 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1248 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 46E8AC0904175A2A4C7DC07B8073B258 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 2508 cmdline: C:/Windows/System32/rundll32.exe avdapi.dll, nViewCmd MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Code function: 4_2_00007FF8A7A8D460 CreateMutexW,GetLastError,WaitForSingleObject,CreateProcessAsUserW,CloseHandle,CloseHandle,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,RegSetValueExW,RegCloseKey,SendMessageW,RegQueryValueExW,RegCloseKey,

4_2_00007FF8A7A8D460

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5cd2d1.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID3EA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID458.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID4C7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID4F7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID594.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSID3EA.tmp

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC7CA4	4_2_00007FF8A7AC7CA4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A96800	4_2_00007FF8A7A96800
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC679C	4_2_00007FF8A7AC679C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8E750	4_2_00007FF8A7A8E750
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A9E67C	4_2_00007FF8A7A9E67C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A78510	4_2_00007FF8A7A78510
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B10500	4_2_00007FF8A7B10500
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AE0498	4_2_00007FF8A7AE0498
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A80490	4_2_00007FF8A7A80490
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A844E5	4_2_00007FF8A7A844E5
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A96460	4_2_00007FF8A7A96460
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B4E430	4_2_00007FF8A7B4E430
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B44380	4_2_00007FF8A7B44380
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B2A3B0	4_2_00007FF8A7B2A3B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A821B0	4_2_00007FF8A7A821B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B581E0	4_2_00007FF8A7B581E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A6E110	4_2_00007FF8A7A6E110
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A84ED0	4_2_00007FF8A7A84ED0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A82E60	4_2_00007FF8A7A82E60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A7EE50	4_2_00007FF8A7A7EE50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A74D30	4_2_00007FF8A7A74D30
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B4ECE0	4_2_00007FF8A7B4ECE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AF0C00	4_2_00007FF8A7AF0C00
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AB2BA0	4_2_00007FF8A7AB2BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7ADEB98	4_2_00007FF8A7ADEB98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC6B40	4_2_00007FF8A7AC6B40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B54AD0	4_2_00007FF8A7B54AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A70A40	4_2_00007FF8A7A70A40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC6994	4_2_00007FF8A7AC6994
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC69F4	4_2_00007FF8A7AC69F4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AB3888	4_2_00007FF8A7AB3888
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B4B880	4_2_00007FF8A7B4B880
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A838F0	4_2_00007FF8A7A838F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8F7B0	4_2_00007FF8A7A8F7B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC9790	4_2_00007FF8A7AC9790
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC7720	4_2_00007FF8A7AC7720
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8B5B0	4_2_00007FF8A7A8B5B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8F5E0	4_2_00007FF8A7A8F5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC7560	4_2_00007FF8A7AC7560
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8D460	4_2_00007FF8A7A8D460
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC7248	4_2_00007FF8A7AC7248
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B4D1E0	4_2_00007FF8A7B4D1E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A91150	4_2_00007FF8A7A91150
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A87150	4_2_00007FF8A7A87150
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A83F90	4_2_00007FF8A7A83F90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A81F50	4_2_00007FF8A7A81F50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC5EC0	4_2_00007FF8A7AC5EC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AE1D98	4_2_00007FF8A7AE1D98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8BD20	4_2_00007FF8A7A8BD20
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7AC1AE4	4_2_00007FF8A7AC1AE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A73AC0	4_2_00007FF8A7A73AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B659E0	4_2_00007FF8A7B659E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A7F920	4_2_00007FF8A7A7F920
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018004437C	4_2_000000018004437C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180037788	4_2_0000000180037788
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002600C	4_2_000000018002600C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A01C	4_2_000000018002A01C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019020	4_2_0000000180019020
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013078	4_2_0000000180013078
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003D08C	4_2_000000018003D08C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800330A8	4_2_00000001800330A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B138	4_2_000000018001B138
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003713C	4_2_000000018003713C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180033278	4_2_0000000180033278
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F28C	4_2_000000018001F28C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003B294	4_2_000000018003B294
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800462C4	4_2_00000001800462C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A314	4_2_000000018000A314
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800193F0	4_2_00000001800193F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800423EC	4_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A47C	4_2_000000018001A47C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003B508	4_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012550	4_2_0000000180012550
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003A554	4_2_000000018003A554
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018004363C	4_2_000000018004363C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800176E4	4_2_00000001800176E4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003E704	4_2_000000018003E704
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016744	4_2_0000000180016744
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800097A8	4_2_00000001800097A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197C0	4_2_00000001800197C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800147EC	4_2_00000001800147EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180047834	4_2_0000000180047834
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026890	4_2_0000000180026890
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800158A0	4_2_00000001800158A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003A904	4_2_000000018003A904
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003D91C	4_2_000000018003D91C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B924	4_2_000000018001B924
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800329B4	4_2_00000001800329B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800279B8	4_2_00000001800279B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180042A10	4_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180045A60	4_2_0000000180045A60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FA9C	4_2_000000018001FA9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013BA0	4_2_0000000180013BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008D6C	4_2_0000000180008D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029D90	4_2_0000000180029D90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180032E14	4_2_0000000180032E14
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180048E5A	4_2_0000000180048E5A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180036E70	4_2_0000000180036E70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015EA0	4_2_0000000180015EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002FF50	4_2_000000018002FF50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024F60	4_2_0000000180024F60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AF74	4_2_000000018000AF74
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001D6C6A59D40	4_2_000001D6C6A59D40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001D6C6A63524	4_2_000001D6C6A63524
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001D6C6A7AD64	4_2_000001D6C6A7AD64

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018002CC54 appears 39 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180007B1C appears 38 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FF8A7A87E10 appears 61 times

Source: 45c62e.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs 45c62e.msi

Source: classification engine

Classification label: mal72.evad.winMSI@6/24@4/2

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7A87720 GetLastError,FormatMessageW,LocalFree,

4_2_00007FF8A7A87720

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7B53010 CoInitialize,CoCreateInstance,

4_2_00007FF8A7B53010

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLD5FD.tmp

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Mutant created: NULL

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFED9D7AC097B0F001.TMP

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe avdapi.dll, nViewCmd

Source: 45c62e.msi

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\45c62e.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 46E8AC0904175A2A4C7DC07B8073B258
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe avdapi.dll, nViewCmd
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 46E8AC0904175A2A4C7DC07B8073B258	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe avdapi.dll, nViewCmd	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 45c62e.msi

Static file information: File size 2159104 > 1048576

Source:	Binary string: iew\v200\_out\x64-Release\nView64.pdb source: rundll32.exe, 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmp, avdapi.dll.1.dr
Source:	Binary string: D:\workspace\workspace\nViewBranchBcDQ%ag&CC(NuA9u@W@o$iew\v200\_out\x64-Release\nView64.pdbU source: rundll32.exe, 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmp, avdapi.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7B6ADC0 LoadLibraryW,GetProcAddress,FreeLibrary,GetDC,GetDeviceCaps,ReleaseDC,

4_2_00007FF8A7B6ADC0

Source: avdapi.dll.1.dr

Static PE information: real checksum: 0x259992 should be: 0x2f8529

Source: avdapi.dll.1.dr

Static PE information: section name: _RDATA

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002CF10 push rsp; iretd		4_2_000000018002CF11
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001D6C6A68D98 push ebp; iretd		4_2_000001D6C6A68D9C

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID458.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\vgruntime\avdapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID3EA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID4F7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID4C7.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID458.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID3EA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID4F7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID4C7.tmp	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7A8E750 MessageBoxW,lstrlenW,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetForegroundWindow,PostMessageW,MessageBoxW,ShellExecuteW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendMessageW,

4_2_00007FF8A7A8E750

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00000001800329B4 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_00000001800329B4

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\rundll32.exe

Code function: GetCurrentProcessId,GetCommandLineW,GetModuleFileNameW,CharLowerW,GetCommandLineW,CommandLineToArgvW,LocalFree,StrStrIW,GetFileVersionInfoSizeW,GetFileVersionInfoW,VerQueryValueW,_invalid_parameter_noinfo_noreturn,StrStrIW,

4_2_00007FF8A7A84ED0

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID458.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID3EA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID4F7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID4C7.tmp	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe

API coverage: 1.5 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A844E5 GetCommandLineW,CommandLineToArgvW,lstrcmpW,lstrcmpW,GetCurrentProcess,IsWow64Process,MessageBoxW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrlenW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindFirstFileW,FindClose,GetTempFileNameW,CopyFileW,lstrcmpW,lstrcmpW,FindWindowW,SendMessageW,IsWindow,PostMessageW,SHDeleteKeyW,lstrcmpW,lstrlenW,lstrcmpW,lstrcmpW,LocalFree,	4_2_00007FF8A7A844E5
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A90EC0 FindFirstFileW,FindClose,	4_2_00007FF8A7A90EC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A90B20 FindFirstFileW,lstrcmpW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,	4_2_00007FF8A7A90B20
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7A8BD20 RegOpenKeyExW,RegQueryValueExW,RegCloseKey,MessageBoxW,ShellExecuteW,GetSystemDirectoryW,wsprintfW,FindFirstFileW,MessageBoxW,ShellExecuteW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF8A7A8BD20

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7A70760 RegQueryValueExW,RegCloseKey,GetSystemInfo,MapViewOfFileEx,CloseHandle,CloseHandle,

4_2_00007FF8A7A70760

Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: rundll32.exe, 00000004.00000003.2589169443.000001D6C509E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_4-88114

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7B0BAA0 RtlCaptureContext,VirtualAlloc,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00007FF8A7B0BAA0

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_000000018003EEEC EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_2_000000018003EEEC

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7B6ADC0 LoadLibraryW,GetProcAddress,FreeLibrary,GetDC,GetDeviceCaps,ReleaseDC,

4_2_00007FF8A7B6ADC0

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_0000000180047394 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,_write_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock,

4_2_0000000180047394

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\rundll32.exe C:/Windows/System32/rundll32.exe avdapi.dll, nViewCmd

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FF8A7B0BAA0 RtlCaptureContext,VirtualAlloc,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_00007FF8A7B0BAA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180032DD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_0000000180032DD8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.46.11 8817			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.41 8817			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 1248			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 1248			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 1248 1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7A704D0 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LocalFree,CreateFileMappingW,GetLastError,FreeSid,LocalFree,LocalFree,

4_2_00007FF8A7A704D0

Source: C:\Windows\System32\rundll32.exe

4_2_00007FF8A7A704D0

Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoEx,	4_2_00007FF8A7AC5624
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	4_2_00000001800354AC
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	4_2_00000001800400E0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	4_2_0000000180043100
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_000000018004324C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,GetLocaleInfoW,	4_2_00000001800432FC
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	4_2_000000018002E394
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	4_2_00000001800433A4
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_00000001800353EC
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	4_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	4_2_00000001800384A0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	4_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	4_2_000000018004064C
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	4_2_0000000180042858
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	4_2_00000001800298D8
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,	4_2_000000018004290C
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	4_2_00000001800419E8
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	4_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_0000000180041B54
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	4_2_0000000180042D88
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	4_2_0000000180040DB0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	4_2_0000000180042E3C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	4_2_0000000180042ED0

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_0000000180039844 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_0000000180039844

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_000000018003E704 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,

4_2_000000018003E704

Source: C:\Windows\System32\rundll32.exe

Code function: 4_2_00007FF8A7A867D0 GetModuleHandleA,GetProcAddress,GetVersionExW,

4_2_00007FF8A7A867D0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	31 Process Injection	1 DLL Side-Loading	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
45c62e.msi	16%	ReversingLabs	Win32.Trojan.Seheq

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\vgruntime\avdapi.dll	5%	ReversingLabs	Win64.Trojan.Seheq
C:\Windows\Installer\MSID3EA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID458.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID4C7.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID4F7.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://muuxxu.com:8817/intel.phpqAb	0%	Avira URL Cloud	safe
https://cronoze.com/	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.php	0%	Avira URL Cloud	safe
https://muuxxu.com/	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.php8	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.php	0%	Avira URL Cloud	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.phpXAy	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.phpY	0%	Avira URL Cloud	safe
https://www.advancedinstaller.com	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.phptAm	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.php4	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.php	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.php2	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.phph	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.phpi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cronoze.com	94.232.40.41	true	true		unknown
muuxxu.com	94.232.46.11	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://muuxxu.com:8817/intel.phpqAb	rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com/	rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/intel.phpXAy	rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r11.o.lencr.org0#	rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	false		high
https://cronoze.com/	rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/intel.php	rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/pentium.php	rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589156153.000001D6C50F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589156153.000001D6C50F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.thawte.com/repository0W	45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	false		high
https://muuxxu.com:8817/pentium.php8	rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/pentium.phpY	rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/	rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://cronoze.com:8817/pentium.php	rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/intel.phptAm	rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/intel.php4	rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/pentium.php2	rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0	rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://muuxxu.com:8817/pentium.phph	rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/pentium.phpi	rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.232.46.11	muuxxu.com	Russian Federation		44477	WELLWEBNL	true
94.232.40.41	cronoze.com	Russian Federation		44477	WELLWEBNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576719
Start date and time:	2024-12-17 13:09:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	45c62e.msi
Detection:	MAL
Classification:	mal72.evad.winMSI@6/24@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 123
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 45c62e.msi

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.232.46.11	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
94.232.46.11	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
94.232.40.41	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
94.232.40.41	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
muuxxu.com	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
muuxxu.com	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
cronoze.com	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
cronoze.com	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WELLWEBNL	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	avutil.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.43.224
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
WELLWEBNL	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	avutil.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.43.224
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSID3EA.tmp	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse
	klog.php.msi	Get hash	malicious	Matanbuchus	Browse
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	merd.msi	Get hash	malicious	Unknown	Browse
	medk.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	lavi.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	Document-v09-42-38.js	Get hash	malicious	BruteRatel	Browse
	Document-v05-53-20.js	Get hash	malicious	BruteRatel, Latrodectus	Browse

Created / dropped Files

C:\Config.Msi\5cd2d3.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1368
Entropy (8bit):	5.697785653263688
Encrypted:	false
SSDEEP:	24:MlOgj0fG6k//bL//L/MRpUzFPt1DhiSt8li+EQs6F:MgO0Jk//bL//L/MbmPt1D8SmjE36F
MD5:	98DB00037B48617B8AFCFB498C26AA3E
SHA1:	9B6043837C46295C86E599DE4F543478DE3DCF8C
SHA-256:	1CDA9765FE33523B55B114FDB382D0B5F6D0E10505139F624D772F2D0280A632
SHA-512:	BE7B79F3C800D6E84D7C3F2ED4FB4E24862B67BC325EA3B98CD678475A00A299EDA461F45A0A1CFA34E6A43BA30D7767B494CC46F8CDC9ACE3F224B6BFE31F2B
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@D9.Y.@.....@.....@.....@.....@.....@......&.{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}..IInlimited..45c62e.msi.@.....@.....@.....@........&.{C6D77FA2-AA69-491D-B464-EE0A4DAA19FE}.....@.....@.....@.....@.......@.....@.....@.......@......IInlimited......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}.@......&.{E1A0AE30-67F1-4CEA-BFAD-F8B5724D00D8}&.{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}.@........CreateFolders..Creating folders..Folder: [1]#.:.C:\Users\user\AppData\Roaming\IInlimited INC\IInlimited\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..*.C:\Users\user\AppData\Roaming\vgruntime\....4.C:\Users\user\AppData\Roaming\vgruntime\avdapi.dll....WriteRegistryValues..Writing system

C:\Users\user\AppData\Roaming\vgruntime\avdapi.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3112960
Entropy (8bit):	7.017969386306067
Encrypted:	false
SSDEEP:	49152:1x4R6f1w6HKPwqliTUERW+e46IwdKMmMxSp:1+R+wlPwHgEofIwRmyS
MD5:	E5EC8B7CF88C66F78D607F76A2095FDA
SHA1:	FDA7752C604FF7673AE31DC45A8F0A9DD0A3A6AC
SHA-256:	1552C43ECF6EEB5E2FE13CC1C25E6BDACF227222AFAA9A523D996B6331945505
SHA-512:	80DDBEF4E3E8912B15B2A41A9416041159C305DD24D5E06C62008708E8CF4C307981CE0C96690B9B1FB7DC72634C3F172993AB73B82AC53CCE9995B64ADDB1D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........xUis+Uis+Uis+..p_is+..v.is+3..+Tis+..wDis+..p_is+..v.is+..z]is+..w@is+\..+Wis+\..+Tis+..rBis+Uir+.hs+..v~is+..sTis+...+Tis+Ui.+Tis+..qTis+RichUis+........PE..d......f.........." ................$b....................................... 0.......%...`.................................................x...........0.......X....,%..L....0.....p...T.......................(......8............................................text............................... ..`.rdata...3.......4..................@..@.data.......@...8..."..............@....pdata..X............Z..............@..@_RDATA...............V..............@..@.rsrc...0............X..............@..@.reloc........0......p/.............@..B............................................................................................................................yIjO8$aSPtIb+rv5J&Fq1MJ%UqT9XrJ@sG.

C:\Users\user\NTUSER.DAT.Not

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	112
Entropy (8bit):	5.238052471787967
Encrypted:	false
SSDEEP:	3:BJU3WCwlzdGmTEnMg8nBLoVcPBHQ9QaiuEKMcypPV:BJuWCwpYBM5BBBHkQaiuEXcQt
MD5:	267F243C17224B78BCAE6B6973DEB0FB
SHA1:	BB657EFFA4763D4869A2672343E3EE3155B704DD
SHA-256:	58701BB95F26FEC16E8C680322057FD6C8509E2615EB06E54C6D4003A3806324
SHA-512:	A62C870F0AED5223A7C22BDDBA4C3F9BAA3D3B8160354D07E7E0D05BB735F3727D89C7EB16E9B83C732649BD798ED8269D07E81FC3AE1DE95188BA1650EB01D5
Malicious:	false
Reputation:	low
Preview:	{YXZkYXBpLmRsbA==, IkM6XFVzZXJzXGFsZm9uc1xBcHBEYXRhXFJvYW1pbmdcdmdydW50aW1lXGF2ZGFwaS5kbGwi, MQ==, blZpZXdDbWQ=}

C:\Windows\Installer\5cd2d1.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {C6D77FA2-AA69-491D-B464-EE0A4DAA19FE}, Number of Words: 10, Subject: IInlimited, Author: IInlimited INC, Name of Creating Application: IInlimited, Template: ;1033, Comments: Create database IInlimited, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2159104
Entropy (8bit):	7.684407174686371
Encrypted:	false
SSDEEP:	49152:w82TYBZKumZr7AkYwlxnlLcGWXfyZ+longOKNziyjvNKMBMxIh:MYnK/AkVBZc5XKZ4o9KNbvhByI
MD5:	EAF9453F96D44BBC8FB4FB72A6508755
SHA1:	2C0833C92E9B0F0191056BDBD72EF0B65AB85418
SHA-256:	11836EB77068D13A1BB7E457F707234340C4A1093C9881AA20B1AB783295D8A0
SHA-512:	9DE4E541FAA98F05658C364F6C67F4104E41C5ACC4821112FA3974CFCE783D3F147B6CA7A2599B04DCAEDB5CCC4A4F9C6C5C2A9D6D0AE9E63D2F6A573A5AED68
Malicious:	false
Reputation:	low
Preview:	......................>...................!...................................D.......`......................................./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...............................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...........F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSID3EA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Doc_21-04-53.js, Detection: malicious, Browse Filename: klog.php.msi, Detection: malicious, Browse Filename: Doc_21-04-53.js, Detection: malicious, Browse Filename: fes.msi, Detection: malicious, Browse Filename: zdi.txt.msi, Detection: malicious, Browse Filename: merd.msi, Detection: malicious, Browse Filename: medk.msi, Detection: malicious, Browse Filename: lavi.msi, Detection: malicious, Browse Filename: Document-v09-42-38.js, Detection: malicious, Browse Filename: Document-v05-53-20.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID458.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID4C7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID4F7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSID594.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1744
Entropy (8bit):	5.5383134265291
Encrypted:	false
SSDEEP:	24:MlTgj0f0u6SkoLu0ttcypUUFP3Xw9QPl7lcc1SDhiSftlMxin:MxO0Q6Lth/P3XwOF8D8S1l0i
MD5:	A00FA60F28BC7A24A58727729BCDE2EA
SHA1:	B53CB3262FC28452E2398220DB910500D934350F
SHA-256:	E21EB7C12575AF6B9CA3A1F4ED2C6238C1AB734C06DA06CCBD82CE38994DD265
SHA-512:	CEFE89DCA2654A15D7D531E6F37DAF9E00ED8EC33EE04A13E88B74C8DA73AB176C4A6CC3FDC3DDECA464B1D9A9C18A85D8DD873873552A9DE097DA67367CA266
Malicious:	false
Preview:	...@IXOS.@.....@D9.Y.@.....@.....@.....@.....@.....@......&.{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}..IInlimited..45c62e.msi.@.....@.....@.....@........&.{C6D77FA2-AA69-491D-B464-EE0A4DAA19FE}.....@.....@.....@.....@.......@.....@.....@.......@......IInlimited......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}:.C:\Users\user\AppData\Roaming\IInlimited INC\IInlimited\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}..01:\Software\IInlimited INC\IInlimited\Version.@.......@.....@.....@......&.{E1A0AE30-67F1-4CEA-BFAD-F8B5724D00D8}4.C:\Users\user\AppData\Roaming\vgruntime\avdapi.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".:.C:\Users\user\AppData\Roaming\IInlimited INC\IInlimited\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@..

C:\Windows\Installer\SourceHash{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1624245437908256
Encrypted:	false
SSDEEP:	12:JSbX72FjyaAGiLIlHVRpth/7777777777777777777777777vDHFMpSl0i8Q:JbQI5poF
MD5:	15481EE4563E0399C635603EF5BEF77E
SHA1:	12823156E7A351F869D56FFC8D102294400B3A55
SHA-256:	DD0AC63931484DF512BE0A53D065FB71A8EF7ABCCB9965A98B50E21F47837718
SHA-512:	4523166BBDA7053A4E20301CFE6BACD889EBFB47FC20B8AAC96CBEFBBFC2D15FA3E0E536E548FCEE69CA9E7C5689B7F02180F12E39F31DCE684FD9E130935FA1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5404433939301025
Encrypted:	false
SSDEEP:	48:O8PhquRc06WXJenT5ZPuwFkzSxtAErCy7vzSxBTV:Bhq11nTX2wFwNwCYw
MD5:	92FBABEC461B6E732C7092E285BE9AA0
SHA1:	64DC9997F2A45BA88F61622F55F17B2D53C5564F
SHA-256:	57F72FA91518C8624E78BE2708BD1C143DEF42C9D81ABD8C73328EF07B7926C0
SHA-512:	518AD56DE51642B04E01C2F3380F0BFE04542954CD7E49706179EC2F5B325B55BF3355CA5AFC98645628E1C7FDD53D5075FA1935A9F07CEE5CE8C4D629CE5DB6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.365490807036593
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaux:zTtbmkExhMJCIpE2
MD5:	CB9928A8CCAD0EF76866B9778D5A2908
SHA1:	EAC10D5FE5E9B2A6C144536372065714E2DEF87D
SHA-256:	39A8D7B6E19B92ED85DA2960D4625821B261E1C5F20148A06F2ED3722848CF54
SHA-512:	611B46AA1A143BE2BBECEF93B2913D1A430B142EC81F93437EF2C6AE092DFA917D083F2855FA03D805AAEA3345A7D4B547AF94032584CC5BDC1FA0422A6FEB5F
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF3C2E41AA06136370.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5F64832CD71B2EC1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2369319061396764
Encrypted:	false
SSDEEP:	48:rziuvM+CFXJ9T5xPuwFkzSxtAErCy7vzSxBTV:XiJVT/2wFwNwCYw
MD5:	9A306B22209DF2B82C0BC12E54B618AC
SHA1:	43885CA7848263050AC51F049E3B586B21A0CB38
SHA-256:	D01ED6A21F4E3000C1D27EAFB05F996CADD3976FBD0327FAAC6E096AA7E79BB1
SHA-512:	C2F72AE83627A3F14B744D0762AA965AF93150584DB6130D78D61B8931D7F6BB3C1E6F1705CB13710BFDCAE3F9A9947079AD20184FEADFDB619768300441A369
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C7D267F3BE97AB0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF879783CA8456C4B6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2369319061396764
Encrypted:	false
SSDEEP:	48:rziuvM+CFXJ9T5xPuwFkzSxtAErCy7vzSxBTV:XiJVT/2wFwNwCYw
MD5:	9A306B22209DF2B82C0BC12E54B618AC
SHA1:	43885CA7848263050AC51F049E3B586B21A0CB38
SHA-256:	D01ED6A21F4E3000C1D27EAFB05F996CADD3976FBD0327FAAC6E096AA7E79BB1
SHA-512:	C2F72AE83627A3F14B744D0762AA965AF93150584DB6130D78D61B8931D7F6BB3C1E6F1705CB13710BFDCAE3F9A9947079AD20184FEADFDB619768300441A369
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF990042BC864CFA63.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07001777091928756
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOB/QVky6lS:2F0i8n0itFzDHFtS
MD5:	7F4CFFC7877F8E86CBBFC3CBEF311CE6
SHA1:	094DC38E956DBCBB9DACCDA135C380F12F119463
SHA-256:	DFAC563F0019927B6DC294C562D9BC339DFB5CDC4ACB8834D6C5DDC4DA274B13
SHA-512:	D9000F1CAE37C59EAA738A61E87102D7487403EBD49B9E6C2CC0D11CB2885F6C04FD1ADC7B8A6FA006AFB600FA589A3EDD8E9FCEFC1615A1B3E00920A8E050D3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9CFD100E0F8B6B5E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5404433939301025
Encrypted:	false
SSDEEP:	48:O8PhquRc06WXJenT5ZPuwFkzSxtAErCy7vzSxBTV:Bhq11nTX2wFwNwCYw
MD5:	92FBABEC461B6E732C7092E285BE9AA0
SHA1:	64DC9997F2A45BA88F61622F55F17B2D53C5564F
SHA-256:	57F72FA91518C8624E78BE2708BD1C143DEF42C9D81ABD8C73328EF07B7926C0
SHA-512:	518AD56DE51642B04E01C2F3380F0BFE04542954CD7E49706179EC2F5B325B55BF3355CA5AFC98645628E1C7FDD53D5075FA1935A9F07CEE5CE8C4D629CE5DB6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCD6E206639A8CBFF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFED9D7AC097B0F001.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.129097547276746
Encrypted:	false
SSDEEP:	24:/DoqqETx0Y0IipV0Y0S0Y0IipV0Y0KAEV0yjCy7VQwGHs2+XluO:siT1zSxZzSxtAErCy7t2wuO
MD5:	FDA13B4771421CBFF91AB019C4CFDCBB
SHA1:	F0E39EE5D248266B41200A9D16EBC052FFF13214
SHA-256:	2F76E416B43477657F586A1F01B318F055F3794B347F6177A2588799B71333AC
SHA-512:	02BB4DDA540A15CA83BA0B1E6ABA36F87467853EFA4B5F6EA210B94790FCD160926BE6AEB029B48D74FB0AB35283668E400A6D9E7DDB46FCCA8F576538F0E65A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF788403CC86B8F41.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFB14D25889712E8F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFBB7046A24FE3B82.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2369319061396764
Encrypted:	false
SSDEEP:	48:rziuvM+CFXJ9T5xPuwFkzSxtAErCy7vzSxBTV:XiJVT/2wFwNwCYw
MD5:	9A306B22209DF2B82C0BC12E54B618AC
SHA1:	43885CA7848263050AC51F049E3B586B21A0CB38
SHA-256:	D01ED6A21F4E3000C1D27EAFB05F996CADD3976FBD0327FAAC6E096AA7E79BB1
SHA-512:	C2F72AE83627A3F14B744D0762AA965AF93150584DB6130D78D61B8931D7F6BB3C1E6F1705CB13710BFDCAE3F9A9947079AD20184FEADFDB619768300441A369
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFD4E72BF5F15669E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5404433939301025
Encrypted:	false
SSDEEP:	48:O8PhquRc06WXJenT5ZPuwFkzSxtAErCy7vzSxBTV:Bhq11nTX2wFwNwCYw
MD5:	92FBABEC461B6E732C7092E285BE9AA0
SHA1:	64DC9997F2A45BA88F61622F55F17B2D53C5564F
SHA-256:	57F72FA91518C8624E78BE2708BD1C143DEF42C9D81ABD8C73328EF07B7926C0
SHA-512:	518AD56DE51642B04E01C2F3380F0BFE04542954CD7E49706179EC2F5B325B55BF3355CA5AFC98645628E1C7FDD53D5075FA1935A9F07CEE5CE8C4D629CE5DB6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {C6D77FA2-AA69-491D-B464-EE0A4DAA19FE}, Number of Words: 10, Subject: IInlimited, Author: IInlimited INC, Name of Creating Application: IInlimited, Template: ;1033, Comments: Create database IInlimited, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.684407174686371
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	45c62e.msi
File size:	2'159'104 bytes
MD5:	eaf9453f96d44bbc8fb4fb72a6508755
SHA1:	2c0833c92e9b0f0191056bdbd72ef0b65ab85418
SHA256:	11836eb77068d13a1bb7e457f707234340c4a1093c9881aa20b1ab783295d8a0
SHA512:	9de4e541faa98f05658c364f6c67f4104e41c5acc4821112fa3974cfce783d3f147b6ca7a2599b04dcaedb5ccc4a4f9c6c5c2a9d6d0ae9e63d2f6a573a5aed68
SSDEEP:	49152:w82TYBZKumZr7AkYwlxnlLcGWXfyZ+longOKNziyjvNKMBMxIh:MYnK/AkVBZc5XKZ4o9KNbvhByI
TLSH:	36A501223386CA3BC96E42703519979F2068FDA7077180D7A3C9291EEDB44D06B7DF96
File Content Preview:	........................>...................!...................................D.......`......................................./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B..................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 13:10:14.632539988 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:14.752476931 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:14.752592087 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:14.762377024 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:14.882220984 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:17.646866083 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:17.646893978 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:17.646905899 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:17.646974087 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:17.647021055 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:17.691750050 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:17.811616898 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:18.118307114 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:18.118465900 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:18.130120039 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:18.250093937 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:25.001492023 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:25.001578093 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:25.003091097 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:25.122801065 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:25.123186111 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:25.123828888 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:25.243521929 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:27.520348072 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:27.520411968 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:27.520423889 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:27.520493984 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:27.523675919 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:27.643383026 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:27.950129032 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:10:27.950424910 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:27.951208115 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:10:28.071118116 CET	8817	49708	94.232.46.11	192.168.2.5
Dec 17, 2024 13:11:00.015819073 CET	49708	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:11:55.006484032 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:11:55.007332087 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:11:55.836250067 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:11:55.956032991 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:11:55.956171989 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:11:55.956666946 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:11:56.076415062 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:11:58.342233896 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:11:58.342257977 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:11:58.342268944 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:11:58.342482090 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:11:58.351641893 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:11:58.471492052 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:12:01.690097094 CET	49704	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:01.809906960 CET	8817	49704	94.232.46.11	192.168.2.5
Dec 17, 2024 13:12:05.833933115 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:12:05.833998919 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:12:05.834635019 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:12:05.954400063 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:12:21.333091974 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:12:21.333215952 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:12:52.352633953 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:52.472512007 CET	8817	49977	94.232.46.11	192.168.2.5
Dec 17, 2024 13:12:52.472640991 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:52.473113060 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:52.592835903 CET	8817	49977	94.232.46.11	192.168.2.5
Dec 17, 2024 13:12:53.781819105 CET	8817	49977	94.232.46.11	192.168.2.5
Dec 17, 2024 13:12:53.781953096 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:53.784192085 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:53.785289049 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:12:53.904077053 CET	8817	49977	94.232.46.11	192.168.2.5
Dec 17, 2024 13:12:53.905298948 CET	8817	49977	94.232.46.11	192.168.2.5
Dec 17, 2024 13:13:25.843910933 CET	49977	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:13:51.350404978 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:13:51.350553036 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:13:51.641230106 CET	49920	8817	192.168.2.5	94.232.40.41
Dec 17, 2024 13:13:51.761317968 CET	8817	49920	94.232.40.41	192.168.2.5
Dec 17, 2024 13:14:09.901134014 CET	49978	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:14:10.021756887 CET	8817	49978	94.232.46.11	192.168.2.5
Dec 17, 2024 13:14:10.021848917 CET	49978	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:14:10.022260904 CET	49978	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:14:10.142915010 CET	8817	49978	94.232.46.11	192.168.2.5
Dec 17, 2024 13:14:13.009218931 CET	8817	49978	94.232.46.11	192.168.2.5
Dec 17, 2024 13:14:13.009454012 CET	49978	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:14:13.010308981 CET	49978	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:14:13.011509895 CET	49978	8817	192.168.2.5	94.232.46.11
Dec 17, 2024 13:14:13.130038023 CET	8817	49978	94.232.46.11	192.168.2.5
Dec 17, 2024 13:14:13.131146908 CET	8817	49978	94.232.46.11	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 13:10:11.676570892 CET	57095	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:10:12.687915087 CET	57095	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:10:13.703990936 CET	57095	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:10:14.626669884 CET	53	57095	1.1.1.1	192.168.2.5
Dec 17, 2024 13:10:14.626687050 CET	53	57095	1.1.1.1	192.168.2.5
Dec 17, 2024 13:10:14.626696110 CET	53	57095	1.1.1.1	192.168.2.5
Dec 17, 2024 13:11:55.074875116 CET	63313	53	192.168.2.5	1.1.1.1
Dec 17, 2024 13:11:55.834964991 CET	53	63313	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 13:10:11.676570892 CET	192.168.2.5	1.1.1.1	0x9544	Standard query (0)	muuxxu.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:10:12.687915087 CET	192.168.2.5	1.1.1.1	0x9544	Standard query (0)	muuxxu.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:10:13.703990936 CET	192.168.2.5	1.1.1.1	0x9544	Standard query (0)	muuxxu.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:11:55.074875116 CET	192.168.2.5	1.1.1.1	0x9984	Standard query (0)	cronoze.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 13:10:14.626669884 CET	1.1.1.1	192.168.2.5	0x9544	No error (0)	muuxxu.com	94.232.46.11	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:10:14.626687050 CET	1.1.1.1	192.168.2.5	0x9544	No error (0)	muuxxu.com	94.232.46.11	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:10:14.626696110 CET	1.1.1.1	192.168.2.5	0x9544	No error (0)	muuxxu.com	94.232.46.11	A (IP address)	IN (0x0001)	false
Dec 17, 2024 13:11:55.834964991 CET	1.1.1.1	192.168.2.5	0x9984	No error (0)	cronoze.com	94.232.40.41	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:10:05
Start date:	17/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\45c62e.msi"
Imagebase:	0x7ff688d10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:10:05
Start date:	17/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff688d10000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:10:05
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 46E8AC0904175A2A4C7DC07B8073B258
Imagebase:	0x690000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:10:06
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:/Windows/System32/rundll32.exe avdapi.dll, nViewCmd
Imagebase:	0x7ff72dad0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	99.1%
Signature Coverage:	19.7%
Total number of Nodes:	229
Total number of Limit Nodes:	5

Executed Functions

Function 00007FF8A7AC7CA4 Relevance: 24.0, APIs: 1, Strings: 2, Instructions: 19536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,=, xrefs: 00007FF8A7AC8B99
+=, xrefs: 00007FF8A7AC8C45

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID:
String ID: +=$,=
API String ID: 0-3116756818
Opcode ID: 86d877f4bfbdb9dbd774ef72c11f05b79659dfa0d66e50673e85384098f5fb92
Instruction ID: ff46ae8ed18ad4eb2a685835a970e84fc398f12590997750a6080f6d811e0a85
Opcode Fuzzy Hash: 86d877f4bfbdb9dbd774ef72c11f05b79659dfa0d66e50673e85384098f5fb92
Instruction Fuzzy Hash: 4D242B52F7569C06EE59C1720AA17FA40C65FB6BE9F64F73AFC0A26BE0D91E54834080

Function 00007FF8A7AC9790 Relevance: 18.7, APIs: 1, Instructions: 17454
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF8A7AD0878

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf5cb5571d315598206a8790c9a41924e950f52808e5ddc8a3697dcb9696509b
Instruction ID: 039fa94fe106eecb8ad3e666d3c5e47ccdc6243e80a86d859cee7c3cc0c1295b
Opcode Fuzzy Hash: cf5cb5571d315598206a8790c9a41924e950f52808e5ddc8a3697dcb9696509b
Instruction Fuzzy Hash: 68142B52F7569C06EE59C1720AA17FA80C65FB67E9F64F73AFC0A26BE0DD1E54834080

Function 000001D6C89DD270 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2099458989.000001D6C89A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D6C89A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_1d6c89a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction ID: f561606d4e09c391892503e7dea2cf664831d15274f3beb9d1b44122a519f1b8
Opcode Fuzzy Hash: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction Fuzzy Hash: 24F0D1B0A28B408BE3449F18848923577E1FB98715F20052FE88987361CB3598428B43

Function 000001D6C89DD2E0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.2099458989.000001D6C89A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D6C89A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_1d6c89a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction ID: 40776f4ef9c3fb990b405aa523aeb7957367379a431657f3923a4c2e1a27dd5d
Opcode Fuzzy Hash: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction Fuzzy Hash: FFF05470A24F444BD704AF2C888A67577D1F7A8755F54452FA488C7361DB35E4428B87

Function 00000001800026C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 269
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180002CB0: GetModuleFileNameW.KERNEL32 ref: 0000000180002CFC

GetModuleFileNameW.KERNEL32 ref: 000000018000276F
SHGetSpecialFolderPathW.SHELL32 ref: 0000000180002786
lstrcatW.KERNEL32 ref: 000000018000279A
lstrcatW.KERNEL32 ref: 00000001800027AE
lstrcatW.KERNEL32 ref: 00000001800027C2
lstrcatW.KERNEL32 ref: 00000001800027D6
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000000180002B4F

Strings

\NTUSER.DAT.Not, xrefs: 000000018000278C
nViewCmd, xrefs: 0000000180002A43

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcat$FileModuleName$FolderIos_base_dtorPathSpecialstd::ios_base::_
String ID: \NTUSER.DAT.Not$nViewCmd
API String ID: 2606783807-1926657965
Opcode ID: a946bae1627097ab7b73f61163b0859f0a6ae39e4bd01eb7db3eba8b1cf675f5
Instruction ID: 3dd1c745be193ef327f8b6b82ef9b9860cbb876b441ce7f55bb8257e988bbc7a
Opcode Fuzzy Hash: a946bae1627097ab7b73f61163b0859f0a6ae39e4bd01eb7db3eba8b1cf675f5
Instruction Fuzzy Hash: 7FE15B32224B8989EBA1DF24D8943DD3761FB897C8F809126F64E47AA9DF74C64DC740

Function 000001D6C6A50B00 Relevance: 4.1, APIs: 3, Instructions: 371
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000001D6C6A50C5E
VirtualAlloc.KERNEL32 ref: 000001D6C6A50CCC

Memory Dump Source

Source File: 00000004.00000002.4530940374.000001D6C6A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D6C6A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c6a50000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7479d515978b8398c8f18a7fbb8c6ce0b9f2a044b6e8d29228c90f9ede51720f
Instruction ID: 3fe2732d4675c6ffe5ffbd08d36eef6a507d8037b1addea2ddda49699e376d3a
Opcode Fuzzy Hash: 7479d515978b8398c8f18a7fbb8c6ce0b9f2a044b6e8d29228c90f9ede51720f
Instruction Fuzzy Hash: C0E10D30218B489FE794EB58C098B6AB7E0FB9C359F50495EE4CAC7261D774E881CB06

Function 000001D6C89DBE60 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 000001D6C89DC0CA

Memory Dump Source

Source File: 00000004.00000003.2099458989.000001D6C89A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D6C89A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_1d6c89a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 493f5e9feb3bc185952b791932f3846df56847a002a59b7567bfb59bfa631270
Instruction ID: b17d10263b64f393fd009f54148f10ec51794631805174ab5ea2ab2d255807ea
Opcode Fuzzy Hash: 493f5e9feb3bc185952b791932f3846df56847a002a59b7567bfb59bfa631270
Instruction Fuzzy Hash: 28B1773121CB088FDB64EF1CD885B9AB7E1FBA8310F51456EE48AC7255DB34E845CB82

Function 0000000180002C30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNEL32 ref: 0000000180002C56

Strings

@, xrefs: 0000000180002C4E

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AllocNumaVirtual
String ID: @
API String ID: 4233825816-2766056989
Opcode ID: dbe35d2df203950de36ddcf7fe5b798376a89fd65d5bb236196afd6b07239e44
Instruction ID: 34f6e7e5ba55535552e86dfb8aea1c9c237241a7d285d051a1eb680f4a1854f4
Opcode Fuzzy Hash: dbe35d2df203950de36ddcf7fe5b798376a89fd65d5bb236196afd6b07239e44
Instruction Fuzzy Hash: E5F0F03231A1C585E7918B75A811B896EA0A7867A8F698305EB7C427D0DA3D8309CB00

Non-executed Functions

Function 00007FF8A7A844E5 Relevance: 86.1, APIs: 33, Strings: 16, Instructions: 382
stringwindowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00007FF8A7A8450D
CommandLineToArgvW.SHELL32 ref: 00007FF8A7A84523
lstrcmpW.KERNEL32 ref: 00007FF8A7A84592
lstrcmpW.KERNEL32 ref: 00007FF8A7A845A6
GetCurrentProcess.KERNEL32 ref: 00007FF8A7A845B9
IsWow64Process.KERNEL32 ref: 00007FF8A7A845C7
MessageBoxW.USER32 ref: 00007FF8A7A8461D
lstrcmpW.KERNEL32 ref: 00007FF8A7A84664
lstrcmpW.KERNEL32 ref: 00007FF8A7A84686
lstrcmpW.KERNEL32 ref: 00007FF8A7A8469A
lstrcmpW.KERNEL32 ref: 00007FF8A7A84834
lstrcmpW.KERNEL32 ref: 00007FF8A7A848BB
lstrcmpW.KERNEL32 ref: 00007FF8A7A8494B
FindFirstFileW.KERNEL32 ref: 00007FF8A7A84981
FindClose.KERNEL32 ref: 00007FF8A7A84994
GetTempFileNameW.KERNEL32 ref: 00007FF8A7A849F0
CopyFileW.KERNEL32 ref: 00007FF8A7A84A21
lstrcmpW.KERNEL32 ref: 00007FF8A7A84A55
lstrcmpW.KERNEL32 ref: 00007FF8A7A84A84
FindWindowW.USER32 ref: 00007FF8A7A84A97
SendMessageW.USER32 ref: 00007FF8A7A84AAF
IsWindow.USER32 ref: 00007FF8A7A84AC0
PostMessageW.USER32 ref: 00007FF8A7A84ADF
SHDeleteKeyW.SHLWAPI ref: 00007FF8A7A84AFE
lstrcmpW.KERNEL32 ref: 00007FF8A7A84B10
lstrlenW.KERNEL32 ref: 00007FF8A7A84B1D
lstrcmpW.KERNEL32 ref: 00007FF8A7A84B31
lstrcmpW.KERNEL32 ref: 00007FF8A7A84B4C

Part of subcall function 00007FF8A7A8D910: RegCloseKey.ADVAPI32 ref: 00007FF8A7A8D954
Part of subcall function 00007FF8A7A8D910: RegCloseKey.ADVAPI32 ref: 00007FF8A7A8D9A6
Part of subcall function 00007FF8A7A8D910: PostMessageW.USER32 ref: 00007FF8A7A8D9D4
Part of subcall function 00007FF8A7A8D910: PostMessageW.USER32 ref: 00007FF8A7A8D9EF

LocalFree.KERNEL32 ref: 00007FF8A7A84B5E

Strings

off, xrefs: 00007FF8A7A84B45
desktop, xrefs: 00007FF8A7A8482D
Software\NVIDIA Corporation\Global\nView, xrefs: 00007FF8A7A84AF7
saveprofile, xrefs: 00007FF8A7A8459F, 00007FF8A7A846C9, 00007FF8A7A84A4E
all, xrefs: 00007FF8A7A8467F, 00007FF8A7A846B5
Please use %s to run this command, xrefs: 00007FF8A7A845F4
Error, xrefs: 00007FF8A7A8460D
dmflags, xrefs: 00007FF8A7A8475A
loadprofile, xrefs: 00007FF8A7A84583, 00007FF8A7A84693, 00007FF8A7A84944
nViewCmd, xrefs: 00007FF8A7A84543
reset, xrefs: 00007FF8A7A84A7D
nView64.dll, xrefs: 00007FF8A7A845E8
import, xrefs: 00007FF8A7A849E2
help, xrefs: 00007FF8A7A84B09
NVIDIA RTX Desktop Manager, xrefs: 00007FF8A7A84A8E
apps, xrefs: 00007FF8A7A8465D

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: lstrcmp$Message$CloseFileFindPost$CommandLineProcessWindow$ArgvCopyCurrentDeleteFirstFreeLocalNameSendTempWow64lstrlen
String ID: Error$NVIDIA RTX Desktop Manager$Please use %s to run this command$Software\NVIDIA Corporation\Global\nView$all$apps$desktop$dmflags$help$import$loadprofile$nView64.dll$nViewCmd$off$reset$saveprofile
API String ID: 845202311-658622161
Opcode ID: af96e32e7e3f32490f36427dad863ff3c901b93d2b8c288b0a39f5eb28aba3da
Instruction ID: e2edf42c80c2599bd013be49c66e40f7d2f8907c9665f4a7aa9c5bbf30c60613
Opcode Fuzzy Hash: af96e32e7e3f32490f36427dad863ff3c901b93d2b8c288b0a39f5eb28aba3da
Instruction Fuzzy Hash: 8F024B72A1AA82B5FB609F21E8557BD2360FF84BC8F445136DA0E46694EF3CF645E700

Function 00007FF8A7A8E750 Relevance: 42.3, APIs: 13, Strings: 11, Instructions: 276windowstringCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF8A7A8E8A7
lstrlenW.KERNEL32 ref: 00007FF8A7A8E8FF
FindWindowW.USER32 ref: 00007FF8A7A8E916
IsIconic.USER32 ref: 00007FF8A7A8E927
ShowWindow.USER32 ref: 00007FF8A7A8E939
SetForegroundWindow.USER32 ref: 00007FF8A7A8E942
GetForegroundWindow.USER32 ref: 00007FF8A7A8E948
MessageBoxW.USER32 ref: 00007FF8A7A8EA93

Part of subcall function 00007FF8A7A7DA30: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A7DB70

PostMessageW.USER32 ref: 00007FF8A7A8E964

Part of subcall function 00007FF8A7A87E10: GetCurrentThreadId.KERNEL32 ref: 00007FF8A7A87ECD
Part of subcall function 00007FF8A7A87E10: GetCurrentProcessId.KERNEL32 ref: 00007FF8A7A87ED5

Part of subcall function 00007FF8A7A85BB0: LoadStringW.USER32 ref: 00007FF8A7A85BCF

ShellExecuteW.SHELL32 ref: 00007FF8A7A8EBB2

Part of subcall function 00007FF8A7A87E10: OutputDebugStringW.KERNEL32 ref: 00007FF8A7A87FC7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A8EBE5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A8EBEB
SendMessageW.USER32 ref: 00007FF8A7A8EC1A

Strings

D:\workspace\workspace\nViewBranchBuilder_3S_Agent\sw\nview\v200\nView\API\api.cpp, xrefs: 00007FF8A7A8E79A, 00007FF8A7A8E981, 00007FF8A7A8EB57
nvwdmcpl.exe, xrefs: 00007FF8A7A8EB26
open, xrefs: 00007FF8A7A8EBAB
NVRunControlPanel, xrefs: 00007FF8A7A8E7B2, 00007FF8A7A8E999, 00007FF8A7A8EB6D
Unsupported hardware, xrefs: 00007FF8A7A8E7A1
I, xrefs: 00007FF8A7A8EA44
Unsupported OS, xrefs: 00007FF8A7A8E988
%s\%s, xrefs: 00007FF8A7A8EB3E
NVIDIA RTX Desktop Manager, xrefs: 00007FF8A7A8E90D
launching nViewUI: %s, xrefs: 00007FF8A7A8EB74
-NVIDIA RTX / Quadro GPU -NVIDIA display driver -Windows 10 and above, xrefs: 00007FF8A7A8E839, 00007FF8A7A8E861, 00007FF8A7A8EA25, 00007FF8A7A8EA4D

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: MessageWindow$_invalid_parameter_noinfo_noreturn$CurrentForegroundString$DebugExecuteFindIconicLoadOutputPostProcessSendShellShowThreadlstrlen
String ID: -NVIDIA RTX / Quadro GPU -NVIDIA display driver -Windows 10 and above$%s\%s$D:\workspace\workspace\nViewBranchBuilder_3S_Agent\sw\nview\v200\nView\API\api.cpp$I$NVIDIA RTX Desktop Manager$NVRunControlPanel$Unsupported OS$Unsupported hardware$launching nViewUI: %s$nvwdmcpl.exe$open
API String ID: 2858304055-2235191580
Opcode ID: 3b7aaa0a93482d8f6ad9bb87dc17b7584b97f12eecb72b208f21b382525c2294
Instruction ID: 57336f390f51edf938fdef9d41690f762a856d03d9996f4b220201d69de46da4
Opcode Fuzzy Hash: 3b7aaa0a93482d8f6ad9bb87dc17b7584b97f12eecb72b208f21b382525c2294
Instruction Fuzzy Hash: E1C18D72A0EB86B1EB109F11E4453AE6361FB847D4F400232EA9D47B99EF7CE506D740

Function 00007FF8A7A9E67C Relevance: 33.3, APIs: 22, Instructions: 331COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E6C9
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E6F2
_Getctype.LIBCPMT ref: 00007FF8A7A9E726
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E762
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E78B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E7D2
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E7FB
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E84C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E875
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E8C6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E8EF
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E948
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E971
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9E9A5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9E9CE
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9EA02
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9EA2B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9EA6F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9EA98
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A9EAD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF8A7A9EAFF
_Yarn.LIBCPMT ref: 00007FF8A7A9EB69

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$GetctypeYarn
String ID:
API String ID: 3181430533-0
Opcode ID: 40d908191ac89458b9bd64ae39b4a4ce898169b569b4ff879f9e6d1f2ef22ad1
Instruction ID: d8da09ba6319c90b8688c389f4ed05ded6b022904d4a24cead31aebe524b57c8
Opcode Fuzzy Hash: 40d908191ac89458b9bd64ae39b4a4ce898169b569b4ff879f9e6d1f2ef22ad1
Instruction Fuzzy Hash: D0E15E72A0BE42B5EB65DF2698411BD33A1EF58BD0F048435EA0D53796EE3CB562A340

Function 00000001800330A8 Relevance: 29.1, APIs: 19, Instructions: 555COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000001800341D7

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 00000001800341FE

Part of subcall function 0000000180031B68: malloc.LIBCMT ref: 0000000180031B93
Part of subcall function 0000000180031B68: Sleep.KERNEL32(?,?,00000000,00000001800302E4,?,?,00000000,00000001800301E3,?,?,00000000,0000000180038B02,?,?,00000000,0000000180038A6E), ref: 0000000180031BA6

_invoke_watson.LIBCMT ref: 0000000180034821
_invoke_watson.LIBCMT ref: 0000000180034837
_invoke_watson.LIBCMT ref: 000000018003484D
_invoke_watson.LIBCMT ref: 0000000180034863
_invoke_watson.LIBCMT ref: 0000000180034879
_invoke_watson.LIBCMT ref: 000000018003488F
_invoke_watson.LIBCMT ref: 00000001800348A5
_invoke_watson.LIBCMT ref: 00000001800348BB
_invoke_watson.LIBCMT ref: 00000001800348D1
_invoke_watson.LIBCMT ref: 00000001800348E7
_invoke_watson.LIBCMT ref: 00000001800348FD
_invoke_watson.LIBCMT ref: 0000000180034913
_invoke_watson.LIBCMT ref: 0000000180034929
_invoke_watson.LIBCMT ref: 000000018003493F
_invoke_watson.LIBCMT ref: 0000000180034955
_invoke_watson.LIBCMT ref: 000000018003496B
_invoke_watson.LIBCMT ref: 0000000180034981

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _invoke_watson$Locale$SleepUpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crtmalloc
String ID:
API String ID: 3294838543-0
Opcode ID: 521078f5cd82ac0f084921f5033d007348db3b2902225dc428b05784ca17b11c
Instruction ID: 084eb429915106ff2183acdcc5e5956807c1a06688872eada26f31bf39ac8827
Opcode Fuzzy Hash: 521078f5cd82ac0f084921f5033d007348db3b2902225dc428b05784ca17b11c
Instruction Fuzzy Hash: C8220332320A4882EBA7DA65E51A3EF2391F7497C4F45D126EF4E8E695DF38D6098300

Function 00007FF8A7A70760 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 131registryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7A86150: RegOpenCurrentUser.ADVAPI32(?,?,?,?,00080000,00007FF8A7A707A7), ref: 00007FF8A7A86181
Part of subcall function 00007FF8A7A86150: RegOpenKeyExW.ADVAPI32(?,?,?,?,00080000,00007FF8A7A707A7), ref: 00007FF8A7A8619A
Part of subcall function 00007FF8A7A86150: RegCloseKey.ADVAPI32(?,?,?,?,00080000,00007FF8A7A707A7), ref: 00007FF8A7A861A7

RegQueryValueExW.ADVAPI32 ref: 00007FF8A7A707E3
RegCloseKey.ADVAPI32 ref: 00007FF8A7A707F9
GetSystemInfo.KERNEL32 ref: 00007FF8A7A70818
MapViewOfFileEx.KERNEL32 ref: 00007FF8A7A708BD
CloseHandle.KERNEL32 ref: 00007FF8A7A7095A

Part of subcall function 00007FF8A7A87E10: GetCurrentThreadId.KERNEL32 ref: 00007FF8A7A87ECD
Part of subcall function 00007FF8A7A87E10: GetCurrentProcessId.KERNEL32 ref: 00007FF8A7A87ED5

CloseHandle.KERNEL32 ref: 00007FF8A7A7099A

Strings

Failed to create shared heap memory., xrefs: 00007FF8A7A70973
nView Shared Memory, xrefs: 00007FF8A7A70833
ShareHeapMemoryWithProcess, xrefs: 00007FF8A7A70943, 00007FF8A7A70984
Failed to map shared heap memory., xrefs: 00007FF8A7A70932
Software\NVIDIA Corporation\Global\nView, xrefs: 00007FF8A7A70796
SharedMemorySize, xrefs: 00007FF8A7A707D0
%s %d, xrefs: 00007FF8A7A70842
D:\workspace\workspace\nViewBranchBuilder_3S_Agent\sw\nview\v200\nView\SharedData\MemoryManager.cpp, xrefs: 00007FF8A7A7092B, 00007FF8A7A7096C
*P, xrefs: 00007FF8A7A7083A

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Close$Current$HandleOpen$FileInfoProcessQuerySystemThreadUserValueView
String ID: %s %d$*P$D:\workspace\workspace\nViewBranchBuilder_3S_Agent\sw\nview\v200\nView\SharedData\MemoryManager.cpp$Failed to create shared heap memory.$Failed to map shared heap memory.$ShareHeapMemoryWithProcess$SharedMemorySize$Software\NVIDIA Corporation\Global\nView$nView Shared Memory
API String ID: 458693518-221517220
Opcode ID: efb547220dbf658a7d25a490300fb5f43486cdb7a754d46d62a50b696b50be32
Instruction ID: 01a8f8bea78a7afbb53bca828081d92ce548d58e4a348c723ce3f117fd8b2658
Opcode Fuzzy Hash: efb547220dbf658a7d25a490300fb5f43486cdb7a754d46d62a50b696b50be32
Instruction Fuzzy Hash: 5C514F7161AB46A6EB609F10E4413AF73A4FF88780F504136EA8D43B55EF3CE105DB40

Function 00000001800176E4 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1114COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2C9
Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2EE

_Mpunct.LIBCPMT ref: 00000001800178AF
_Mpunct.LIBCPMT ref: 0000000180017E71
_Mpunct.LIBCPMT ref: 0000000180017E94
_Mpunct.LIBCPMT ref: 0000000180017F99
_Mpunct.LIBCPMT ref: 0000000180017FFE
_Mpunct.LIBCPMT ref: 0000000180018024
_Mpunct.LIBCPMT ref: 000000018001812B
_Mpunct.LIBCPMT ref: 0000000180018191
_Mpunct.LIBCPMT ref: 00000001800181D6
_Mpunct.LIBCPMT ref: 000000018001821B

Strings

0123456789-, xrefs: 000000018001783F, 00000001800179A1, 0000000180017BCB, 0000000180017DB4
, xrefs: 000000018001850A

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID: $0123456789-
API String ID: 491317670-700845222
Opcode ID: bfea4566b3dd4f2453845a7a2c0565e6247bc10b50b38d8d916d4313fb2cf9fb
Instruction ID: a70e222771d2648924d77d9fb61618b5019d1f7d64ecee5f6b6d25d0e3028cf4
Opcode Fuzzy Hash: bfea4566b3dd4f2453845a7a2c0565e6247bc10b50b38d8d916d4313fb2cf9fb
Instruction Fuzzy Hash: 99A26D32704A8885EBA68B65D0503ED27B1FB49BC8F54D016EE4E1BB96DF34CB99D340

Function 0000000180016744 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1110COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F069
Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F08E

_Mpunct.LIBCPMT ref: 000000018001690F
_Mpunct.LIBCPMT ref: 0000000180016ED1
_Mpunct.LIBCPMT ref: 0000000180016EF4
_Mpunct.LIBCPMT ref: 0000000180016FF9
_Mpunct.LIBCPMT ref: 000000018001705E
_Mpunct.LIBCPMT ref: 0000000180017084
_Mpunct.LIBCPMT ref: 000000018001718B
_Mpunct.LIBCPMT ref: 00000001800171F1
_Mpunct.LIBCPMT ref: 0000000180017236
_Mpunct.LIBCPMT ref: 000000018001727B

Strings

, xrefs: 000000018001756A
0123456789-, xrefs: 000000018001689F, 0000000180016A01, 0000000180016C2B, 0000000180016E14

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID: $0123456789-
API String ID: 491317670-700845222
Opcode ID: 7023ceb1d819ec1a1cf44c7629e55f05b0496f09250da5da42953131b9d5b64b
Instruction ID: 80943f5e6f8277e2c6515c65fe0f4c286d5afc9ab992b988177440c4078c9487
Opcode Fuzzy Hash: 7023ceb1d819ec1a1cf44c7629e55f05b0496f09250da5da42953131b9d5b64b
Instruction Fuzzy Hash: 3FA26F32B04A8885EBA68B65D4503ED27B1FB49BC8F54D416FE4E17BA5DF34CA99C300

Function 0000000180024F60 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1051COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E05
Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E2A

_Mpunct.LIBCPMT ref: 0000000180025125
_Mpunct.LIBCPMT ref: 0000000180025675
_Mpunct.LIBCPMT ref: 0000000180025692
_Mpunct.LIBCPMT ref: 0000000180025784
_Mpunct.LIBCPMT ref: 00000001800257BB
_Mpunct.LIBCPMT ref: 00000001800257DF
_Mpunct.LIBCPMT ref: 00000001800258D3
_Mpunct.LIBCPMT ref: 0000000180025908
_Mpunct.LIBCPMT ref: 0000000180025948
_Mpunct.LIBCPMT ref: 0000000180025988

Strings

, xrefs: 0000000180025C35
0123456789-, xrefs: 00000001800250C1, 0000000180025202, 000000018002540A, 00000001800255C0

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID: $0123456789-
API String ID: 491317670-700845222
Opcode ID: 5b1f11ae308e5f978eadb6c2e653d3aa161437b62689c1e79878b92cd71a40da
Instruction ID: 357b8073b20dd1810e5d3b735acf5af2621e0edfda92cd437dcbf710b5a8daa8
Opcode Fuzzy Hash: 5b1f11ae308e5f978eadb6c2e653d3aa161437b62689c1e79878b92cd71a40da
Instruction Fuzzy Hash: 10A2C032604A8889FBA7CB65C4503EC27A1F749BC9F94C516EE8A1B7D6CF79C649C304

Function 00007FF8A7A704D0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF8A7A70564
SetEntriesInAclW.ADVAPI32 ref: 00007FF8A7A705AA
LocalAlloc.KERNEL32 ref: 00007FF8A7A705BA
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF8A7A705CE
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF8A7A705E5
LocalFree.KERNEL32 ref: 00007FF8A7A705F2
CreateFileMappingW.KERNEL32 ref: 00007FF8A7A70621
GetLastError.KERNEL32 ref: 00007FF8A7A7062A
FreeSid.ADVAPI32 ref: 00007FF8A7A70654
LocalFree.KERNEL32 ref: 00007FF8A7A70663
LocalFree.KERNEL32 ref: 00007FF8A7A70671

Strings

S:(ML;;NW;;;LW), xrefs: 00007FF8A7A70630

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: FreeLocal$DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesErrorFileLastMapping
String ID: S:(ML;;NW;;;LW)
API String ID: 3392393586-495562761
Opcode ID: 1bad6f8359a5bfc7530f1a812a5409b517a125bc2b6b65261657b1f3283d3b3c
Instruction ID: aeb3c17907e520b2668d24caa223f84a7c20e7ba9d750239f939a04c7d561847
Opcode Fuzzy Hash: 1bad6f8359a5bfc7530f1a812a5409b517a125bc2b6b65261657b1f3283d3b3c
Instruction Fuzzy Hash: E6516C72B1AB42EAE710CF61E4507AD73B4FB98788F404126EE4D93A58EF78E116D700

Function 00007FF8A7A80490 Relevance: 14.0, APIs: 9, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7B6ADC0: LoadLibraryW.KERNEL32 ref: 00007FF8A7B6ADDE
Part of subcall function 00007FF8A7B6ADC0: GetProcAddress.KERNEL32 ref: 00007FF8A7B6ADF6
Part of subcall function 00007FF8A7B6ADC0: FreeLibrary.KERNEL32 ref: 00007FF8A7B6AE0F
Part of subcall function 00007FF8A7B6ADC0: GetDC.USER32 ref: 00007FF8A7B6AE1B
Part of subcall function 00007FF8A7B6ADC0: GetDeviceCaps.GDI32 ref: 00007FF8A7B6AE31
Part of subcall function 00007FF8A7B6ADC0: ReleaseDC.USER32 ref: 00007FF8A7B6AE3E

IntersectRect.USER32 ref: 00007FF8A7A80540
IntersectRect.USER32 ref: 00007FF8A7A807E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A80899
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A808A5
IntersectRect.USER32 ref: 00007FF8A7A80972
IntersectRect.USER32 ref: 00007FF8A7A80A74
IntersectRect.USER32 ref: 00007FF8A7A80ACE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A80B7E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A80B8A

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: IntersectRect$_invalid_parameter_noinfo_noreturn$Library$AddressCapsDeviceFreeLoadProcRelease
String ID:
API String ID: 4222476805-0
Opcode ID: 5f2a14ffc23a43a4d15a5f7ab3bf804fe6d62dac530410fa36961198e719c33e
Instruction ID: 056e7063bf5cb19b3b0506c271963cf921d37e84e2b7226076531b76b06545c6
Opcode Fuzzy Hash: 5f2a14ffc23a43a4d15a5f7ab3bf804fe6d62dac530410fa36961198e719c33e
Instruction Fuzzy Hash: B122D272F1A642AAFB008F78D4412BD7361EB597D8F108731DE1D27799EE38B4869740

Function 00007FF8A7A867D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 89libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF8A7A86816
GetProcAddress.KERNEL32 ref: 00007FF8A7A86826
GetVersionExW.KERNEL32 ref: 00007FF8A7A8683A

Strings

RtlGetVersion, xrefs: 00007FF8A7A8681F
ntdll, xrefs: 00007FF8A7A86807

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID: RtlGetVersion$ntdll
API String ID: 3310240892-2582309562
Opcode ID: 7606234e096adcee02d3d9db7c79f1b1fc690830e42571d938679808d679138d
Instruction ID: 1640336ae1b91cc63d09423999d38ea076444a008159083dbc17bc4bc5c6810d
Opcode Fuzzy Hash: 7606234e096adcee02d3d9db7c79f1b1fc690830e42571d938679808d679138d
Instruction Fuzzy Hash: 02411D70E0F206FAF7648F50A55233D33A1EF98385F248476D55D466A5FE3DB502AB00

Function 000000018001B924 Relevance: 6.5, APIs: 4, Instructions: 543COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018001BA07
_Mpunct.LIBCPMT ref: 000000018001BB21
_Mpunct.LIBCPMT ref: 000000018001BBAA

Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2C9
Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2EE

_Mpunct.LIBCPMT ref: 000000018001BB3A

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID:
API String ID: 491317670-0
Opcode ID: 32a054681ada761a3f21b934110cbacde2a58451cc4452ceb2e2b32a685144d7
Instruction ID: ae333f1357bb5ac04765cce638402cad7685101a5c7d4aa2e7d208c612dcf27a
Opcode Fuzzy Hash: 32a054681ada761a3f21b934110cbacde2a58451cc4452ceb2e2b32a685144d7
Instruction Fuzzy Hash: 1F32B032604E9885EBA68F25D8453ED63A4F75CBC8F548111FB8957B99EF38CA89C340

Function 000000018001B138 Relevance: 6.5, APIs: 4, Instructions: 543COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018001B21B
_Mpunct.LIBCPMT ref: 000000018001B335
_Mpunct.LIBCPMT ref: 000000018001B3BE

Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F069
Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F08E

_Mpunct.LIBCPMT ref: 000000018001B34E

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID:
API String ID: 491317670-0
Opcode ID: d8653a78ccc0500016ee3a39bc8ed8050953f96735a7a63760c9342397005fa0
Instruction ID: 4647e442d3bcfc851c9f4701ce4f14d67acf718bc96bb144a9f397481643842c
Opcode Fuzzy Hash: d8653a78ccc0500016ee3a39bc8ed8050953f96735a7a63760c9342397005fa0
Instruction Fuzzy Hash: 9C32B132604E9886EBA29F25D8453ED63A5F758BC8F54C111FF8957B99EF38C689C300

Function 0000000180026890 Relevance: 6.5, APIs: 4, Instructions: 524COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018002696A
_Mpunct.LIBCPMT ref: 0000000180026AA6
_Mpunct.LIBCPMT ref: 0000000180026B14

Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E05
Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E2A

_Mpunct.LIBCPMT ref: 0000000180026AC2

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID:
API String ID: 491317670-0
Opcode ID: 72a7ac2e2c1f111e1b61ae734374779d00f08ed685c08311d7ac3453d226d6ed
Instruction ID: 2589bcd918802237b5c990292f2751727b1abcad383ca43231b0e5c6f6b0472f
Opcode Fuzzy Hash: 72a7ac2e2c1f111e1b61ae734374779d00f08ed685c08311d7ac3453d226d6ed
Instruction Fuzzy Hash: 93324E72A04BC885EB678F25C4503ED6761F399BC8F54C112EA8D57BAADF39C689C340

Function 00000001800147EC Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 962COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB19
Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB3E

_Mpunct.LIBCPMT ref: 000000018001488A
localeconv.LIBCMT ref: 0000000180014F23

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00000001800148DA, 0000000180014C1B, 0000000180014E4D, 0000000180015096, 00000001800153AC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 3643605086-3606100449
Opcode ID: 94432bfd2f8d95df277d2e9dbc6edac5d8f0baf28bc49a8a7a32c7f5d36230e7
Instruction ID: 5ab51ccc94a7dab44ec95765bb0b019680b649c223dae5af60e6b35ee96dccf9
Opcode Fuzzy Hash: 94432bfd2f8d95df277d2e9dbc6edac5d8f0baf28bc49a8a7a32c7f5d36230e7
Instruction Fuzzy Hash: C8925E37204A88C5EBA68B65C1503FD37A1FB49BC4F54C016EE9A1BBA5DF35CA5AC310

Function 0000000180013BA0 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 962COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9E9
Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FA0E

_Mpunct.LIBCPMT ref: 0000000180013C3E
localeconv.LIBCMT ref: 00000001800142D7

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 0000000180013C8E, 0000000180013FCF, 0000000180014201, 000000018001444A, 0000000180014760

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 3643605086-3606100449
Opcode ID: 2b3747df4bcc6815d0ca050ff0a1d26fc9399c5a2f48bb3d04cf2418fda5afce
Instruction ID: 15170c7321f925de93854cd2b60bf2d9794a6949502e19fd89cf563b34aba275
Opcode Fuzzy Hash: 2b3747df4bcc6815d0ca050ff0a1d26fc9399c5a2f48bb3d04cf2418fda5afce
Instruction Fuzzy Hash: 46927E37204A88C5EBA68B66D1503FD27A1FB49BC8F54C415EF5A1B7A1CF35CA9AC310

Function 00000001800097A8 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 928COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008351
Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008376

_Mpunct.LIBCPMT ref: 0000000180009842
localeconv.LIBCMT ref: 0000000180009E67

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 0000000180009892, 0000000180009B91, 0000000180009D26, 0000000180009F44, 000000018000A219

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 3643605086-3606100449
Opcode ID: ee78207987aaf8e6898c223f5fdc8bfa83aea163ec8c7af802b6eb0c56abaefe
Instruction ID: 0951dfdd3adb040bfd2425e3f0e5ac157d4fc1802d06d2afbb1654cb7f49c3dd
Opcode Fuzzy Hash: ee78207987aaf8e6898c223f5fdc8bfa83aea163ec8c7af802b6eb0c56abaefe
Instruction Fuzzy Hash: A782B4323096888AFBA6CBA581503FD3BA1F74ABC4F54C115EF9907796CF25CA5AC310

Function 0000000180013078 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 870COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180013135

Part of subcall function 00000001800147EC: _Mpunct.LIBCPMT ref: 000000018001488A

Strings

0123456789-+Ee, xrefs: 0000000180013192, 0000000180013383, 00000001800135BC, 0000000180013805, 0000000180013B1B

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct
String ID: 0123456789-+Ee
API String ID: 4240859931-1347306980
Opcode ID: d972bc5eca4d0b82fe2e94bffa6b7d9434b9e5222b7b794ba326fb571b0aa537
Instruction ID: 7fa30803b5596d2040c40fa2d6deab6b9b1eebdfa1222772e05d0cd440f79c75
Opcode Fuzzy Hash: d972bc5eca4d0b82fe2e94bffa6b7d9434b9e5222b7b794ba326fb571b0aa537
Instruction Fuzzy Hash: E882A032208A8886FBA68B65C1523FD37A1FB49BC4F54C416EF4A17B95DF39CA59C310

Function 0000000180012550 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 870COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018001260D

Part of subcall function 0000000180013BA0: _Mpunct.LIBCPMT ref: 0000000180013C3E

Strings

0123456789-+Ee, xrefs: 000000018001266A, 000000018001285B, 0000000180012A94, 0000000180012CDD, 0000000180012FF3

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct
String ID: 0123456789-+Ee
API String ID: 4240859931-1347306980
Opcode ID: 821b9d4d01ecd75d4b1e2aa44c8194800fa5c52a50f71f3b929308d42d9b6223
Instruction ID: 541b46e9ef04b4a6691a8844132f360519d1f98d966391b6e758a932985ee6d9
Opcode Fuzzy Hash: 821b9d4d01ecd75d4b1e2aa44c8194800fa5c52a50f71f3b929308d42d9b6223
Instruction Fuzzy Hash: CF829036204A888AFBA68B65C1503FD37A1FB49BC4F54D416EF4A17795EF34CA69C310

Function 0000000180032E14 Relevance: 6.1, APIs: 4, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180032E3E

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 0000000180032E7E
_invoke_watson.LIBCMT ref: 0000000180032F3C

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 0000000180032F52

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID:
API String ID: 1584724053-0
Opcode ID: bb9541adda1de7d3445963b5d25e419d471c8ff25f1e67a4739099756cf48ec5
Instruction ID: 3aca14fc27a6a15d1b1d6d791e791982332b7847b4ff029bd85a204ab66ebf99
Opcode Fuzzy Hash: bb9541adda1de7d3445963b5d25e419d471c8ff25f1e67a4739099756cf48ec5
Instruction Fuzzy Hash: A331C53232078885EB97DB26D5093DE7795E789BC4F19C135BE8E4BB9ACE38C1068304

Function 0000000180008D6C Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 834COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180008E28

Part of subcall function 00000001800097A8: _Mpunct.LIBCPMT ref: 0000000180009842

Strings

0123456789-+Ee, xrefs: 0000000180008E7D, 000000018000903F, 00000001800091D0, 00000001800093E2, 00000001800096B6

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct
String ID: 0123456789-+Ee
API String ID: 4240859931-1347306980
Opcode ID: e67974f2d9ac711acb042ba2c3b51c72e12c7e8c571ddf96fbd68d540ecca808
Instruction ID: e252262f3d62f599d6f49dd2fa522cb368fb81fbd5ecc78d30e2ce65ba09eaa7
Opcode Fuzzy Hash: e67974f2d9ac711acb042ba2c3b51c72e12c7e8c571ddf96fbd68d540ecca808
Instruction Fuzzy Hash: 9372A23260A68899FB96CBA681503EC3BA1BB49BC8F54C155EF99077D6CF35C65EC300

Function 00007FF8A7A78510 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 506COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A787DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A78ABB

Strings

%, xrefs: 00007FF8A7A78B05

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %
API String ID: 3668304517-2567322570
Opcode ID: e1c484600b04fc7f895425a5356948795cbabb543350465548e48a692336fa0e
Instruction ID: 84bb01fbdc3a92aedce0301011095894c098c84f7c2806867e82ba189304888e
Opcode Fuzzy Hash: e1c484600b04fc7f895425a5356948795cbabb543350465548e48a692336fa0e
Instruction Fuzzy Hash: 8F123322B09A85AAFB258F65D4513FE67A1EB487C8F448131DE4D97B88EF3CE581D300

Function 00007FF8A7A96800 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32 ref: 00007FF8A7A9683E

Part of subcall function 00007FF8A7A96460: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00007FF8A7A96854), ref: 00007FF8A7A96494
Part of subcall function 00007FF8A7A96460: lstrlenW.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A964AE
Part of subcall function 00007FF8A7A96460: SetFilePointer.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A964D7
Part of subcall function 00007FF8A7A96460: ReadFile.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A96518
Part of subcall function 00007FF8A7A96460: lstrlenW.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A96521
Part of subcall function 00007FF8A7A96460: lstrcmpW.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A96535
Part of subcall function 00007FF8A7A96460: SetFilePointer.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A96550
Part of subcall function 00007FF8A7A96460: SetFilePointer.KERNEL32(?,00007FF8A7A96854), ref: 00007FF8A7A9659C

Part of subcall function 00007FF8A7A96350: SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF8A7A964E8,?,00007FF8A7A96854), ref: 00007FF8A7A9638C
Part of subcall function 00007FF8A7A96350: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF8A7A964E8,?,00007FF8A7A96854), ref: 00007FF8A7A9639E
Part of subcall function 00007FF8A7A96350: SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF8A7A964E8,?,00007FF8A7A96854), ref: 00007FF8A7A963BC
Part of subcall function 00007FF8A7A96350: ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF8A7A964E8,?,00007FF8A7A96854), ref: 00007FF8A7A963E8
Part of subcall function 00007FF8A7A96350: lstrcmpW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF8A7A964E8,?,00007FF8A7A96854), ref: 00007FF8A7A963FA
Part of subcall function 00007FF8A7A96350: SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF8A7A964E8,?,00007FF8A7A96854), ref: 00007FF8A7A96422

ReadFile.KERNEL32 ref: 00007FF8A7A9689A
SetFilePointer.KERNEL32 ref: 00007FF8A7A968C3

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: File$Pointer$Readlstrlen$lstrcmp
String ID:
API String ID: 75621728-0
Opcode ID: 4628df762a2c9ad44dbe37110d3e9d88100c24f7c384a6aa602117973b6464b4
Instruction ID: a27b4c75d621ce3e868bb1c98d1e924f28abba80600b1d213254b37ad8c98d4b
Opcode Fuzzy Hash: 4628df762a2c9ad44dbe37110d3e9d88100c24f7c384a6aa602117973b6464b4
Instruction Fuzzy Hash: E0218232A18B8192E710CF21E5517AEB361FBDC7C4F505236EE8D83A15DF39E1958B00

Function 00000001800158A0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 467COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9E9
Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FA0E

_Mpunct.LIBCPMT ref: 00000001800158FB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 0000000180015936, 0000000180015C83

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2786813426-2799312399
Opcode ID: 310c16e434c6fb425f377aa5a3344d56e60155a5009237bc210dd0dc5f72e661
Instruction ID: 5fe4dd189a2d79ce61165057c9ebb2e090cd9d14d433b9fec00325c66f72dead
Opcode Fuzzy Hash: 310c16e434c6fb425f377aa5a3344d56e60155a5009237bc210dd0dc5f72e661
Instruction Fuzzy Hash: F0129C36704A88C9FBA28F65D0507ED27A1EB49BC9F54C112EE8A1F789DF35CA49C350

Function 0000000180015EA0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 467COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB19
Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB3E

_Mpunct.LIBCPMT ref: 0000000180015EFB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 0000000180015F36, 0000000180016283

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2786813426-2799312399
Opcode ID: 7f9bde8d58b3e2620bf608a5cc9520c0ecd61f189b4a8a455c5414453c571840
Instruction ID: 027a829814d0a7af50161521d001647e6a208036f76e6a0cfd0a3acd19813199
Opcode Fuzzy Hash: 7f9bde8d58b3e2620bf608a5cc9520c0ecd61f189b4a8a455c5414453c571840
Instruction Fuzzy Hash: 3312C036B04A8885FBA3CB65C4507ED37A1E749BC8F58C016EE4A1B7A5CF35CA49C340

Function 000000018000A314 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 451COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008351
Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008376

_Mpunct.LIBCPMT ref: 000000018000A36E

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 000000018000A3A5, 000000018000A6A9

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2786813426-2799312399
Opcode ID: cc0dd99451e0eb2a4836ac02799361a5a9bcabcee1e262923024bb7c99d54d77
Instruction ID: f7f63c79d1b94fbb45dab63fbf242b30916648d9a31090d02f6495e4854cce8f
Opcode Fuzzy Hash: cc0dd99451e0eb2a4836ac02799361a5a9bcabcee1e262923024bb7c99d54d77
Instruction Fuzzy Hash: B9129036708A8889FB92CA75C4503EC3BB1A74ABD8F58C115EE491B796CF75CA4EC350

Function 0000000180019020 Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180019172

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct
String ID:
API String ID: 4240859931-0
Opcode ID: 63fef931675e363a9749f96429758758dd3006f32cce81dee63d7a14f1cdfd87
Instruction ID: b4b31d92be3c4c8e502b6ea2e0a282e668397faed0ae34e767a83c581478e39b
Opcode Fuzzy Hash: 63fef931675e363a9749f96429758758dd3006f32cce81dee63d7a14f1cdfd87
Instruction Fuzzy Hash: FBC1A232B06A9899FB52CFB5C4013EC63B1BB5DB88F448111EE4967A99DF39C64EC340

Function 00000001800193F0 Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180019542

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Mpunct
String ID:
API String ID: 4240859931-0
Opcode ID: 9787ca75ca63df748a1499e8dd1c5abcefd6f6751ff6d03e7f7fc609e9ac6cfc
Instruction ID: 7c40f0623f709e12c7f828199f14d4f1bd29be792234f51f62a64cc8c6a646a4
Opcode Fuzzy Hash: 9787ca75ca63df748a1499e8dd1c5abcefd6f6751ff6d03e7f7fc609e9ac6cfc
Instruction Fuzzy Hash: B2C1A332B06E9889FB52CFB5D4017EC63B1BB59788F448511EE4967A89EF38C64EC340

Function 00000001800353EC Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,?,00000001800423DB,?,?,00000140,0000000180042AAB), ref: 000000018003541D

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: ef170b939dcdfe0a6fa8f39585badaf32e39fbe27d88ffb3e5b79058c9fef6a5
Instruction ID: a17f45a68611e7ce09ab532a4d12380a5d0071377e1487d1a7a9af1b51f9b2a3
Opcode Fuzzy Hash: ef170b939dcdfe0a6fa8f39585badaf32e39fbe27d88ffb3e5b79058c9fef6a5
Instruction Fuzzy Hash: 5EE0EC35A05A0C81F7C74B12FCD57C623A0A75D3C6FE19601E44C56A70CE7883DD8B00

Function 0000000180032DD8 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180032DE3

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8ebd1b43ab214313b2ad0a09dfd0eba3f354677c67a457a5e5e63f9d14e391ab
Instruction ID: 12656fcb5de8b69835b2dd3a9c331cf0c0323df84e8e99bcec695bc93526836d
Opcode Fuzzy Hash: 8ebd1b43ab214313b2ad0a09dfd0eba3f354677c67a457a5e5e63f9d14e391ab
Instruction Fuzzy Hash: 3DC09B33758D0CC2FB6D1BF274953751111D31DB94F0954349D17053508D2C81DD570C

Function 00007FF8A7AC679C Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254a1a10cbcd3fc84fc19bba0395498d0da72a100f68aacced460330d578e86f
Instruction ID: 184c9a8fd5ea98e1537e19cc633a410fc6eb720559583607a40148ccf3a74c02
Opcode Fuzzy Hash: 254a1a10cbcd3fc84fc19bba0395498d0da72a100f68aacced460330d578e86f
Instruction Fuzzy Hash: 22122B52F7179C06DE19C1720AA57B940C69FB67E9F64BB2AEC0B26BE0C90E50834080

Function 000000018001F28C Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 11ca8ba6c9e4bc976ad0728efb636439ff8e0f3983e089c52a7ed5c8f874d3e2
Instruction ID: 84605ef311baa56bc5b68e2491e6a8dcf644c937c9e5222fdf1f18ce1bf163ab
Opcode Fuzzy Hash: 11ca8ba6c9e4bc976ad0728efb636439ff8e0f3983e089c52a7ed5c8f874d3e2
Instruction Fuzzy Hash: 0A427A72604A8886FBA68F25D5503BD3361FB89BC8F54D602EF8A17B95DF38C659C300

Function 000000018001FA9C Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: de02513275ad1c1a37e0096a818261c58a998aecf4f08ba4a5899afd53db8295
Instruction ID: 7802ca9db5044afc23cb1f38c8e105cc531337a4395501fdb7ec6a4e23d2f7b6
Opcode Fuzzy Hash: de02513275ad1c1a37e0096a818261c58a998aecf4f08ba4a5899afd53db8295
Instruction Fuzzy Hash: 3D427C32604B4886FBA68B25D5803BD7361FB89BC8F54C512EF8A17B96DF39C659C300

Function 00000001800279B8 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Stollx
String ID:
API String ID: 3628700584-0
Opcode ID: eb53157097b9bda4a8a3cf500f3039b16533609824c5f9a5ce3e351e3c28d2aa
Instruction ID: 42b5d6b38fa8120ab5fcb54182bbeb98c0f4066ebeec1de4c937208e3a875605
Opcode Fuzzy Hash: eb53157097b9bda4a8a3cf500f3039b16533609824c5f9a5ce3e351e3c28d2aa
Instruction Fuzzy Hash: B8428D72704A8885EBA78B29C5403AD3762FB89BC8F14C616EF9D17796DF39C659C300

Function 00007FF8A7B10500 Relevance: .2, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 98797a4ed6df2b2ef2fed60eba7a143dae38721ca92eafd97d56f774b5dbee5b
Instruction ID: 197bb40f9a3825ce8e585027a62b863a7313ec0efbc04f9a4c076461d3dd3022
Opcode Fuzzy Hash: 98797a4ed6df2b2ef2fed60eba7a143dae38721ca92eafd97d56f774b5dbee5b
Instruction Fuzzy Hash: 0971D3B270AA5192EB64CE2AD49137D2360FB84BD8F548636EE2E977C5CF3CD4429740

Function 00007FF8A7AE0498 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239a3dbec09180cd3c6533b854e040da4f50052b438bebc3e3433ecd8060fee1
Instruction ID: 3c3f2cb70a9dc206e5dce2d33fc7d033fd7fd3158c1977d8462ff98aa57c4d6f
Opcode Fuzzy Hash: 239a3dbec09180cd3c6533b854e040da4f50052b438bebc3e3433ecd8060fee1
Instruction Fuzzy Hash: AF519476B19A65A6E7248F28C04133E23A0EB58B98F348131CE4D07795FB3AF843D740

Function 00007FF8A7B52880 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 224registryCOMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32 ref: 00007FF8A7B52939

Part of subcall function 00007FF8A7A7C160: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A7C2C8

RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7B529D0
RegQueryValueExW.ADVAPI32 ref: 00007FF8A7B52A15
RegCloseKey.ADVAPI32 ref: 00007FF8A7B52A52
RegCloseKey.ADVAPI32 ref: 00007FF8A7B52A62
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7B52C3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7B52C42
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7B52C48

Strings

%s %i, xrefs: 00007FF8A7B52AF9
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VirtualDesktops\Desktops, xrefs: 00007FF8A7B5295F
Name, xrefs: 00007FF8A7B52A09
/, xrefs: 00007FF8A7B528E8
(, xrefs: 00007FF8A7B528DF

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Close$FromOpenQueryStringValue
String ID: %s %i$($/$Name$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VirtualDesktops\Desktops
API String ID: 3244184606-1929885721
Opcode ID: 42ce07bacc996f2a0b40e488a38c559ebfaeae40b50968b79c9771a6caeb96a5
Instruction ID: 1cbed3dcb1a74050b07bf98b3ff2d2b95c0b997c629725b650aff9f13269a6a2
Opcode Fuzzy Hash: 42ce07bacc996f2a0b40e488a38c559ebfaeae40b50968b79c9771a6caeb96a5
Instruction Fuzzy Hash: 65A1C8B2A1AB81A6EB108F24E44039E77A1FB847E4F505631EA9D07BE9DF7CD045DB04

Function 00007FF8A7A88480 Relevance: 18.1, APIs: 6, Strings: 6, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32 ref: 00007FF8A7A88702
lstrcpyW.KERNEL32 ref: 00007FF8A7A88877

Strings

UNKNOWN, xrefs: 00007FF8A7A88885
WM_TWINVIEW, xrefs: 00007FF8A7A88870
WM_USER, xrefs: 00007FF8A7A8889C
WM_EXITSIZEMOVE, xrefs: 00007FF8A7A888B4
WM_SYSCOMMAND, xrefs: 00007FF8A7A886F8
WM_ENTERSIZEMOVE, xrefs: 00007FF8A7A88840

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: lstrcpy
String ID: UNKNOWN$WM_ENTERSIZEMOVE$WM_EXITSIZEMOVE$WM_SYSCOMMAND$WM_TWINVIEW$WM_USER
API String ID: 3722407311-3710089543
Opcode ID: 3a13069f937072d0b233660105284a1f22af0e500dca7f2205eb1b936971c12f
Instruction ID: de0dee43757783598f307d3b4616d0c529dc8e16897ad263059f1ae4dbbbaaed
Opcode Fuzzy Hash: 3a13069f937072d0b233660105284a1f22af0e500dca7f2205eb1b936971c12f
Instruction Fuzzy Hash: 83214FA1F0B201B7F7588F09E4D92BC2211EF887C1F849036DD4D867A4EE3CB59AA310

Function 00000001800368B0 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018002F067), ref: 00000001800368C1
free.LIBCMT ref: 00000001800368DE

Part of subcall function 000000018002D5F4: HeapFree.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D60A
Part of subcall function 000000018002D5F4: _errno.LIBCMT ref: 000000018002D614
Part of subcall function 000000018002D5F4: GetLastError.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D61C

free.LIBCMT ref: 00000001800368F3
free.LIBCMT ref: 0000000180036914
free.LIBCMT ref: 0000000180036929
free.LIBCMT ref: 000000018003693D
free.LIBCMT ref: 0000000180036949
free.LIBCMT ref: 0000000180036974
EncodePointer.KERNEL32(?,?,?,000000018002F067), ref: 000000018003697C
free.LIBCMT ref: 0000000180036995
free.LIBCMT ref: 00000001800369AE
free.LIBCMT ref: 00000001800369DF

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction ID: e2653a9f16c68cd9db8ac6c19f3406fb9b710f8bb8de90df47967776b1696018
Opcode Fuzzy Hash: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction Fuzzy Hash: 6B314E31601A4C89FED7DB11E9613E563A0BB4D7D4F19C226BA190AAE5DFBCC68D8301

Function 00000001800012F0 Relevance: 15.1, APIs: 10, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000132B

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000018000136C

Part of subcall function 000000018000775C: setlocale.LIBCMT ref: 0000000180007770
Part of subcall function 000000018000775C: setlocale.LIBCMT ref: 0000000180007799

_Getcvt.LIBCPMT ref: 0000000180001376

Part of subcall function 00000001800073D0: ___lc_codepage_func.LIBCMT ref: 00000001800073F4
Part of subcall function 00000001800073D0: ___mb_cur_max_func.LIBCMT ref: 00000001800073FB
Part of subcall function 00000001800073D0: ___lc_locale_name_func.LIBCMT ref: 0000000180007403

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000000018000139E

Part of subcall function 00000001800077C8: setlocale.LIBCMT ref: 00000001800077E2

free.LIBCMT ref: 00000001800013AC

Part of subcall function 000000018002D5F4: HeapFree.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D60A
Part of subcall function 000000018002D5F4: _errno.LIBCMT ref: 000000018002D614
Part of subcall function 000000018002D5F4: GetLastError.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D61C

free.LIBCMT ref: 00000001800013BE
free.LIBCMT ref: 00000001800013D0
free.LIBCMT ref: 00000001800013E2
free.LIBCMT ref: 00000001800013F4
free.LIBCMT ref: 0000000180001406

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: free$setlocalestd::_$Locinfo::_$ErrorFreeGetcvtHeapLastLocinfo_ctorLocinfo_dtorLockitLockit::____lc_codepage_func___lc_locale_name_func___mb_cur_max_func_errno_lock
String ID:
API String ID: 3682056076-0
Opcode ID: ca3fb0b8572f38f04c8e7f887ed93a46820372b37fb06955fdddff351c3b93c0
Instruction ID: 0d852a346218120d3da4cb41429ba606f2c3b38bf25389faa73f1b0c9af31080
Opcode Fuzzy Hash: ca3fb0b8572f38f04c8e7f887ed93a46820372b37fb06955fdddff351c3b93c0
Instruction Fuzzy Hash: 87416B32B45B8889EB52DBB4D4503DC33B9AB687C8F05811AAA4927A9ADE70C659C340

Function 00007FF8A7B2665C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF8A7B2736A), ref: 00007FF8A7B267D8
GetProcAddress.KERNEL32(?,?,?,00007FF8A7B2736A), ref: 00007FF8A7B267E4

Strings

api-ms-, xrefs: 00007FF8A7B26722
ext-ms-, xrefs: 00007FF8A7B26735

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 6436c2138278e838b4396a275288fcfbc5b678e40a56344861f9511c4cfbaea8
Instruction ID: 48fba32acbd3f6f7053a70d83d8afa64e3b4fda3b4b83f2a5cfc954af7aeac87
Opcode Fuzzy Hash: 6436c2138278e838b4396a275288fcfbc5b678e40a56344861f9511c4cfbaea8
Instruction Fuzzy Hash: 8041F3B1B1BA02A1EB16DF16A85067D2391FF55BE4F484539CD0D87B94EE3CE406A380

Function 000000018000E7F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E819

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E83E
ctype.LIBCPMT ref: 000000018000E8C1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E8D8
_CxxThrowException.LIBCMT ref: 000000018000E8E9
std::_Facet_Register.LIBCPMT ref: 000000018000E907

Strings

bad cast, xrefs: 000000018000E8CC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3320480354-3145022300
Opcode ID: 1518c0a335d86cbaa4542f68ea49f77159dfa4c437a71da536b0f71a588ef4d3
Instruction ID: 903a1047ac448027b450ec25c1a64425b0a144e6aa285fcf7086c7a1e7952437
Opcode Fuzzy Hash: 1518c0a335d86cbaa4542f68ea49f77159dfa4c437a71da536b0f71a588ef4d3
Instruction Fuzzy Hash: 87313D31604A8881FA97DB15E4503D97761F799BE0F58C222FA6E176E9DF38C68AC700

Function 000000018000F048 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F069

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F08E
moneypunct.LIBCPMT ref: 000000018000F111
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F128
_CxxThrowException.LIBCMT ref: 000000018000F139
std::_Facet_Register.LIBCPMT ref: 000000018000F157

Strings

bad cast, xrefs: 000000018000F11C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 72116e41904cd7165d87d3b7b8d6bb6200793e546d858aed617fd641d52c83dc
Instruction ID: 703a4cad84fdcc045a2871730030fa27516cb42ee1b9283c4040bcabb6153e8b
Opcode Fuzzy Hash: 72116e41904cd7165d87d3b7b8d6bb6200793e546d858aed617fd641d52c83dc
Instruction Fuzzy Hash: 50312331604A4881EAA6DB15E4503E97760F798BE4F648322F66D17BE6DF38C68DD700

Function 000000018000F898 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F8B9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F8DE
messages.LIBCPMT ref: 000000018000F961
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F978
_CxxThrowException.LIBCMT ref: 000000018000F989
std::_Facet_Register.LIBCPMT ref: 000000018000F9A7

Strings

bad cast, xrefs: 000000018000F96C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 6d24588b9a7590b3b87b70300c70b3292790a8bd1c5b1071349b1aa35c1d1e7e
Instruction ID: ac250751d58bdd5496b533042141eb838cccab87bb5e4a6a326be43682a2c53b
Opcode Fuzzy Hash: 6d24588b9a7590b3b87b70300c70b3292790a8bd1c5b1071349b1aa35c1d1e7e
Instruction Fuzzy Hash: F5312E72604A4891EAA6DB15E4407E97760B79CBE0F148322FA6D13BA5DF28C68AD700

Function 00000001800080D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800080F1

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008116
messages.LIBCPMT ref: 0000000180008199
std::bad_exception::bad_exception.LIBCMT ref: 00000001800081B0
_CxxThrowException.LIBCMT ref: 00000001800081C1
std::_Facet_Register.LIBCPMT ref: 00000001800081DF

Strings

bad cast, xrefs: 00000001800081A4

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 0e8088bbc94c94de44c6ead9a77a8b98552ca770167b247603108ec63001514d
Instruction ID: 35d3f142cde19c3a048b0fcb9483086a618d1f742b40768914a1a8e34770720a
Opcode Fuzzy Hash: 0e8088bbc94c94de44c6ead9a77a8b98552ca770167b247603108ec63001514d
Instruction Fuzzy Hash: 2E314131604B4891FA93DB15E8503D973A5FB987E0F588321FAAD076E5DE38C68E9700

Function 0000000180023924 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023945

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002396A
collate.LIBCPMT ref: 00000001800239ED
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023A04
_CxxThrowException.LIBCMT ref: 0000000180023A15
std::_Facet_Register.LIBCPMT ref: 0000000180023A33

Strings

bad cast, xrefs: 00000001800239F8

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3240839640-3145022300
Opcode ID: dd54ca0da77a0209b6aeec4e3b00398d8d0106adb950ddbf77bc546178640126
Instruction ID: c2a974b2d7a60a2b086a420e70802605e61706e16da007e4f81136d50c598c2d
Opcode Fuzzy Hash: dd54ca0da77a0209b6aeec4e3b00398d8d0106adb950ddbf77bc546178640126
Instruction Fuzzy Hash: 15316F72605A4C81FAD7DB15E4413D96361F79CBE0F548226FA9D076E5DE38CA8DC700

Function 000000018000E928 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E949

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E96E
messages.LIBCPMT ref: 000000018000E9F1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EA08
_CxxThrowException.LIBCMT ref: 000000018000EA19
std::_Facet_Register.LIBCPMT ref: 000000018000EA37

Strings

bad cast, xrefs: 000000018000E9FC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: c72775a103d99b6f837bcf2226a3accdb6696da6bb77df867dd2bc43998cf69d
Instruction ID: 32bc1acb226f066091d62a6c54883872f8d60ae5ef2b5e81e47e51f18fae378c
Opcode Fuzzy Hash: c72775a103d99b6f837bcf2226a3accdb6696da6bb77df867dd2bc43998cf69d
Instruction Fuzzy Hash: 62314F32604A8881FAD6DB15E4403D97761F79DBE0F148222F66D636E5DE38C78DC700

Function 000000018000F178 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F199

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F1BE
moneypunct.LIBCPMT ref: 000000018000F241
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F258
_CxxThrowException.LIBCMT ref: 000000018000F269
std::_Facet_Register.LIBCPMT ref: 000000018000F287

Strings

bad cast, xrefs: 000000018000F24C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: db4531463fb4ed7b9e84e20dd1357846afa3d7ca33d6adf5fa5f8d6b27529a5f
Instruction ID: b0aa7ca52775649b56220f307fd84676fe4e09e30895342a551203fcddcd03a4
Opcode Fuzzy Hash: db4531463fb4ed7b9e84e20dd1357846afa3d7ca33d6adf5fa5f8d6b27529a5f
Instruction Fuzzy Hash: 67313036604A4881EAA6DB15E4503E97760F79C7E0F548322FA6D03BE9DE38C68EC700

Function 000000018000F9C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9E9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FA0E
numpunct.LIBCPMT ref: 000000018000FA91
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FAA8
_CxxThrowException.LIBCMT ref: 000000018000FAB9
std::_Facet_Register.LIBCPMT ref: 000000018000FAD7

Strings

bad cast, xrefs: 000000018000FA9C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: ee33bc0723efa5aa4c366d82e68c788871106819f50c989c870ed83f44bc0ef7
Instruction ID: 0ed4759d308908f78153d5154aa8bc73361bf9988d8352dbe00c3883d08f4416
Opcode Fuzzy Hash: ee33bc0723efa5aa4c366d82e68c788871106819f50c989c870ed83f44bc0ef7
Instruction Fuzzy Hash: 84315271704B4881EAA2DB15E4407E97760E79DBE4F148221FA6D17BE9DF38C68EC701

Function 0000000180008200 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008221

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008246
messages.LIBCPMT ref: 00000001800082C9
std::bad_exception::bad_exception.LIBCMT ref: 00000001800082E0
_CxxThrowException.LIBCMT ref: 00000001800082F1
std::_Facet_Register.LIBCPMT ref: 000000018000830F

Strings

bad cast, xrefs: 00000001800082D4

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 0d872b1ba248602230f18a3585586ef29a0b918caca146d4684eaa2802e5b407
Instruction ID: ba173e527248ad616717990ad57c3ea3ffa836c4fcce1a36eb2f310dd1d629a6
Opcode Fuzzy Hash: 0d872b1ba248602230f18a3585586ef29a0b918caca146d4684eaa2802e5b407
Instruction Fuzzy Hash: A5313E31605F4881EA92DB15E4443D977A1FB98BE0F548221FAAD176E9DF38C68ED700

Function 0000000180023A54 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023A75

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023A9A
messages.LIBCPMT ref: 0000000180023B1D
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023B34
_CxxThrowException.LIBCMT ref: 0000000180023B45
std::_Facet_Register.LIBCPMT ref: 0000000180023B63

Strings

bad cast, xrefs: 0000000180023B28

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 6042c083aaf9d19d0e0f3061719a0287c51729f22326b78e9f0788faf9e04fe2
Instruction ID: 8bbbb137a0339c4dc54c9029d106e5257286d05d285556903a5a2b1fb779c90b
Opcode Fuzzy Hash: 6042c083aaf9d19d0e0f3061719a0287c51729f22326b78e9f0788faf9e04fe2
Instruction Fuzzy Hash: 88316171604A4881EA97DB15E4513D96760F79CBE0F148322F76D136E5DF38C68DC700

Function 000000018000EA58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EA79

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EA9E
messages.LIBCPMT ref: 000000018000EB21
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EB38
_CxxThrowException.LIBCMT ref: 000000018000EB49
std::_Facet_Register.LIBCPMT ref: 000000018000EB67

Strings

bad cast, xrefs: 000000018000EB2C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 32b660dc0e0ff8b2840d4f21ec67105e4c0f753b12f06fb9ea139e048b570729
Instruction ID: 0e6cdc202ab0faf405a73aae82ebcdbb06b13299b5b79274f84cc1b9637a6d3e
Opcode Fuzzy Hash: 32b660dc0e0ff8b2840d4f21ec67105e4c0f753b12f06fb9ea139e048b570729
Instruction Fuzzy Hash: 0C315071704B8881FA96DB15E4403DA7361F79DBE0F148222BA6E176E5DF38D68DC700

Function 000000018000F2A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2C9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2EE
moneypunct.LIBCPMT ref: 000000018000F371
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F388
_CxxThrowException.LIBCMT ref: 000000018000F399
std::_Facet_Register.LIBCPMT ref: 000000018000F3B7

Strings

bad cast, xrefs: 000000018000F37C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 5c641469a2d30daa8160390feef35362dee9b3f3e43551c59d405e4c7c364bf2
Instruction ID: 85f0ddc1fb455183e8826907cb9b5ce322fb28c6acbd3a1f7897a95eead57acb
Opcode Fuzzy Hash: 5c641469a2d30daa8160390feef35362dee9b3f3e43551c59d405e4c7c364bf2
Instruction Fuzzy Hash: 89313032604A4882EAA6DB15E4503E97361E798BE0F548221FA6D437E5DF78C78E9700

Function 000000018000FAF8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB19

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB3E
numpunct.LIBCPMT ref: 000000018000FBC1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FBD8
_CxxThrowException.LIBCMT ref: 000000018000FBE9
std::_Facet_Register.LIBCPMT ref: 000000018000FC07

Strings

bad cast, xrefs: 000000018000FBCC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: ae0ea46a9ee9c3e86daeac0d3234f15b2964b553704b4edd4ab6e31ed39ad8f6
Instruction ID: 29293d91807841274312c0898b4eab7eb0361c7ebc024cff1c6093db3a856592
Opcode Fuzzy Hash: ae0ea46a9ee9c3e86daeac0d3234f15b2964b553704b4edd4ab6e31ed39ad8f6
Instruction Fuzzy Hash: 7E313071604A4881FAA7DB15E4507E97361E79CBE0F148221FA6E137E9DF38C68ED700

Function 0000000180008330 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008351

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008376
numpunct.LIBCPMT ref: 00000001800083F9
std::bad_exception::bad_exception.LIBCMT ref: 0000000180008410
_CxxThrowException.LIBCMT ref: 0000000180008421
std::_Facet_Register.LIBCPMT ref: 000000018000843F

Strings

bad cast, xrefs: 0000000180008404

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: c202a5770c39ab57ed84ceb3e68100b3a73b5e5cfc957b9efda8ad8bf9c3945a
Instruction ID: 93b7f2e2961d43802aa01675c6e34dc0c733fb271d42efec73ddf7d9136c2f33
Opcode Fuzzy Hash: c202a5770c39ab57ed84ceb3e68100b3a73b5e5cfc957b9efda8ad8bf9c3945a
Instruction Fuzzy Hash: F2314F31605A4881FA96DB15E4507DA77A1FB98BE0F148321FAAE036E5DE38C78ED700

Function 0000000180023B84 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023BA5

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023BCA
messages.LIBCPMT ref: 0000000180023C4D
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023C64
_CxxThrowException.LIBCMT ref: 0000000180023C75
std::_Facet_Register.LIBCPMT ref: 0000000180023C93

Strings

bad cast, xrefs: 0000000180023C58

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 7c5417a85a408d482a06928c82b709df55114473f0ba7bb4651cdaf59540ff60
Instruction ID: 75f7d5b72cde2ed98477708e3d1a4d82b3ea81c6c5906bfc7a9d9a34f9766923
Opcode Fuzzy Hash: 7c5417a85a408d482a06928c82b709df55114473f0ba7bb4651cdaf59540ff60
Instruction Fuzzy Hash: 0E315071604A4C81FAA7DB15E4513E96760F79CBE0F64C322BA5E176E5DE38C68EC700

Function 000000018000EB88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EBA9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EBCE
messages.LIBCPMT ref: 000000018000EC51
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EC68
_CxxThrowException.LIBCMT ref: 000000018000EC79
std::_Facet_Register.LIBCPMT ref: 000000018000EC97

Strings

bad cast, xrefs: 000000018000EC5C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 51d939a1685a2bea652c7bde2fffae8489b2ff6d25f45c1629a8571a2a082665
Instruction ID: 011b7c4e06debffad8918965d35e9ac5ee19e89f5e81af284a0d200ba2a5a2d3
Opcode Fuzzy Hash: 51d939a1685a2bea652c7bde2fffae8489b2ff6d25f45c1629a8571a2a082665
Instruction Fuzzy Hash: 96316132604A8C81FA96DB15E4407D97761F799BE0F14C222FA6E236E5DF39C68EC700

Function 000000018000F3D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F3F9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F41E
moneypunct.LIBCPMT ref: 000000018000F4A1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F4B8
_CxxThrowException.LIBCMT ref: 000000018000F4C9
std::_Facet_Register.LIBCPMT ref: 000000018000F4E7

Strings

bad cast, xrefs: 000000018000F4AC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 13f34df5b8dca6365bf56936fc197be976fcfd57eef588af3eb235ac7314212c
Instruction ID: af194abc5343017d69ccae0d00c3f84e880894c87c78bc69f84cbf70def1933b
Opcode Fuzzy Hash: 13f34df5b8dca6365bf56936fc197be976fcfd57eef588af3eb235ac7314212c
Instruction Fuzzy Hash: 45314331604A4881EAA6DB15E4503EA7760F79CBE4F548222FA6D177E5DF38C68ED700

Function 000000018000E468 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E489

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E4AE
codecvt.LIBCPMT ref: 000000018000E531
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E548
_CxxThrowException.LIBCMT ref: 000000018000E559
std::_Facet_Register.LIBCPMT ref: 000000018000E577

Strings

bad cast, xrefs: 000000018000E53C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2666907392-3145022300
Opcode ID: c388285eeef8162b9337bba61029a55adadbbccc6a3321af76d71b019ff4cab9
Instruction ID: 9f8509df617fee80e8d8dfa9a623ec6440d9e8a68142cbaf352e872acf36d8d2
Opcode Fuzzy Hash: c388285eeef8162b9337bba61029a55adadbbccc6a3321af76d71b019ff4cab9
Instruction Fuzzy Hash: 18316131604E8881EA97DB15E8403D97761E79DBE4F548222FAAD136E5DE38C68DC700

Function 0000000180023CB4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023CD5

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023CFA
messages.LIBCPMT ref: 0000000180023D7D
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023D94
_CxxThrowException.LIBCMT ref: 0000000180023DA5
std::_Facet_Register.LIBCPMT ref: 0000000180023DC3

Strings

bad cast, xrefs: 0000000180023D88

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 480e9808ded4dd9ce93b9611af4d871cbfd108c73a0c2514d78019fd0e2b9d8d
Instruction ID: d9abbdc1c59c89ecb922db9c6cf2075237f80f35d562cec5bde8faddb7bf7778
Opcode Fuzzy Hash: 480e9808ded4dd9ce93b9611af4d871cbfd108c73a0c2514d78019fd0e2b9d8d
Instruction Fuzzy Hash: A5315271604A4881EAA3DB15F4413D96761F79CBE0F548322FA6D076E9DF38C68DC700

Function 000000018000ECB8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000ECD9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000ECFE
messages.LIBCPMT ref: 000000018000ED81
std::bad_exception::bad_exception.LIBCMT ref: 000000018000ED98
_CxxThrowException.LIBCMT ref: 000000018000EDA9
std::_Facet_Register.LIBCPMT ref: 000000018000EDC7

Strings

bad cast, xrefs: 000000018000ED8C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: cc7960cd80689731206c88487c0de69d9e60d2192e2557925d807d75d2f5c5e1
Instruction ID: 7e9a7ef3db8d0513497969ea559276415be1bfe1d386d7b59b03975b12a9fb17
Opcode Fuzzy Hash: cc7960cd80689731206c88487c0de69d9e60d2192e2557925d807d75d2f5c5e1
Instruction Fuzzy Hash: 7D316F32604A8882EA96DB15E8503D97761F798BE0F64C322FA6D176E5DF38C68DC700

Function 000000018000F508 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F529

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F54E
messages.LIBCPMT ref: 000000018000F5D1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F5E8
_CxxThrowException.LIBCMT ref: 000000018000F5F9
std::_Facet_Register.LIBCPMT ref: 000000018000F617

Strings

bad cast, xrefs: 000000018000F5DC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 3587b487d705abe092835c4f5a3cb7e3f979531b66054bbeb9aa7d553986a25e
Instruction ID: 6d09809d2825c675cc3354ec29be6d882d9351c6da2981936af5edb680e291e5
Opcode Fuzzy Hash: 3587b487d705abe092835c4f5a3cb7e3f979531b66054bbeb9aa7d553986a25e
Instruction Fuzzy Hash: 7A316132604B4881EAA6DB15E8403E97760F79CBE0F548222FA5D037E9DF39C68ED700

Function 000000018000E598 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E5B9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E5DE
collate.LIBCPMT ref: 000000018000E661
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E678
_CxxThrowException.LIBCMT ref: 000000018000E689
std::_Facet_Register.LIBCPMT ref: 000000018000E6A7

Strings

bad cast, xrefs: 000000018000E66C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3240839640-3145022300
Opcode ID: eda171fb9a849b4f616c3e08da64b58d4c66e3ddf2523fe25397e19311bc49a1
Instruction ID: 71537928979aec7902da3243a871980667c4c30672dd1b9dca4b0184ee6d3b67
Opcode Fuzzy Hash: eda171fb9a849b4f616c3e08da64b58d4c66e3ddf2523fe25397e19311bc49a1
Instruction Fuzzy Hash: 36313E72605A8881FA96DB15E4403D97361F7A9BE0F188222FA6D636E5DF39C68D8700

Function 0000000180023DE4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E05

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E2A
moneypunct.LIBCPMT ref: 0000000180023EAD
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023EC4
_CxxThrowException.LIBCMT ref: 0000000180023ED5
std::_Facet_Register.LIBCPMT ref: 0000000180023EF3

Strings

bad cast, xrefs: 0000000180023EB8

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 6d32b28b6ca3663ff3abfb41e9471f4c917f2c1054da530c376a0520937a3486
Instruction ID: b60f097be7739bb6dc934a6eb27d4ad299f47afb1e08747a93c7bf12596e6123
Opcode Fuzzy Hash: 6d32b28b6ca3663ff3abfb41e9471f4c917f2c1054da530c376a0520937a3486
Instruction Fuzzy Hash: 7F316C72604A4981EE93DB19E4513D96760F79CBE0F158322BA6E076E5DF38CA8EC700

Function 000000018000EDE8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EE09

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EE2E
messages.LIBCPMT ref: 000000018000EEB1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EEC8
_CxxThrowException.LIBCMT ref: 000000018000EED9
std::_Facet_Register.LIBCPMT ref: 000000018000EEF7

Strings

bad cast, xrefs: 000000018000EEBC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 9a938acf533d3934332a6247e24f5e54ece76f8414f260b4929eae246823290b
Instruction ID: 114c17726efd3ac1399dd98c0993eddc8de426ae5a52da213f0347ec5244437b
Opcode Fuzzy Hash: 9a938acf533d3934332a6247e24f5e54ece76f8414f260b4929eae246823290b
Instruction Fuzzy Hash: 55314132604B8C81EA96DB15E8403D97761F79DBE0F14C222F66D236E6DE38CA8DC700

Function 000000018000F638 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F659

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F67E
messages.LIBCPMT ref: 000000018000F701
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F718
_CxxThrowException.LIBCMT ref: 000000018000F729
std::_Facet_Register.LIBCPMT ref: 000000018000F747

Strings

bad cast, xrefs: 000000018000F70C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 96317be4258d393e0a29fd177015503871ef1b8472f330f26a4596696f7ded08
Instruction ID: d5a0afbf97bf32ff6c3350b5f01d45652f3842558bd94ec47325ba3e195b39a4
Opcode Fuzzy Hash: 96317be4258d393e0a29fd177015503871ef1b8472f330f26a4596696f7ded08
Instruction Fuzzy Hash: E0314132604A4C91EAA7DB15E4503E97760F7987E0F148222F6AD13BE9DF39C68DC700

Function 0000000180007E70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007E91

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007EB6
messages.LIBCPMT ref: 0000000180007F39
std::bad_exception::bad_exception.LIBCMT ref: 0000000180007F50
_CxxThrowException.LIBCMT ref: 0000000180007F61
std::_Facet_Register.LIBCPMT ref: 0000000180007F7F

Strings

bad cast, xrefs: 0000000180007F44

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: e5bc7bed0252b8b1eac2afdacdede538a10b35561d0a981faa6039916fcc0b90
Instruction ID: fcae424b2c24524ac6a2dc0f7b7d658d6964671266eecf1fc0c25137e3d741c2
Opcode Fuzzy Hash: e5bc7bed0252b8b1eac2afdacdede538a10b35561d0a981faa6039916fcc0b90
Instruction Fuzzy Hash: 77313E31704B4981EA93DB15E4407E97361E7AC7E0F18C321FA6D176E6DE38CA8E8700

Function 000000018000E6C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E6E9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E70E
collate.LIBCPMT ref: 000000018000E791
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E7A8
_CxxThrowException.LIBCMT ref: 000000018000E7B9
std::_Facet_Register.LIBCPMT ref: 000000018000E7D7

Strings

bad cast, xrefs: 000000018000E79C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3240839640-3145022300
Opcode ID: 82d6dfd595e0919862318aaa4c0101f1d4fe4afb7754d539f957bde6888f6d2a
Instruction ID: f8ae8055f2c2bb27548f621051a3e9b0c7ecbe39d78b1a5e4a20972fbb614263
Opcode Fuzzy Hash: 82d6dfd595e0919862318aaa4c0101f1d4fe4afb7754d539f957bde6888f6d2a
Instruction Fuzzy Hash: 14313272608A8881FA96DB25E8403D97761F79DBE0F548322F66D176E5DF38C68EC700

Function 0000000180023F14 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023F35

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023F5A
moneypunct.LIBCPMT ref: 0000000180023FDD
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023FF4
_CxxThrowException.LIBCMT ref: 0000000180024005
std::_Facet_Register.LIBCPMT ref: 0000000180024023

Strings

bad cast, xrefs: 0000000180023FE8

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 468e8583f91d548cbd29b93b68de9fe69da34fbf07c94fac8ff66319a34d3499
Instruction ID: 86d7a962d46641e92d15d66fca1501ef3728ada81f482cdfd9b3151a9865967a
Opcode Fuzzy Hash: 468e8583f91d548cbd29b93b68de9fe69da34fbf07c94fac8ff66319a34d3499
Instruction Fuzzy Hash: 7F316F72A04A4C81FAD7DB15E5413D96361F79CBE0F148222FA5D076E5DE38C68DC700

Function 000000018000EF18 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EF39

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EF5E
messages.LIBCPMT ref: 000000018000EFE1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EFF8
_CxxThrowException.LIBCMT ref: 000000018000F009
std::_Facet_Register.LIBCPMT ref: 000000018000F027

Strings

bad cast, xrefs: 000000018000EFEC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: a97d4a0103f654b4b20c800e4f62322db3453708dd72828d55e479ce89410c5e
Instruction ID: f3f19d9c217fac931ce927225a4939fad5f6d9221ff3f3f816bb9e389d9f9663
Opcode Fuzzy Hash: a97d4a0103f654b4b20c800e4f62322db3453708dd72828d55e479ce89410c5e
Instruction Fuzzy Hash: 7C316171604B4D81FA96DB15E4403E97761E79CBE0F64C222BA6E177E6DE38CA8DC700

Function 000000018000F768 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F789

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F7AE
messages.LIBCPMT ref: 000000018000F831
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F848
_CxxThrowException.LIBCMT ref: 000000018000F859
std::_Facet_Register.LIBCPMT ref: 000000018000F877

Strings

bad cast, xrefs: 000000018000F83C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 8e5fefe93561a59ad46ce85a37caf660d85c16939c4905db0fbb578ad49114bb
Instruction ID: 96f0fb2c830b6a1955649fbd0b773edd4971c9b10982643f56ec6eb2397e4fe1
Opcode Fuzzy Hash: 8e5fefe93561a59ad46ce85a37caf660d85c16939c4905db0fbb578ad49114bb
Instruction Fuzzy Hash: A5313F32604B4881EAA6DB15E4403E97760F798BE4F64C322BA5D037E9DF38C68ED700

Function 0000000180007FA0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007FC1

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007FE6
ctype.LIBCPMT ref: 0000000180008069
std::bad_exception::bad_exception.LIBCMT ref: 0000000180008080
_CxxThrowException.LIBCMT ref: 0000000180008091
std::_Facet_Register.LIBCPMT ref: 00000001800080AF

Strings

bad cast, xrefs: 0000000180008074

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3320480354-3145022300
Opcode ID: 917c673cf237d7768db5174921dcc6ae41103a5902e4674f2ebf9e3ddd9a3165
Instruction ID: 2949d1dbb2558bb8b0e553727a052f62747b73423eec58154c0806c570db14de
Opcode Fuzzy Hash: 917c673cf237d7768db5174921dcc6ae41103a5902e4674f2ebf9e3ddd9a3165
Instruction Fuzzy Hash: 70311D31604A4C81EA97DB15E8513D977A1FB98BE0F148322FAAD076E5DF39C68E9700

Function 0000000180006940 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006961

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006986
std::bad_exception::bad_exception.LIBCMT ref: 0000000180006A21
_CxxThrowException.LIBCMT ref: 0000000180006A32
std::_Facet_Register.LIBCPMT ref: 0000000180006A50

Strings

ios_base::badbit set, xrefs: 0000000180006940
bad cast, xrefs: 0000000180006A15

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast$ios_base::badbit set
API String ID: 1776536810-182444483
Opcode ID: 1f1de01e030e88115448670c1250ec0f749da08e23ff95ccc15e6e7bba8c242b
Instruction ID: 3155b743d34470ed5679d7b64c3638ca01dfa7372a6c5b669332cd991d85d7a9
Opcode Fuzzy Hash: 1f1de01e030e88115448670c1250ec0f749da08e23ff95ccc15e6e7bba8c242b
Instruction Fuzzy Hash: FD315D35600B4881EA97DB15E5403D97361E798BE0F58D222FA6E177F9DE38C68EC701

Function 000000018003BAE0 Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000000018003BB09

Part of subcall function 0000000180031B68: malloc.LIBCMT ref: 0000000180031B93
Part of subcall function 0000000180031B68: Sleep.KERNEL32(?,?,00000000,00000001800302E4,?,?,00000000,00000001800301E3,?,?,00000000,0000000180038B02,?,?,00000000,0000000180038A6E), ref: 0000000180031BA6

free.LIBCMT ref: 000000018003BC0A
free.LIBCMT ref: 000000018003BC26

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: 3fbd0b3e35addabc098f64ab091990d7b6a2871f8ac9e4cce4e35d3e8861d74a
Instruction ID: fc16e1660138297f9bb3e8678e6c16cd315b57137c63fc5872edf9e7c8194a9d
Opcode Fuzzy Hash: 3fbd0b3e35addabc098f64ab091990d7b6a2871f8ac9e4cce4e35d3e8861d74a
Instruction Fuzzy Hash: 30619F32301B4892EBA3DB16E94139A73A0F78CBD8F058125AF4D47B51DF78C66AC740

Function 0000000180005730 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0000000180005A4B
_CxxThrowException.LIBCMT ref: 0000000180005A66
std::exception::exception.LIBCMT ref: 0000000180005AC9
_CxxThrowException.LIBCMT ref: 0000000180005AE4

Part of subcall function 0000000180006440: std::_Xbad_alloc.LIBCPMT ref: 00000001800064CD

Strings

bad conversion, xrefs: 0000000180005A36, 0000000180005AB4
string too long, xrefs: 00000001800059B0, 00000001800059BD, 00000001800059D4, 00000001800059E1

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception$Xbad_allocstd::_
String ID: bad conversion$string too long
API String ID: 1519488521-500853860
Opcode ID: bf6df7041d4449f49d10bdcf2d7bbb40e5c4d876ee2b76c3840bffa6f91f8fdb
Instruction ID: fad14312ad47d1d51249c0a7a389eb41bb91f270e5ec6e02dd255712d111446d
Opcode Fuzzy Hash: bf6df7041d4449f49d10bdcf2d7bbb40e5c4d876ee2b76c3840bffa6f91f8fdb
Instruction Fuzzy Hash: D4D17B32704B88C9FB42CBA4E4503ED37B5F7497A8F948626EAA917AD5DF34C649C340

Function 0000000180044B68 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180044B93
_errno.LIBCMT ref: 0000000180044B88

Part of subcall function 000000018002F2DC: _getptd_noexit.LIBCMT ref: 000000018002F2E0

_errno.LIBCMT ref: 0000000180044C36
_invalid_parameter_noinfo.LIBCMT ref: 0000000180044C41

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 7b47a042eea3f3de49294c888d2e7f7195dfd9dc128bccc2e4caf73cebc8c57f
Instruction ID: f2ef72c2d081a62da6ba206108f7190fcdc76fe894ca0d405d2fc84784ff5a10
Opcode Fuzzy Hash: 7b47a042eea3f3de49294c888d2e7f7195dfd9dc128bccc2e4caf73cebc8c57f
Instruction Fuzzy Hash: 50411677A01A9D81EBE69B1191C03F972A0F7487DDF9AC116FA845B6C4DF38C7498308

Function 00007FF8A7A744E0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 119registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8A7A744C5), ref: 00007FF8A7A7451F

Part of subcall function 00007FF8A7A861F0: RegQueryValueExW.ADVAPI32 ref: 00007FF8A7A8621E

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8A7A744C5), ref: 00007FF8A7A74672

Strings

rcMonitorX, xrefs: 00007FF8A7A745CC
R%d, xrefs: 00007FF8A7A74562, 00007FF8A7A74602
rcMonitorY, xrefs: 00007FF8A7A745E2
GridCount, xrefs: 00007FF8A7A74532

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: GridCount$R%d$rcMonitorX$rcMonitorY
API String ID: 3677997916-3195266059
Opcode ID: d4954fe01bd13cc0e09b9bb97f1a492d31920e10008184fdca9963bf8f21c4a9
Instruction ID: 48ebe890409910e37052cb512d6e5b96d43919d0f62fcfec8cf65c0ac5023f9d
Opcode Fuzzy Hash: d4954fe01bd13cc0e09b9bb97f1a492d31920e10008184fdca9963bf8f21c4a9
Instruction Fuzzy Hash: 0B51C572A1E691B6EA508F15F45127EB7A0FB88BC0F405136EA8E87B56EF3CE011D740

Function 000000018003E554 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018003E57A
_errno.LIBCMT ref: 000000018003E56F

Part of subcall function 000000018002F2DC: _getptd_noexit.LIBCMT ref: 000000018002F2E0

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000000018003E5F9
_errno.LIBCMT ref: 000000018003E60A
_invalid_parameter_noinfo.LIBCMT ref: 000000018003E615

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 1996f2f9ceac77ac49b72366ba56ab82fbc49c57b1b3130c14664040d3ec86e6
Instruction ID: 8ce04cb9124dd54c6d4ddcc2c6da84841e497bcc28cebf8c8d46b4611f73f4df
Opcode Fuzzy Hash: 1996f2f9ceac77ac49b72366ba56ab82fbc49c57b1b3130c14664040d3ec86e6
Instruction Fuzzy Hash: 28415B72A106E881EBE3AB1180513FE33E0E359BE4F96C225B794076C5EF28CB59C700

Function 0000000180024044 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180024065

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002408A
std::bad_exception::bad_exception.LIBCMT ref: 0000000180024124
_CxxThrowException.LIBCMT ref: 0000000180024135
std::_Facet_Register.LIBCPMT ref: 0000000180024153

Strings

bad cast, xrefs: 0000000180024118

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: ab939dc476349fa0fdaab308a684cfe4368de580aaf06aec8b938b68da6e425a
Instruction ID: e37e8b3caca8d6a150532a67f206124a5a8e0b77ae31ba5b87879bce6c6f3b3a
Opcode Fuzzy Hash: ab939dc476349fa0fdaab308a684cfe4368de580aaf06aec8b938b68da6e425a
Instruction Fuzzy Hash: E5314172604A4981EA97DB15E4907D97760E79CBE0F548222BA6D0B7E9DE38C6CDC700

Function 0000000180024174 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180024195

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800241BA
std::bad_exception::bad_exception.LIBCMT ref: 0000000180024254
_CxxThrowException.LIBCMT ref: 0000000180024265
std::_Facet_Register.LIBCPMT ref: 0000000180024283

Strings

bad cast, xrefs: 0000000180024248

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 10cc8910cc85584bd4a3460428c8224b28d9867b334426348c47967f8e79c69e
Instruction ID: 5280669f5cee9c1c10b6307b5616e8497b2b20f45e6c0148fb90ff969be6db11
Opcode Fuzzy Hash: 10cc8910cc85584bd4a3460428c8224b28d9867b334426348c47967f8e79c69e
Instruction Fuzzy Hash: AD315432604A4881EA97DB15E4403D96761F7987E0F549322FA5E576E5DF38CA8DC700

Function 000000018000FC28 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FC49

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FC6E
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FD08
_CxxThrowException.LIBCMT ref: 000000018000FD19
std::_Facet_Register.LIBCPMT ref: 000000018000FD37

Strings

bad cast, xrefs: 000000018000FCFC

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 62fdf57a96092745c62a34c7ea652cdc8cbd8a8d616748e806eab291326f5f4d
Instruction ID: 651fb656c3f290362de763b1ee359234d87ce794770dba1f6b2753c03b7c62f2
Opcode Fuzzy Hash: 62fdf57a96092745c62a34c7ea652cdc8cbd8a8d616748e806eab291326f5f4d
Instruction Fuzzy Hash: 3F315232604A4D81FAA6DB15E5417E97361F7987E0F148222BA6D077E5DF38CA8EC700

Function 000000018000FD58 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FD79

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FD9E
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FE38
_CxxThrowException.LIBCMT ref: 000000018000FE49
std::_Facet_Register.LIBCPMT ref: 000000018000FE67

Strings

bad cast, xrefs: 000000018000FE2C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: e9c222ff3a7390eeb7995fd0964985c14573391c4c93fb8924965464058be729
Instruction ID: 6ee744d50b30d82c78f3f63e2e17a70b14ef85af489d316716f56745e473c8ac
Opcode Fuzzy Hash: e9c222ff3a7390eeb7995fd0964985c14573391c4c93fb8924965464058be729
Instruction Fuzzy Hash: 50315232604A4C85EAA2DB15E8403E97761F79CBE0F548222F65D077E6DF38C68DC700

Function 000000018000FE88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FEA9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FECE
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FF68
_CxxThrowException.LIBCMT ref: 000000018000FF79
std::_Facet_Register.LIBCPMT ref: 000000018000FF97

Strings

bad cast, xrefs: 000000018000FF5C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 7ebc46492d4dac5414eace0dc4bc23cdeb242ea3acaa4deefd90ef76b8116496
Instruction ID: ec51a6cea0b166713f805a236551c1283cd08e0c28255429b56f9ce5f8cbadc2
Opcode Fuzzy Hash: 7ebc46492d4dac5414eace0dc4bc23cdeb242ea3acaa4deefd90ef76b8116496
Instruction Fuzzy Hash: 76316132604B4981EAA6DB15E4407E97760F799BE4F648231F66D077E5DE38C78EC700

Function 000000018000FFB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FFD9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FFFE
std::bad_exception::bad_exception.LIBCMT ref: 0000000180010098
_CxxThrowException.LIBCMT ref: 00000001800100A9
std::_Facet_Register.LIBCPMT ref: 00000001800100C7

Strings

bad cast, xrefs: 000000018001008C

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 9261657b17084aba6423a854777eb8a9a4c09b6e3969408025c508acd221764b
Instruction ID: ba7f2a953198e62413a15f720fea67b0a98ff4fd57fa2979048f6802ea0a1aa0
Opcode Fuzzy Hash: 9261657b17084aba6423a854777eb8a9a4c09b6e3969408025c508acd221764b
Instruction Fuzzy Hash: 0D313031604E4882FB97DB15E8403D96361F79CBE0F288322B69D176E5DE79DA8EC700

Function 00007FF8A7A94530 Relevance: 10.6, APIs: 7, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A94570
RegQueryValueExW.ADVAPI32 ref: 00007FF8A7A945AE
RegCloseKey.ADVAPI32 ref: 00007FF8A7A945D0
RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A945FE
RegOpenCurrentUser.ADVAPI32 ref: 00007FF8A7A94658
RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A9467A
RegCloseKey.ADVAPI32 ref: 00007FF8A7A94687

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Open$Close$CurrentQueryUserValue
String ID:
API String ID: 384383028-0
Opcode ID: 604bbfb0ae1169e5cea77c79d2654ac51a876ae21c04f2b2698c331749a0c9d9
Instruction ID: 5f718d7388a56574beab7db0557f429031fcc63fbc9cff0ecc431807e3b88925
Opcode Fuzzy Hash: 604bbfb0ae1169e5cea77c79d2654ac51a876ae21c04f2b2698c331749a0c9d9
Instruction Fuzzy Hash: E1318BB261AB81A2EB508F16F44472EB7A0FB887D4F444132EA8E43B68DF7CD055DB00

Function 0000000180007180 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800071A1

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800071C6
std::bad_exception::bad_exception.LIBCMT ref: 0000000180007261
_CxxThrowException.LIBCMT ref: 0000000180007272
std::_Facet_Register.LIBCPMT ref: 0000000180007290

Strings

bad cast, xrefs: 0000000180007255

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 0ac0953fd19857d648c264f06a73748a9098f24d820f7a16771c37c3a699e4c5
Instruction ID: 5c309b77fee12f51d110db927d2fe456d8342975b36495e84ceae0cc68268f47
Opcode Fuzzy Hash: 0ac0953fd19857d648c264f06a73748a9098f24d820f7a16771c37c3a699e4c5
Instruction Fuzzy Hash: 33315031700A4881FA96DB15E4407D97761E7A8BE0F58C321FA6D036E6DE38C68EC740

Function 000000018004772C Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180047760

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_errno.LIBCMT ref: 000000018004777B
_invalid_parameter_noinfo.LIBCMT ref: 0000000180047786

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: ec2a6dd435b50d5e993b3328a406cbf0fc12b9938289ae1a38fd3c4af6446b14
Instruction ID: 4b6da2c887b896db48c8bf2af78125f2489fc4292198535c1cc227c838a58a5b
Opcode Fuzzy Hash: ec2a6dd435b50d5e993b3328a406cbf0fc12b9938289ae1a38fd3c4af6446b14
Instruction Fuzzy Hash: 2B31CC72704B888AE6A39B5190847EDB7A4F348BE4F668125FE5803B96CF74CA49C704

Function 00000001800023F0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0000000180002442
_CxxThrowException.LIBCMT ref: 000000018000247E
_CxxThrowException.LIBCMT ref: 00000001800024A6
_CxxThrowException.LIBCMT ref: 00000001800024CE

Strings

ios_base::eofbit set, xrefs: 00000001800024AC
ios_base::badbit set, xrefs: 000000018000244F
ios_base::failbit set, xrefs: 0000000180002484

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: c4755da1f0456530d0fa2dca688d121101a445544884d577615891b101f1b86f
Instruction ID: a05f63984e831ba9eb21b9b46173f67e56e275c27f518e2d554fe2b11f73e329
Opcode Fuzzy Hash: c4755da1f0456530d0fa2dca688d121101a445544884d577615891b101f1b86f
Instruction Fuzzy Hash: 80215E71A11B5D99FB92DB64E8813EC3374B718388F908126F94922A69EF35C74EC340

Function 0000000180001180 Relevance: 10.5, APIs: 7, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000000018000118D

Part of subcall function 00000001800077C8: setlocale.LIBCMT ref: 00000001800077E2

free.LIBCMT ref: 000000018000119B

Part of subcall function 000000018002D5F4: HeapFree.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D60A
Part of subcall function 000000018002D5F4: _errno.LIBCMT ref: 000000018002D614
Part of subcall function 000000018002D5F4: GetLastError.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D61C

free.LIBCMT ref: 00000001800011AF
free.LIBCMT ref: 00000001800011C1
free.LIBCMT ref: 00000001800011D3
free.LIBCMT ref: 00000001800011E5
free.LIBCMT ref: 00000001800011F7

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_errnosetlocalestd::_
String ID:
API String ID: 1855319098-0
Opcode ID: 2f9469f7e86d9ed662453ed7390a40d8cb98c28b94d45fdd9a0046f49d435607
Instruction ID: b48272a0fe48caf80c68cbfff6fe37b1983f1ac57bfd09bfec3c9c3905106cea
Opcode Fuzzy Hash: 2f9469f7e86d9ed662453ed7390a40d8cb98c28b94d45fdd9a0046f49d435607
Instruction Fuzzy Hash: 85010831202A9888EF9FDF65D5917EC73A4EF59FC8F188116BA4906A86CE64CD94C740

Function 00000001800312AC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800312CD
_getptd.LIBCMT ref: 00000001800312DB
_getptd.LIBCMT ref: 00000001800312ED

Strings

RCC, xrefs: 00000001800312B3
csm, xrefs: 00000001800312C3
MOC, xrefs: 00000001800312BB

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 79c6bdfdf6facc246eee842b2de7a644aa034f1ac0e2309a20206dc5bd345c8d
Instruction ID: cee1693f68b0781dadb7962070319637af549046bf3e62ebc375f9a8a227fa41
Opcode Fuzzy Hash: 79c6bdfdf6facc246eee842b2de7a644aa034f1ac0e2309a20206dc5bd345c8d
Instruction Fuzzy Hash: 6DF0303550814CCAE6DB2B5484053FF2790EB9DB87F8BC1A2A30082382CFBC47989B57

Function 0000000180006DB0 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 263COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00000001800070C2
_CxxThrowException.LIBCMT ref: 00000001800070FB
_CxxThrowException.LIBCMT ref: 0000000180007133

Part of subcall function 0000000180006940: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006961
Part of subcall function 0000000180006940: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006986

Strings

ios_base::eofbit set, xrefs: 0000000180007101
ios_base::badbit set, xrefs: 0000000180007094
ios_base::failbit set, xrefs: 00000001800070D2

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$LockitLockit::_std::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1691487403-1866435925
Opcode ID: 0db30ec67b73ccdcabdd15c275040f157008ca9554cbf0563cdfb27b905dc0a0
Instruction ID: 767f78a192eeebaa216b8aed547a68a7fb289aba9e2ffc4a09429269e94dafed
Opcode Fuzzy Hash: 0db30ec67b73ccdcabdd15c275040f157008ca9554cbf0563cdfb27b905dc0a0
Instruction Fuzzy Hash: 22C17372600B49C5EBA6CF19E0903A9B7A1F788BD4F50C522EB4D437A5DF7AC64AC740

Function 0000000180006A80 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0000000180006CF2
_CxxThrowException.LIBCMT ref: 0000000180006D2B
_CxxThrowException.LIBCMT ref: 0000000180006D63

Strings

ios_base::eofbit set, xrefs: 0000000180006D31
ios_base::badbit set, xrefs: 0000000180006CC4
ios_base::failbit set, xrefs: 0000000180006D02

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 8d1da8b0088b82ce8472ecfb309f3f6d6294f4c20df7e85d44d77dd3078eb974
Instruction ID: a8b4bdf90a1f4ad9093596da8dc1c2238f82fb5394a2230a05445288838e8596
Opcode Fuzzy Hash: 8d1da8b0088b82ce8472ecfb309f3f6d6294f4c20df7e85d44d77dd3078eb974
Instruction Fuzzy Hash: B2A15672605B4885EBA6CF19D0903AD77A1F788BC4F50C512EA8E437B5DF3AC68AC700

Function 000000018000702A Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00000001800070C2
_CxxThrowException.LIBCMT ref: 00000001800070FB
_CxxThrowException.LIBCMT ref: 0000000180007133

Strings

ios_base::eofbit set, xrefs: 0000000180007101
ios_base::badbit set, xrefs: 0000000180007094
ios_base::failbit set, xrefs: 00000001800070D2

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 13b14e47e50a117b45a7778c449b81f96b46451b12d824cac215d1e20a6c26ef
Instruction ID: 749b6e3399a9a358d8b44ea8bf4972b4671ad478281f1e69b97e26da144d3d08
Opcode Fuzzy Hash: 13b14e47e50a117b45a7778c449b81f96b46451b12d824cac215d1e20a6c26ef
Instruction Fuzzy Hash: DF316472604A4891EAA2DB08E4913D973A0F79C7C4F508522F68D53AA6DF3DC74EC740

Function 0000000180006C5A Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0000000180006CF2
_CxxThrowException.LIBCMT ref: 0000000180006D2B
_CxxThrowException.LIBCMT ref: 0000000180006D63

Strings

ios_base::eofbit set, xrefs: 0000000180006D31
ios_base::badbit set, xrefs: 0000000180006CC4
ios_base::failbit set, xrefs: 0000000180006D02

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 9c7b1aa60feacb23789e46315638fef29d19575f7816bd3068f614c3fe862f5d
Instruction ID: c8b34f633450288d0747754450d333132d257ba904ae0c0c3cccce57b6605a3c
Opcode Fuzzy Hash: 9c7b1aa60feacb23789e46315638fef29d19575f7816bd3068f614c3fe862f5d
Instruction Fuzzy Hash: EE316172615B8891EAA2CB14E4913D973A1F78C7C4F908522FA8D53B65DF39C74EC740

Function 00007FF8A7A7E590 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 218COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8A7A7E88C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8A7A7E892
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8A7A7E898

Strings

false, xrefs: 00007FF8A7A7E66E
true, xrefs: 00007FF8A7A7E72A

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 14bcb6fc04d6207312ac0b71193f476d97310ba2fc694dbaca6b0e73206cd48f
Instruction ID: 22cfc734f4c0f6df97a93cc97bee08810e4e8617cc7748fb1481e5504bbb75ee
Opcode Fuzzy Hash: 14bcb6fc04d6207312ac0b71193f476d97310ba2fc694dbaca6b0e73206cd48f
Instruction Fuzzy Hash: C9919D22B1AB86AAE710DF61D4412AD33B5FB48788F454235DE4C97B89EF38E516D340

Function 0000000180003E60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

fgetwc.LIBCMT ref: 0000000180003F1F

Strings

string too long, xrefs: 00000001800040FE, 000000018000410B

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: fgetwc
String ID: string too long
API String ID: 2948136663-2556327735
Opcode ID: 2c54e6a053e8696a3d6b4ce687133d9b1274fd72c1f8f27c02397be768dd15f8
Instruction ID: e9e8eae9dbfed57877077c82a3db96da082da43fa004c8d24fdad90a2db03b72
Opcode Fuzzy Hash: 2c54e6a053e8696a3d6b4ce687133d9b1274fd72c1f8f27c02397be768dd15f8
Instruction Fuzzy Hash: 00912873700A89D9EB62CF25C4903EC33A5F758798F918622EB1D47A99DF35CA68C314

Function 00007FF8A7A948B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 176registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A94928
RegEnumValueW.ADVAPI32 ref: 00007FF8A7A94962
RegQueryValueExW.ADVAPI32 ref: 00007FF8A7A949C1
RegCloseKey.ADVAPI32 ref: 00007FF8A7A94ADA

Strings

Disable_, xrefs: 00007FF8A7A949E5

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Value$CloseEnumOpenQuery
String ID: Disable_
API String ID: 2924656870-3431196049
Opcode ID: 909549ab4e45b6006d3222f2beee845314a71683d74e0daf326a2a6027938a8b
Instruction ID: ae895ca0f8def84c450f0b6528dc724e6e07bb91ee42051cbbe7b3d7422bf62c
Opcode Fuzzy Hash: 909549ab4e45b6006d3222f2beee845314a71683d74e0daf326a2a6027938a8b
Instruction Fuzzy Hash: D9717D36A0AB81AAE7109F25E4412AFB7B4FB84788F104035EB8D43B54EF7CE555DB44

Function 0000000180034034 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180034066

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 00000001800340B1
_invoke_watson.LIBCMT ref: 0000000180034199

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 00000001800341AE

Strings

:, xrefs: 00000001800340CF

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID: :
API String ID: 1584724053-336475711
Opcode ID: 604a302fabdb042f4ebc9b27cedb385bdeaebfe8a2c90ea295b00d5b5a1e0000
Instruction ID: 6d0e94c2461dd84b0edd1b1838a9f5cfcbcc86ad0ff0a6976e9d1f2ec4836e13
Opcode Fuzzy Hash: 604a302fabdb042f4ebc9b27cedb385bdeaebfe8a2c90ea295b00d5b5a1e0000
Instruction Fuzzy Hash: 5C41D032320B4881EB46DF26A8053DE63A5FB88BC4F4AD025EF5D4B785DE38D616C304

Function 0000000180033EB4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 0000000180033F31
_invoke_watson.LIBCMT ref: 0000000180034019

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 000000018003402E
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180033EE6

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

Strings

:, xrefs: 0000000180033F4F

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID: :
API String ID: 1584724053-336475711
Opcode ID: f6eab2cf8d0451a383fcd1094c8bc586515c01fa06371aa533fca521f759249e
Instruction ID: 3ed635f29bcd3bbc21113fbea3335e451753d90b531e1a175994c922d52f3f57
Opcode Fuzzy Hash: f6eab2cf8d0451a383fcd1094c8bc586515c01fa06371aa533fca521f759249e
Instruction Fuzzy Hash: 8441E03232074881EB46EF26A4453DE63A5FB49BC4F4AD025EF5D47785DE38D61AC304

Function 00000001800311AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0000000180031203
_getptd.LIBCMT ref: 00000001800311B7

Part of subcall function 00000001800389F4: _getptd_noexit.LIBCMT ref: 00000001800389FA
Part of subcall function 00000001800389F4: _amsg_exit.LIBCMT ref: 0000000180038A0A

_getptd.LIBCMT ref: 0000000180031269
_getptd.LIBCMT ref: 0000000180031275

Strings

csm, xrefs: 0000000180031237

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit_getptd_noexit
String ID: csm
API String ID: 2951875022-1018135373
Opcode ID: 19bc60ab7c8d46f879a577fdbd2134b4bea23403eb8b854014e227e093e25ad5
Instruction ID: cbf58d6bb5dae3ded25f47af1c64b690f48564a0522dc2334fd63855ea109656
Opcode Fuzzy Hash: 19bc60ab7c8d46f879a577fdbd2134b4bea23403eb8b854014e227e093e25ad5
Instruction Fuzzy Hash: D52101362046888AE6B2DF56E0407EFB760F78DBA5F058216EF9943795CF38D689C701

Function 00007FF8A7A706B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32 ref: 00007FF8A7A7070C
CloseHandle.KERNEL32 ref: 00007FF8A7A7071A

Strings

*P, xrefs: 00007FF8A7A706E2
nView Shared Memory, xrefs: 00007FF8A7A706DB
%s %d, xrefs: 00007FF8A7A706EA

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: CloseFileHandleMappingOpen
String ID: %s %d$*P$nView Shared Memory
API String ID: 890169576-673546495
Opcode ID: 6687ec36b3b96fc96f6e99804bb1c58a7ae370612d08be84a3efe426ee0ca8dc
Instruction ID: 61954a6c133effaa4a9cd043e08b05cef3aaed6a23f8611a34e7bc60e908715d
Opcode Fuzzy Hash: 6687ec36b3b96fc96f6e99804bb1c58a7ae370612d08be84a3efe426ee0ca8dc
Instruction Fuzzy Hash: 6D018475B1AA81B1FB60EF50E45A3BE6350FFC8785FC04032D65D42755EE3CE106AA00

Function 0000000180038C3C Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180038C9E
_isleadbyte_l.LIBCMT ref: 0000000180038CCE
MultiByteToWideChar.KERNEL32 ref: 0000000180038D0D
MultiByteToWideChar.KERNEL32 ref: 0000000180038D5B
_errno.LIBCMT ref: 0000000180038D65

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: ce750271998e25300b2e646f02fc7aaebec70d68116cdf7c58e233941e4e38ee
Instruction ID: 54a50374dbd1f0619f5f0edc3d7c0374764c2683045a736cdbb11a7d2bf11c8c
Opcode Fuzzy Hash: ce750271998e25300b2e646f02fc7aaebec70d68116cdf7c58e233941e4e38ee
Instruction Fuzzy Hash: D841E53221578486E7A38F15E1403AAB7A1FF99FC0F199165FB8857BD9CF38C6458700

Function 00007FF8A7A86630 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF8A7A7064B), ref: 00007FF8A7A86666
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,?,00000000,?,00000000,00007FF8A7A7064B), ref: 00007FF8A7A8668F
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF8A7A7064B), ref: 00007FF8A7A86697
SetSecurityInfo.ADVAPI32(?,?,?,?,?,?,00000000,?,00000000,00007FF8A7A7064B), ref: 00007FF8A7A866C4
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00007FF8A7A7064B), ref: 00007FF8A7A866D1

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: ErrorLastSecurity$DescriptorFreeInfoLocalSacl
String ID:
API String ID: 770883003-0
Opcode ID: 26d171845e726335711b201ca163724500d896e7f63c1369cf58c7af46724ff1
Instruction ID: 1db37017830bbbcd1331111f69adb6250378694c7477806d90f743808296f218
Opcode Fuzzy Hash: 26d171845e726335711b201ca163724500d896e7f63c1369cf58c7af46724ff1
Instruction Fuzzy Hash: 7B119D72A0AB8696E7109FA1F84469D73A1FB88790F044136EB8C83B14DF38D8069B00

Function 000000018002FC18 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018002FC25

Part of subcall function 00000001800389F4: _getptd_noexit.LIBCMT ref: 00000001800389FA
Part of subcall function 00000001800389F4: _amsg_exit.LIBCMT ref: 0000000180038A0A

_inconsistency.LIBCMT ref: 000000018002FC33

Part of subcall function 000000018003A450: DecodePointer.KERNEL32(?,?,?,?,000000018003A3FD,?,?,?,000000018002F87E), ref: 000000018003A45B

_getptd.LIBCMT ref: 000000018002FC38
_inconsistency.LIBCMT ref: 000000018002FC54
_getptd.LIBCMT ref: 000000018002FC64

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
String ID:
API String ID: 3669027769-0
Opcode ID: d84545b744132abf258f2739307021ab7867776e2950de2c885c0764620f8872
Instruction ID: 484109b601cdb60bdd28eb5de1a6cf464c0836e84c8d7e2c0ed591a5095a7b89
Opcode Fuzzy Hash: d84545b744132abf258f2739307021ab7867776e2950de2c885c0764620f8872
Instruction Fuzzy Hash: E5F0FE322086CCC1EAE7AB55D2413FD5350AB8DBC4F1DC171BB840738B9E20C6989315

Function 00000001800039C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

string too long, xrefs: 0000000180003C53, 0000000180003C60

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: 4bcb7b9e46f5ff7cc52432c6c311dcb44bcc844c052dc368eac45e35e3a37bff
Instruction ID: 445ab153e7c438d5d2aafa17d0e773ba3e554981103aaf2981c75933f28ac080
Opcode Fuzzy Hash: 4bcb7b9e46f5ff7cc52432c6c311dcb44bcc844c052dc368eac45e35e3a37bff
Instruction Fuzzy Hash: D0919D72310B8899EB56CF66C0417EC33A5F319B98F818922EB5D67B99DF34CA59C310

Function 00007FF8A7A8E5B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

P, xrefs: 00007FF8A7A8E66D

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: e760891b3d0586f10b0c45491ee25524a262a87b45dc8837c1d53ab325d03245
Instruction ID: b61560cea917720c2c694f6aec2bd663e9b9141b50d631c9c2fd6ec482dbf2a3
Opcode Fuzzy Hash: e760891b3d0586f10b0c45491ee25524a262a87b45dc8837c1d53ab325d03245
Instruction Fuzzy Hash: 8E315B3261AB81EAF3609F15F44176EB3A4FB88780F544135EA8947B94EF3CE4159F40

Function 000000018002EF40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 000000018002EF4E
malloc.LIBCMT ref: 000000018002EF5A

Part of subcall function 000000018002DA78: _FF_MSGBANNER.LIBCMT ref: 000000018002DAA8
Part of subcall function 000000018002DA78: _NMSG_WRITE.LIBCMT ref: 000000018002DAB2
Part of subcall function 000000018002DA78: HeapAlloc.KERNEL32(?,?,00000000,000000018002CDB6,?,?,00000001,000000018002CCA4,?,?,?,0000000180007B34), ref: 000000018002DACD
Part of subcall function 000000018002DA78: _callnewh.LIBCMT ref: 000000018002DAE6
Part of subcall function 000000018002DA78: _errno.LIBCMT ref: 000000018002DAF1
Part of subcall function 000000018002DA78: _errno.LIBCMT ref: 000000018002DAFC

_CxxThrowException.LIBCMT ref: 000000018002EFA3

Part of subcall function 000000018002F788: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180007B51), ref: 000000018002F7F6
Part of subcall function 000000018002F788: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180007B51), ref: 000000018002F835

Strings

bad allocation, xrefs: 000000018002EF6A

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: 738ca98c6a90698db2108c0c022190bcd32b331751dc6fe347bc8814740b5120
Instruction ID: c34e540c3145ef8f8a06282e5f5fd2721dda0450d804faa98ee3730b4d12842b
Opcode Fuzzy Hash: 738ca98c6a90698db2108c0c022190bcd32b331751dc6fe347bc8814740b5120
Instruction Fuzzy Hash: 3AF09AB1605B8E80EEA79B50A0517E95394E78D3C8F488025FA8D0B7A6EE39C34DCB01

Function 00007FF8A7A94850 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 21registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7A94530: RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A94570
Part of subcall function 00007FF8A7A94530: RegQueryValueExW.ADVAPI32 ref: 00007FF8A7A945AE
Part of subcall function 00007FF8A7A94530: RegCloseKey.ADVAPI32 ref: 00007FF8A7A945D0
Part of subcall function 00007FF8A7A94530: RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A945FE

Part of subcall function 00007FF8A7A948B0: RegOpenKeyExW.ADVAPI32 ref: 00007FF8A7A94928
Part of subcall function 00007FF8A7A948B0: RegEnumValueW.ADVAPI32 ref: 00007FF8A7A94962
Part of subcall function 00007FF8A7A948B0: RegQueryValueExW.ADVAPI32 ref: 00007FF8A7A949C1

Part of subcall function 00007FF8A7A948B0: RegCloseKey.ADVAPI32 ref: 00007FF8A7A94ADA

RegCloseKey.ADVAPI32 ref: 00007FF8A7A948A0

Strings

Software\NVIDIA Corporation\Global\nView, xrefs: 00007FF8A7A94867
Hotkeys, xrefs: 00007FF8A7A9488C
SystemSubMenu, xrefs: 00007FF8A7A94878

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: CloseOpenValue$Query$Enum
String ID: Hotkeys$Software\NVIDIA Corporation\Global\nView$SystemSubMenu
API String ID: 920421334-3017348070
Opcode ID: 582784c8c46b6a3e45548c249fc6da8832204fb5b35df2e6620f96a5510e8c89
Instruction ID: d9bb663298b51bc4d12cdd4702d9084378c247d0d16f160a751aab7ffa6085d6
Opcode Fuzzy Hash: 582784c8c46b6a3e45548c249fc6da8832204fb5b35df2e6620f96a5510e8c89
Instruction Fuzzy Hash: CCF037B192AA87B0EA009F52F8813AE6720EB957C4F402031FA4F47765EE2CE156D740

Function 0000000180010C38 Relevance: 6.3, APIs: 4, Instructions: 332stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 0000000180010CE1
localeconv.LIBCMT ref: 0000000180010CF3
strcspn.LIBCMT ref: 0000000180010D07
_Mpunct.LIBCPMT ref: 0000000180010DD8

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: 58ecd130f00b09f8bef17f7d97753f2651f40aaaca60dedd1df9ae10203089cb
Instruction ID: 98907bd55804cf440550a9984b5626c23124420e0867e0600be7f70ad20b48f8
Opcode Fuzzy Hash: 58ecd130f00b09f8bef17f7d97753f2651f40aaaca60dedd1df9ae10203089cb
Instruction Fuzzy Hash: DFE18E32B04E8889EB529F65C4413ED63B1FB4CB88F658115EE8D57B99DF78C64AC340

Function 00000001800107A4 Relevance: 6.3, APIs: 4, Instructions: 331stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000000018001084D
localeconv.LIBCMT ref: 000000018001085F
strcspn.LIBCMT ref: 0000000180010873
_Mpunct.LIBCPMT ref: 0000000180010944

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: 224329cea580c2bc9a473805bd80dcfbc8fe358384d0317fe36835c614ca270f
Instruction ID: 0755191b1818215e47aef75f24144b8be0e7d395005ccb8dbfd754ea295aee4c
Opcode Fuzzy Hash: 224329cea580c2bc9a473805bd80dcfbc8fe358384d0317fe36835c614ca270f
Instruction Fuzzy Hash: 44E18E32B04E8889FB529FA5C4513ED63B1FB58B88F648115EE8D57B99DF78C24AC340

Function 0000000180008524 Relevance: 6.3, APIs: 4, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 00000001800085CC
localeconv.LIBCMT ref: 00000001800085DF
strcspn.LIBCMT ref: 00000001800085F5
_Mpunct.LIBCPMT ref: 00000001800086C7

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: fce10359bc36b8c483969d2f07a480db227c72c73635d2d78eb5f884875fabf2
Instruction ID: 7cedfd9f43536d940008849a18cc50f9a484f0cb7e860469d92b1f85863b93e9
Opcode Fuzzy Hash: fce10359bc36b8c483969d2f07a480db227c72c73635d2d78eb5f884875fabf2
Instruction Fuzzy Hash: 9DD15B32B05A8889EB52CBB5D4503DD37B1F749BC8F949115EE8967B8ADF38C24AC740

Function 0000000180032F58 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180032F82

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 0000000180032FC5
_invoke_watson.LIBCMT ref: 000000018003308A

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 00000001800330A0

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID:
API String ID: 1584724053-0
Opcode ID: 3daca0f6dc92f9794fddbcc1cdaa0d0f178e51dead4e14673644e8c31eb13f91
Instruction ID: 60c5c1db5c3b6a439df75705f13e8ee1368a37c7c8ec72173617ca3056aafd03
Opcode Fuzzy Hash: 3daca0f6dc92f9794fddbcc1cdaa0d0f178e51dead4e14673644e8c31eb13f91
Instruction Fuzzy Hash: F231C57271064886EB57DB26941539E67A1E789FC4F05C135EF5D0BB9ACF38D2068304

Function 000000018000CF54 Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 000000018000CEE9
fclose.LIBCMT ref: 000000018000CEF6
_wfsopen.LIBCMT ref: 000000018000CF0B
fseek.LIBCMT ref: 000000018000CF25

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction ID: ca7f0c424757e16301a012df31de7f28ede8ce03464d2c668ee3546fdfd8efa6
Opcode Fuzzy Hash: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction Fuzzy Hash: 6921E5327216C885FBE6CB1AD441BE67691A78CBC4F19C134BE0943B95DE35C60A8341

Function 0000000180048310 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180048334

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_errno.LIBCMT ref: 0000000180048340

Part of subcall function 000000018002F2DC: _getptd_noexit.LIBCMT ref: 000000018002F2E0

_invalid_parameter_noinfo.LIBCMT ref: 000000018004834B
strchr.LIBCMT ref: 0000000180048361

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: eb64e8c74a50022202f8ee626fe7dbe8f97126340f84a3ce38f6fe5f0cae3986
Instruction ID: 9616a423f97e3a452b980222ce2d2f9dcf0e870d32183e3c52a82e7da15984e5
Opcode Fuzzy Hash: eb64e8c74a50022202f8ee626fe7dbe8f97126340f84a3ce38f6fe5f0cae3986
Instruction Fuzzy Hash: D0213872204AAC40F7E75E1194D03FD66C0EB88FDAF1AC824FAC6076C5CD28C749A708

Function 00000001800072C0 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800072FF

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 000000018000733C
free.LIBCMT ref: 0000000180007363
malloc.LIBCMT ref: 0000000180007382

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_LockitLockit::__lockfreemallocstd::_std::locale::_
String ID:
API String ID: 2732429687-0
Opcode ID: 4c7c4e4cdeb69145b53e9993b344bfcc5c5a1a68407a660adf776166b3026ff4
Instruction ID: 76cda7fa5ebd9028eb80fcaf77cbf10d53a700b3cb3c5ee5f831434e332e8d90
Opcode Fuzzy Hash: 4c7c4e4cdeb69145b53e9993b344bfcc5c5a1a68407a660adf776166b3026ff4
Instruction Fuzzy Hash: 84213B71604A8881EBA2CF11E4403DAB3A0F7597E0F548216EB9D57BA6CF7CC6998740

Function 00007FF8A7A8A8B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7A8AAF6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8A7A8AB02

Strings

ios_base::failbit set, xrefs: 00007FF8A7A8AB1A

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: ios_base::failbit set
API String ID: 73155330-3924258884
Opcode ID: 9b6c570c9035688cfefed480fd4f4d797140a035135655b89860c2973c60c9fc
Instruction ID: 390bf1dc20ed344c6c7f2300f0bd00a6940195edb11e625855d31228c9e26edf
Opcode Fuzzy Hash: 9b6c570c9035688cfefed480fd4f4d797140a035135655b89860c2973c60c9fc
Instruction Fuzzy Hash: B291DF23A0AB85A2EA14CF15F54127E6760FB48BD4F198635EEAD07791EF3CE891D340

Function 00007FF8A7B46550 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF8A7B46627

Part of subcall function 00007FF8A7A75130: GetDC.USER32 ref: 00007FF8A7A75192
Part of subcall function 00007FF8A7A75130: EnumDisplayMonitors.USER32 ref: 00007FF8A7A751B5
Part of subcall function 00007FF8A7A75130: ReleaseDC.USER32 ref: 00007FF8A7A751C0

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF8A7B4662D

Strings

vector too long, xrefs: 00007FF8A7B46644

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskDisplayEnumMonitorsRelease_invalid_parameter_noinfo_noreturn
String ID: vector too long
API String ID: 3103344671-2873823879
Opcode ID: 00b5893f6815dd50e256614d8bc03589ac8b3f58f2ac44a187f63c999bb3d69f
Instruction ID: 3d333214ae42a71ebfba171d8ae5db498ea1af8310905e68c955c88bbfecd974
Opcode Fuzzy Hash: 00b5893f6815dd50e256614d8bc03589ac8b3f58f2ac44a187f63c999bb3d69f
Instruction Fuzzy Hash: 8351C2B2B0AA42B5EA20EF15E4512BD6360FF48BE8F448631DA5D437DADF3CE4429300

Function 00007FF8A7AB24E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

_Getvals.LIBCPMT ref: 00007FF8A7AB2649

Strings

false, xrefs: 00007FF8A7AB2587
true, xrefs: 00007FF8A7AB259D

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: Getvals
String ID: false$true
API String ID: 1336808981-2658103896
Opcode ID: fcaa8dee8702df954b53bf384bd75b2644456ebc9bdddcb28530bd4f0760cdf8
Instruction ID: be48f438c6565521ba65a7b8984fa30f49def0ef234a77fca77d028af2f69fb5
Opcode Fuzzy Hash: fcaa8dee8702df954b53bf384bd75b2644456ebc9bdddcb28530bd4f0760cdf8
Instruction Fuzzy Hash: 9F415B32B09B41A9F710CF70E4411ED33B1FB98788B545226EE4E27A59EF38E696D344

Function 00007FF8A7A965D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF8A7A96632
ReadFile.KERNEL32 ref: 00007FF8A7A966C2

Strings

NVIEW PROFILE LOCK, xrefs: 00007FF8A7A96644

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: FileRead
String ID: NVIEW PROFILE LOCK
API String ID: 2738559852-3082433184
Opcode ID: ab27f8d0231a89b0cb702682be9596c8e9e922d8ba3a70dd5091fb8da4012714
Instruction ID: ce3bf8c443b3a4254031c1dd25370180558fdf37bcef73aa5425d143e60e39ef
Opcode Fuzzy Hash: ab27f8d0231a89b0cb702682be9596c8e9e922d8ba3a70dd5091fb8da4012714
Instruction Fuzzy Hash: 73318D63919BC192E7608F24E4143BEB360FBE9794F409326EB9C02699EF7CD194CB00

Function 00000001800495E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800496A8

Strings

csm, xrefs: 0000000180049664
csm, xrefs: 000000018004960B

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: ce9d772766a9f3e407c5664677aefc26ffad84ba179c49f55fff2b9c6189d35d
Instruction ID: f7e595c495de74603a87214bb7ed729c6939f290df5d238fa3d8429b20b6b438
Opcode Fuzzy Hash: ce9d772766a9f3e407c5664677aefc26ffad84ba179c49f55fff2b9c6189d35d
Instruction Fuzzy Hash: 6031A773101B48CADBA18F66C0843993BB5F358B9DF8B5225FA4D1BB64CB75C984C788

Function 00007FF8A7A725C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF8A7A725D7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF8A7A72616

Part of subcall function 00007FF8A7A98720: _Yarn.LIBCPMT ref: 00007FF8A7A9874E

Strings

bad locale name, xrefs: 00007FF8A7A7262A

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: c524e6af0baa67fe1cc82a5cd4aa5f82788b02c5eb321f0c46adb42b5351efdd
Instruction ID: 0283a57625a02ef9b4cbb1bce82799a2c68448af2fca1e1eb6ba4d76b986aa2f
Opcode Fuzzy Hash: c524e6af0baa67fe1cc82a5cd4aa5f82788b02c5eb321f0c46adb42b5351efdd
Instruction Fuzzy Hash: D301A223506B8099C345DF74A84115C77B5FB58BC4B185139CA8C8374AFF38D4A0C354

Function 00000001800496D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002FC18: _getptd.LIBCMT ref: 000000018002FC25
Part of subcall function 000000018002FC18: _inconsistency.LIBCMT ref: 000000018002FC33
Part of subcall function 000000018002FC18: _getptd.LIBCMT ref: 000000018002FC38
Part of subcall function 000000018002FC18: _inconsistency.LIBCMT ref: 000000018002FC54

_getptd.LIBCMT ref: 000000018004972B
_getptd.LIBCMT ref: 000000018004973E

Part of subcall function 000000018002FCA8: _getptd.LIBCMT ref: 000000018002FCB1

Strings

csm, xrefs: 00000001800496F8

Memory Dump Source

Source File: 00000004.00000002.4529786912.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000004.00000002.4529767390.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529820139.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529839842.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.4529872462.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180000000_rundll32.jbxd

Similarity

API ID: _getptd$_inconsistency
String ID: csm
API String ID: 1773999731-1018135373
Opcode ID: 242ad1541a1665e7e88aaf19789ec1deda19dbf05a08f0dcd3087e0f0a85a81f
Instruction ID: 6596bc08887fd2df5714e5c2ca6ea54ff60e088d84c846dd7f248314ba4ebb2f
Opcode Fuzzy Hash: 242ad1541a1665e7e88aaf19789ec1deda19dbf05a08f0dcd3087e0f0a85a81f
Instruction Fuzzy Hash: 8D01A736115A4989DBA2AF71D4C17FD2394E7497C9F099171FE4946349DE20C6C9C340

Function 00007FF8A7B507A0 Relevance: 5.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,00007FF8A7A0127B), ref: 00007FF8A7B507B8
GetLastError.KERNEL32(?,?,?,00007FF8A7A0127B), ref: 00007FF8A7B50840
LocalFree.KERNEL32(?,?,?,00007FF8A7A0127B), ref: 00007FF8A7B5085B
SetLastError.KERNEL32(?,?,?,00007FF8A7A0127B), ref: 00007FF8A7B50879

Memory Dump Source

Source File: 00000004.00000002.4531864440.00007FF8A7A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8A7A00000, based on PE: true

Associated: 00000004.00000002.4531850228.00007FF8A7A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4531968624.00007FF8A7B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532004019.00007FF8A7BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532018219.00007FF8A7BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532031749.00007FF8A7BC7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.4532046182.00007FF8A7BCE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff8a7a00000_rundll32.jbxd

Similarity

API ID: ErrorLast$FreeLocal
String ID:
API String ID: 1627422176-0
Opcode ID: 45d03da843b7eb71680eb8731c5b4906c31a2aa6ec7f343a47b717000f953ddf
Instruction ID: 94268db3ac13c6e4503cde7b364252068efe59ad5ca511f7e31eb6978d928740
Opcode Fuzzy Hash: 45d03da843b7eb71680eb8731c5b4906c31a2aa6ec7f343a47b717000f953ddf
Instruction Fuzzy Hash: 5A21D471F1E58291EB548F26A50457D5250EF88BD0F486231EE5F477D5DE3CE882A740

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 94.232.46.11:8817
Source: global traffic	TCP traffic: 192.168.2.5:49920 -> 94.232.40.41:8817

Source: Joe Sandbox View	ASN Name: WELLWEBNL WELLWEBNL
Source: Joe Sandbox View	ASN Name: WELLWEBNL WELLWEBNL

Source: global traffic	DNS traffic detected: DNS query: muuxxu.com
Source: global traffic	DNS traffic detected: DNS query: cronoze.com

Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50B0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589156153.000001D6C50F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000004.00000003.3205730297.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047401761.000001D6C50FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589156153.000001D6C50F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.4047431332.000001D6C50B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589118897.000001D6C50F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com/
Source: rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.php
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/
Source: rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.php
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5028000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.php4
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.phpXAy
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.phpqAb
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C5081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.phptAm
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.php
Source: rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.3205730297.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.php2
Source: rundll32.exe, 00000004.00000002.4530700291.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.php8
Source: rundll32.exe, 00000004.00000003.2589169443.000001D6C50B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phpY
Source: rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phph
Source: rundll32.exe, 00000004.00000003.4047431332.000001D6C50C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phpi
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: 45c62e.msi, 5cd2d1.msi.1.dr, MSID458.tmp.1.dr, MSID3EA.tmp.1.dr, MSID4F7.tmp.1.dr, MSID4C7.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000001D6C89DD270 NtAllocateVirtualMemory,		4_3_000001D6C89DD270
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000001D6C89DD2E0 NtProtectVirtualMemory,		4_3_000001D6C89DD2E0

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 45c62e.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5cd2d3.rbs

C:\Users\user\AppData\Roaming\vgruntime\avdapi.dll

C:\Users\user\NTUSER.DAT.Not

C:\Windows\Installer\5cd2d1.msi

C:\Windows\Installer\MSID3EA.tmp

C:\Windows\Installer\MSID458.tmp

C:\Windows\Installer\MSID4C7.tmp

C:\Windows\Installer\MSID4F7.tmp

C:\Windows\Installer\MSID594.tmp

C:\Windows\Installer\SourceHash{4C0A4C04-B78F-4D97-A68D-084ABF0CFF9C}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF3C2E41AA06136370.TMP

C:\Windows\Temp\~DF5F64832CD71B2EC1.TMP

C:\Windows\Temp\~DF7C7D267F3BE97AB0.TMP

C:\Windows\Temp\~DF879783CA8456C4B6.TMP

C:\Windows\Temp\~DF990042BC864CFA63.TMP

C:\Windows\Temp\~DF9CFD100E0F8B6B5E.TMP

C:\Windows\Temp\~DFCD6E206639A8CBFF.TMP

C:\Windows\Temp\~DFED9D7AC097B0F001.TMP

C:\Windows\Temp\~DFF788403CC86B8F41.TMP

C:\Windows\Temp\~DFFB14D25889712E8F.TMP

Windows Analysis Report
45c62e.msi

Function 00007FF8A7AC7CA4 Relevance: 24.0, APIs: 1, Strings: 2, Instructions: 19536
COMMON

Function 00007FF8A7AC9790 Relevance: 18.7, APIs: 1, Instructions: 17454
memoryCOMMONLIBRARYCODE

Function 00000001800026C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 269
stringCOMMONLIBRARYCODE

Function 000001D6C6A50B00 Relevance: 4.1, APIs: 3, Instructions: 371
memoryCOMMON

Function 0000000180002C30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26
memoryCOMMON

Function 00007FF8A7A844E5 Relevance: 86.1, APIs: 33, Strings: 16, Instructions: 382
stringwindowfileCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre