Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample Name:	setup.exe
Analysis ID:	831887
MD5:	4b1b8d826af29ffedb77d48e34ce9494
SHA1:	c90c4aad5975c0be4a2c25240367874af1218c6a
SHA256:	9e068da322450ae34e33254c3bd919c1a38c5387f10f99ce4305bc63452acea6
Tags:	exeRhadamanthys
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected RHADAMANTHYS Stealer

Malicious sample detected (through community Yara rule)

Detected unpacking (overwrites its own PE header)

Yara detected AntiVM3

Detected unpacking (changes PE section rights)

Snort IDS alert for network traffic

Hides threads from debuggers

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Potential time zone aware malware

Yara detected Keylogger Generic

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

setup.exe (PID: 3152 cmdline: C:\Users\user\Desktop\setup.exe MD5: 4B1B8D826AF29FFEDB77D48E34CE9494)

dllhost.exe (PID: 5552 cmdline: C:\Windows\system32\dllhost.exe MD5: 2528137C6745C4EADD87817A1909677E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	No Attribution	https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/ https://www.malware-traffic-analysis.net/2023/01/03/index.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: Rhadamanthys

{"C2 url": "http://179.43.154.216/img/favicon.ico"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1488:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: setup.exe PID: 3152	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: setup.exe PID: 3152	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: dllhost.exe PID: 5552	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: dllhost.exe PID: 5552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dllhost.exe PID: 5552	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.3.dllhost.exe.229cae30000.11.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Snort Signatures

ET TROJAN Rhadamanthys Stealer - Payload Download Request - Source IP: 192.168.2.3 - Destination IP: 179.43.154.216

Timestamp:	192.168.2.3179.43.154.21649697802043202 03/22/23-02:44:55.586805
SID:	2043202
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Rhadamanthys Stealer - Payload Response - Source IP: 179.43.154.216 - Destination IP: 192.168.2.3

Timestamp:	179.43.154.216192.168.2.380496972853001 03/22/23-02:44:55.688487
SID:	2853001
Source Port:	80
Destination Port:	49697
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Rhadamanthys Stealer - Data Exfil - Source IP: 192.168.2.3 - Destination IP: 179.43.154.216

Timestamp:	192.168.2.3179.43.154.21649700802853002 03/22/23-02:45:15.346327
SID:	2853002
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Code function: 0_2_0040AA72 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0040AA72

Source: initial sample

Static PE information: section name: .text entropy: 7.756451536968294

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setup.exe PID: 3152, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dllhost.exe, 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PARTIAL RECORD WITHOUT END(1)PARTIAL RECORD WITHOUT END(2)MISSING START OF FRAGMENTED RECORD(1)MISSING START OF FRAGMENTED RECORD(2)ERROR IN MIDDLE OF RECORDUNKNOWN RECORD TYPE %UCHECKSUM MISMATCHBAD RECORD LENGTHKERNEL32.DLLEXITPROCESS/BIN/RUNTIME.EXERTLGETVERSION%08X.LUA/EXTENSION/%08X.LUA/BIN/I386/STUB.DLL/BIN/KEEPASSHAX.DLL/BIN/I386/STUBMOD.BIN/BIN/I386/COREDLL.BIN/ETC/LICENSE.KEYHTTP:///ETC/PUK.KEYGET13CONNECTIONUPGRADEUPGRADEWEBSOCKETUSER-AGENTCURL/5.9SEC-WEBSOCKET-KEYSEC-WEBSOCKET-VERSIONABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZMACHINEGUIDSOFTWARE\MICROSOFT\CRYPTOGRAPHYISWOW64PROCESS\GLOBAL??ASWHOOK.DLLKLKBDFLTRTP_PROCESS_MONITOR360SELFPROTECTIONV1.0.3705GETREQUESTEDRUNTIMEINFOGETCORVERSIONCORBINDTORUNTIMECLRCREATEINSTANCEWKSCORBINDTORUNTIMEEXV4.0.30319V2.0.50727MSCOREE.DLL%PCOMMANDLINECURRENTDIRECTORY"%S" %S"%S"CREATEWIN32_PROCESSROOT\CIMV2RUNAS.EXE.EXEDUMPFINDSTRICMPPRINTTOSTRING?.\;@%SCJSONWINREGMESSAGEPACKPRELOADPACKAGE_GFRAMEWORKLOADEDDECRYPT_UTF8SEND_DATAREG_EXPORTGCREADFILEGET_ARCHPS_GETPATHSET_COMMITADD_FILEADD_STREAMPATH_EXISTFILE_EXISTPARSE_PATHFS_SEARCHNAMEFILENAMEFILESIZEHIGHFILESIZELOW%S\%S...%S\.
Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK.DLL
Source: dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6EXITPROCESSKERNEL32.DLL/ETC/LICENSE.KEYHTTP:///ETC/PUK.KEYMACHINEGUIDSOFTWARE\MICROSOFT\CRYPTOGRAPHYKLKBDFLTRTP_PROCESS_MONITOR360SELFPROTECTION\GLOBAL??ASWHOOK.DLL/BIN/RUNTIME.EXEGET13CONNECTIONUPGRADEUPGRADEWEBSOCKETUSER-AGENTCURL/5.9SEC-WEBSOCKET-KEYSEC-WEBSOCKET-VERSIONABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890ABCDEFGHIJKLMNOPQRSTUVWXYZRTLGETVERSION%08X.LUA/EXTENSION/%08X.LUA/BIN/I386/STUB.DLL/BIN/AMD64/STUB.DLL/BIN/KEEPASSHAX.DLL/BIN/I386/STUBMOD.BIN/BIN/I386/COREDLL.BIN/BIN/AMD64/COREDLL.BIN/BIN/AMD64/STUBMOD.BIN

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 24B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 24B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 24B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 24B0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

API coverage: 6.9 %

Source: C:\Users\user\Desktop\setup.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_004033AD GetSystemInfo,VirtualQuery,IsBadReadPtr,VirtualQuery,

0_2_004033AD

Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E6828C FindFirstFileW,FindNextFileW,		10_2_00007DF490E6828C
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E6782C FindFirstFileW,FindNextFileW,FindClose,		10_2_00007DF490E6782C

Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior

Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: setup.exe, 00000000.00000002.313022935.0000000000B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLink0c9f}SymbolicLink
Source: dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: dllhost.exe, 0000000A.00000002.363318384.00000229C91A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: setup.exe, 00000000.00000002.313022935.0000000000B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinke5d05f0c9f}SymbolicLink
Source: dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: setup.exe, 00000000.00000002.313022935.0000000000B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkSymbolicLink
Source: dllhost.exe, 0000000A.00000002.363318384.00000229C91A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws\System32\en-US\wshqos.dll.mui

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

0_2_0040AA72

Source: C:\Users\user\Desktop\setup.exe

0_2_0040AA72

Source: C:\Users\user\Desktop\setup.exe

0_2_0040AA72

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_004035ED IsBadStringPtrA,lstrlenA,IsBadCodePtr,IsBadReadPtr,GetProcessHeap,RtlAllocateHeap,IsBadCodePtr,VirtualProtect,GetModuleHandleA,_memmove,HeapAlloc,InterlockedIncrement,_memmove,_memset,GetProcessHeap,HeapAlloc,HeapFree,_memmove,_memmove,

0_2_004035ED

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\setup.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081092B mov eax, dword ptr fs:[00000030h]		0_2_0081092B
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00810D90 mov eax, dword ptr fs:[00000030h]		0_2_00810D90

Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Memory protected: page execute and read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00408150 SetUnhandledExceptionFilter,	0_2_00408150
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00408173 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00408173
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_008183B7 SetUnhandledExceptionFilter,	0_2_008183B7
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_008183DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008183DA

Source: C:\Users\user\Desktop\setup.exe

Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe

Jump to behavior

Source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: dllhost.exe, 0000000A.00000003.346097175.00000229C92C3000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.331435099.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WindowOverrideScaleFactorShell_TrayWnd[
Source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ntdll.dllRtlDllShutdownInProgress_p0h.*......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles(x86)%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.inf.ins.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen......./UseSystemForSystemFoldersdesktop.ini%SystemDrive%\\%COMPUTERNAME%...\...%s\%s\StringFileInfo\04090000\FileDescriptionT
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: InitialExpandWindows.HistoryVaultRestoreWindows.closewindowWindows.menubarWindows.selectModeWindows.invertselectionWindows.selectnoneWindows.selectallWindows.pastelinkWindows.pasteWindows.includeinlibraryWindows.burnWindows.emailWindows.newfolderrenamerenamepastelinkpastelinkpropertiespropertieslinklinkpastepastecopycopycutcutdeletedeletemswindowsvideomswindowsmusicmailtohttpshttpbingmaps.zpl.xvid.WPL.wmv.wma.wm.wdp.wav.TTS.TS.rwl.rw2.raw.raf.png.pef.pdf.orf.nrw.nef.mts.mpv2.mpa.mp4v.mp4.mp3.mrw.mov.mod.mkv.m4v.m4r.m4a.m3u.m2ts.m2t.kdc.jxr.jpeg.jpe.jfif.html.htm.gif.flac.erf.epub.dib.crw.cr2.bmp.avi.arw.amr.adts.adt.aac.3gpp.3gp.3g2shcond://v2#ControlPanelExistsshcond://v1#AreAppDefaultsRestrictedshcond://v1#IsIrDASupportedshcond://v1#IsMobilityCenterEnabledshcond://v1#IsParentalControlsAvailableshcond://v1#IsProximityProviderAvailableshcond://v1#COMConditionshcond://v2#IsRemoteDesktopshcond://v2#IsProjectionAvailableshcond://v1#IsAuxDisplayConnectedAndAutoWakeEnabledshcond://v1#IsMuiEnabledshcond://v1#IsGlassOnshcond://v1#IsConnectedToInternetshcond://v1#IsTouchAvailableshcond://v1#IsPenAvailableshcond://v1#IsTabletPCshcond://v1#IsServershcond://v1#SkuEqualsshcond://v1#IsOfflineFilesEnabledshcond://v1#IsBrightnessAvailableshcond://v1#IsPresentationSettingsEnabledshcond://v1#IsMobilePCshcond://v1#IsAuxDisplayConnectedshcond://v1#IsUserAdminshcond://v1#IsMachineNotOnDomainAndDomainIsAvailshcond://v1#IsMachineOnDomainshcond://v1#RegkeyExistsshcond://v1#RegvalExistsshcond://v1#RegvalEqualsRateChartOverlayWindowAutoplayHandlerChooserOperationStatusWindowMenuSiteBaseBarExplorerBrowserControlExplorerBrowserNavigationDateRangeControlBooleanCheckMarkControlIconListControlmsctls_netaddressSysDragImageThumbnailControlPropertyControlBaseShell Preview Extension Temporary ParentShell Preview Extension Host PreviewerShell Preview Extension Host Background MsgCalendarHostDropDownRatingsControlSHELLDLL_MVPEditControlViewControlClassTrackContextMenuClassSharePointViewUserEventWindowGroupButtonShellFileSearchControlATL Shell EmbeddingDivWindowMSGlobalFolderOptionsStubProgmanStubWindow32cpShowColorcpColorWOACnslFontPreviewWOACnslWinPreview\Sharepoint\Dropbox\Google Drive\Onedrive -\3D Objects\Music\Videos\Pictures\Pictures\Camera Roll\Documents\Downloads\DesktopParse Internet Dont Escape SpacesDon't Parse RelativePendingRedirectionSyncRootsUserSyncRoots
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VerticalScrollBaranimationTileContentsSrcanimationProgressSrcInneranimationProgressDstanimationProgressDstInneranimationTileContentsDstanimationTileContentsSrcInneranimationTileContentsDstInneranimationProgressSrcidOperationTileeltProgressBareltInterruptPaneeltSummaryeltRegularTileHeadereltInterruptDoForAlleltInterruptButtonsContainereltInterruptDescriptioneltItemIconeltInterruptSkipBtneltInterruptCancelBtneltInterruptRetryBtneltInterruptYesBtneltItemNameeltItemPropseltInterruptElevateBtneltInterruptDeleteBtneltInterruptDoForAllLabelidOperationInterruptidTileSubTextshell\shell32\operationstatusmgr.cppeltInterruptOKBtneltInterruptNoBtnConfirmationCheckBoxDoForAllidTileActionIdTileKeepDestIdTileKeepAsWorkIdTileKeepAsPersonalIdTileIgnoreIdTileDecideForEachidItemTileIdTileKeepSourceidTileIconeltConflictInterruptDescriptioneltItemTileContainerKeepSourceTileIconSkipTileIconDecideForEachTileIconCustomCommandIconidConflictInterrupteltInterruptTileHeaderidCustomConflictInterrupteltTimeRemainingeltTile%ueltTileContentseltPauseButtonIdTileDefault%0.2fCHARTVIEWeltRateCharteltCancelButtoneltRegularTileeltScrolleltDetailseltItemsRemainingeltLocationseltConfirmationInterrupteltConflictInterrupteltDisplayModeBtneltDisplayModeBtnFocusHoldereltTileAreaeltProgressBarContainereltDividereltScrollBarFilleridTileHosteltFooterAreaprogmanEnthusiastModeWindows.SystemToast.ExplorerRICHEDIT50WlfItaliclfUnderlinelfStrikeOutlfCharSetSoftware\Microsoft\NotepadlfEscapementlfOrientationlfWeightiPointSizeLucida ConsolelfFaceNamelfOutPrecisionlfClipPrecisionlfQualitylfPitchAndFamily
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Local\SM0:%d:%d:%hsShell_TrayWnd_p0hCLSID\Software\Classes\RtlDllShutdownInProgressEtwEventWriteEtwEventEnabledEtwEventUnregisterEtwEventRegisterntdll.dllWilStaging_02NtQuerySystemInformationSecurity-SPP-Reserved-TBLProductKeyTypeshell32-license-ShowProductNameOnDesktopSoftware\Microsoft\Windows NT\CurrentVersion\WindowsDisplayVersionBasebrdWldpCheckRetailConfiguration\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3BuildLabYOr
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROGMANDDEMLMom%c:\%sExplorerDMGFrameGetWorkingDirGetDescriptionProgmanProgmanGetIconsetupPmFrameSoftware\Microsoft\Windows\CurrentVersion\Explorer\MapGroupsFoldersGroupsAppPropertiesBWWFrameccInsDDEBACKSCAPEDDEClientWndClassDDEClientStartUpddeClassInstallCA_DDECLASSMake Program Manager GroupMedia RecorderMediaRecorderSender#32770groups
Source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *Program ManagerpszDesktopTitleW
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ConfirmCabinetIDExploreFolderShellFileOpenFindFileViewFolderCreateGroupReplaceItemDeleteItemFindFolderReloadAddItemShowGroupDeleteGroupExitProgman
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CountryL1WUSF123r5.inidriverRestartCommandsSoftware\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup/LOADSAVEDWINDOWSNonRudeHWNDDesktopWindowAutoColorizationProgram ManagerpszDesktopTitleWLocal\Microsoft-Windows-DesktopBackground
Source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Windows\System32\dllhost.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_004054DA cpuid

0_2_004054DA

Source: C:\Windows\System32\dllhost.exe

Code function: 10_2_00007DF490E6B92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,

10_2_00007DF490E6B92C

Source: C:\Users\user\Desktop\setup.exe

Code function: 0_2_00407F41 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

0_2_00407F41

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setup.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framework.parse_path([[%AppData%\Electrum-LTC\config]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C947B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framework.parse_path([[%AppData%\ElectronCash\config]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C92AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framework.parse_path([[%AppData%\com.liberty.jaxx]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C92AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framework.parse_path([[%AppData%\Exodus\exodus.wallet]]),
Source: dllhost.exe, 0000000A.00000003.309263993.00000229C92AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framework.parse_path([[%AppData%\Exodus\exodus.wallet]]),

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Source: Yara match

File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setup.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR

Source: C:\Windows\System32\dllhost.exe

Code function: 10_2_00007DF490E6B92C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,

10_2_00007DF490E6B92C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	13 Process Injection	13 Virtualization/Sandbox Evasion	1 OS Credential Dumping	11 System Time Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	21 Input Capture	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	13 Process Injection	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
setup.exe	42%	Virustotal		Browse
setup.exe	62%	ReversingLabs	Win32.Trojan.RedLine
setup.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.setup.exe.810e67.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.3.setup.exe.840000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/lcr0#	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.defence.gov.au/pki0	0%	URL Reputation	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
https://discord.com	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://ca.mtin.es/mtin/ocsp0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://ca.mtin.es/mtin/DPCyPoliticas0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://ocsp.ncdc.gov.sa0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
http:///etc/puk.keyMachineGuidSOFTWARE	0%	Avira URL Cloud	safe
https://support.google.com-_https://support.google.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.e-me.lv/repository0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.acabogacia.org/doc0	dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.postsignum.cz/crl/psrootqca2.crl02	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com	dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discordapp.com	dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google	dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346524117.00000229C92EF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=update_errorFix	dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/lcr0#	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/answer/6315198?product=	dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.google.com	dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/dpc0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certeurope.fr/reference/root2.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class2.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows	dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	false		high
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.defence.gov.au/pki0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sk.ee/cps/0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0=	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.anf.es	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=update_error	dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346532064.00000229C92E8000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki.registradores.org/normativa/index.htm0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssc.lt/cps03	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/intl/en_uk/chrome/Google	dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.pki.gva.es0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com	dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c	dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	false		high
http:///etc/puk.keyMachineGuidSOFTWARE	dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ca.mtin.es/mtin/ocsp0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.dnie.es/dpc0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca.mtin.es/mtin/DPCyPoliticas0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.google.com-_https://support.google.com	dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.anf.es/AC/ANFServerCA.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.globaltrust.info0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://acedicom.edicomgroup.com/doc0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class3TS.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crl.anf.es/AC/ANFServerCA.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en_uk/chrome/st_vi	dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certeurope.fr/reference/pc-root2.pdf0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ac.economia.gob.mx/last.crl0G	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel	dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca0f	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.e-szigno.hu/RootCA.crl	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.sk.ee/juur/crl/0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eca.hinet.net/repository0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.ssc.lt/root-a/cacrl.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es00	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.netlock.net/docs	dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.ncdc.gov.sa0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://repository.luxtrust.lu0	dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831887
Start date and time:	2023-03-22 02:43:34 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	setup.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@3/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 46.7% (good quality ratio 42.5%) Quality average: 82.1% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 66% Number of executed functions: 38 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 179.43.154.216
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, catalog.s.download.windowsupdate.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.685021149385796
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	391680
MD5:	4b1b8d826af29ffedb77d48e34ce9494
SHA1:	c90c4aad5975c0be4a2c25240367874af1218c6a
SHA256:	9e068da322450ae34e33254c3bd919c1a38c5387f10f99ce4305bc63452acea6
SHA512:	2ff97a031bcae8b0f7fa49cc877e9377054928e36420c952767740d8625e3ba92ef5a72af232f56f597c8491ea0030faa7bc42ad5afed958e49a34873ced2a4c
SSDEEP:	6144:06fBLWLRZHJ89DSqbbMyA3MQZkqo56vffqzgMcWML0pWYGQ:06fBa9H89DSQbv+MQZkP43qpcGWYV
TLSH:	1B84F74382A23D45EA258B739F1FC6FCB60DF2709E497B6532199E6B14B06B3C263711
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................\.......M.......[......`................R.......L.......I.....Rich....................PE..L......b...........

File Icon


Icon Hash:	a4a4a49484aca4e2

Static PE Info

General

Entrypoint:	0x40494f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x62B59A9A [Fri Jun 24 11:06:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	a1987c4dfef703391c65547d45eb7acc

Entrypoint Preview

Instruction
call 00007F6C5CA56E2Dh
jmp 00007F6C5CA52E6Eh
int3
int3
int3
int3
int3
int3
int3
call 00007F6C5CA5302Ch
xchg cl, ch
jmp 00007F6C5CA53014h
call 00007F6C5CA53023h
fxch st(0), st(1)
jmp 00007F6C5CA5300Bh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F6C5CA53001h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F6C5CA52FF6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F6C5CA52FF4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F6C5CA52FF7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F6C5CA56FFFh
fstp st(0)
fld tbyte ptr [0043933Ah]
ret
fstp st(0)
or cl, cl
je 00007F6C5CA52FFDh
fstp st(0)
fldpi
or ch, ch
je 00007F6C5CA52FF4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F6C5CA52FE9h
fchs
ret
fstp st(0)
jmp 00007F6C5CA56FD5h
fstp st(0)
mov cl, ch
jmp 00007F6C5CA52FF2h
call 00007F6C5CA52FBEh
jmp 00007F6C5CA56FE0h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, 0000FD30h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37830	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2fc000	0x21f50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31e000	0xc38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3000	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x371a6	0x37200	False	0.8542818168934241	data	7.756451536968294	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x39000	0x2c2df8	0x2c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2fc000	0x21f50	0x22000	False	0.37500718060661764	data	4.152645454972247	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x31e000	0x365a	0x3800	False	0.18819754464285715	data	2.121027053999131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2fc960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x2fd808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x2fe0b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x300658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x301700	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x301bb8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x302280	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x304828	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x304cc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x305b68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x306410	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x306978	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x308f20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x309fc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x30a950	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x30ae20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x30bcc8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x30c570	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x30cc38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x30d1a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x30f748	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x3107f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x310cc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x311b68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x312410	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x312978	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x314f20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x315fc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x316950	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_ICON	0x316e20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Mexico
RT_ICON	0x317cc8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Mexico
RT_ICON	0x318570	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Mexico
RT_ICON	0x318c38	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Mexico
RT_ICON	0x3191a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Mexico
RT_ICON	0x31b748	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Mexico
RT_ICON	0x31c7f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Mexico
RT_ICON	0x31d178	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Mexico
RT_DIALOG	0x31d838	0x8a	data
RT_STRING	0x31d8c8	0x25a	data
RT_STRING	0x31db28	0x428	data
RT_GROUP_ICON	0x316db8	0x68	data	Spanish	Mexico
RT_GROUP_ICON	0x301b68	0x4c	data	Spanish	Mexico
RT_GROUP_ICON	0x310c58	0x68	data	Spanish	Mexico
RT_GROUP_ICON	0x304c90	0x30	data	Spanish	Mexico
RT_GROUP_ICON	0x30adb8	0x68	data	Spanish	Mexico
RT_GROUP_ICON	0x31d5e0	0x76	data	Spanish	Mexico
RT_VERSION	0x31d658	0x1dc	data

Imports

DLL	Import
KERNEL32.dll	GetNumaProcessorNode, lstrcpynA, CallNamedPipeA, GetLogicalDriveStringsW, GlobalSize, SetDefaultCommConfigW, WaitForSingleObjectEx, LoadLibraryW, GetConsoleMode, GetWriteWatch, GetFileAttributesW, GetCompressedFileSizeA, GetConsoleAliasesW, GetLastError, ChangeTimerQueueTimer, GetProcAddress, VirtualAlloc, FindVolumeClose, CreateMemoryResourceNotification, WriteConsoleA, LocalAlloc, CreateHardLinkW, BeginUpdateResourceA, FoldStringA, FreeEnvironmentStringsW, GlobalAddAtomW, GetPrivateProfileSectionW, InterlockedPushEntrySList, FlushFileBuffers, CloseHandle, CreateFileA, HeapSize, EnumSystemCodePagesW, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapReAlloc, MultiByteToWideChar, RtlUnwind, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, RaiseException, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
USER32.dll	ClientToScreen, GetKeyState, LoadMenuA, MessageBoxIndirectA, GetClassNameW, GetListBoxInfo, GetCaretPos, SetScrollInfo
GDI32.dll	GetCharWidthI

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Mexico

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: setup.exePID: 3152, Parent PID: 3452

General

Target ID:	0
Start time:	02:44:30
Start date:	22/03/2023
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\setup.exe
Imagebase:	0x400000
File size:	391680 bytes
MD5 hash:	4B1B8D826AF29FFEDB77D48E34CE9494
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000002.312540780.0000000000840000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000000.00000003.301383185.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: dllhost.exePID: 5552, Parent PID: 3152

General

Target ID:	10
Start time:	02:44:56
Start date:	22/03/2023
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dllhost.exe
Imagebase:	0x7ff769260000
File size:	20888 bytes
MD5 hash:	2528137C6745C4EADD87817A1909677E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.309263993.00000229C93B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000A.00000003.342727970.00000229CB400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: setup.exePID: 3152, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	16.8%
Signature Coverage:	6.6%
Total number of Nodes:	996
Total number of Limit Nodes:	25

Executed Functions

Function 004035ED Relevance: 29.0, APIs: 19, Instructions: 483
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004035ED() {
				signed int _t193;
				void* _t214;
				signed int* _t217;
				long* _t221;

				_t217 = _t221[0xa];
				_t193 =  !( *_t217) + 0xc;
				if(_t193 > 0xb) {
					L82:
					 *_t221 = 0;
					L96:
					return  *_t221;
				}
				_t214 =  *(_t221[9]);
				switch( *((intOrPtr*)(_t193 * 4 +  &M0040E3D0))) {
					case 0:
						 *_t221 = 0;
						_t195 = _t217[1];
						if(_t195 > 7) {
							goto L96;
						}
						 *_t221 = 0;
						_t205 = 0;
						if(_t195 <= 0) {
							L68:
							__eflags = _t205 - _t195;
							if(_t205 != _t195) {
								goto L96;
							}
							L69:
							_t197 = HeapAlloc(GetProcessHeap(), 8, 0x1c + _t195 * 8);
							if(_t197 == 0) {
								goto L82;
							}
							_t216 = _t197;
							 *_t221 = 0;
							if(_t217[1] <= 0 || _t221[9] == 0) {
								L76:
								_t206 =  *(_t214 + 0x58);
								 *_t216 = _t206;
								 *(_t206 + 4) = _t216;
								 *((intOrPtr*)(_t216 + 4)) = _t214 + 0x58;
								 *(_t214 + 0x58) = _t216;
								goto L96;
							} else {
								_t204 = 0;
								while(1) {
									_t211 =  *(_t217 + 8 + _t204 * 4);
									if( *(_t217 + 8 + _t204 * 4) == 0) {
										goto L76;
									}
									_t200 =  *((intOrPtr*)(_t221[9] + 0x14));
									if( *((intOrPtr*)(_t221[9] + 0x14)) == 0) {
										goto L76;
									}
									 *(_t216 + 0xc) =  *(_t216 + 0xc) | 1 << _t204;
									_t217 = _t221[0xa];
									_t209 =  *(_t216 + 0x10);
									 *(_t216 + 0x10) = _t209 + 1;
									_t140 = _t209 * 8; // 0x14
									E004010B0( *((intOrPtr*)(_t214 + 0xa4)), _t216 + _t140 + 0x14, _t200 + (_t211 &  *(_t221[9] + 0x18)));
									_t221 =  &(_t221[3]);
									_t204 = _t204 + 1;
									if(_t204 < _t217[1]) {
										continue;
									}
									goto L76;
								}
								goto L76;
							}
						}
						_t205 = 0;
						while( *((intOrPtr*)(_t217 + 8 + _t205 * 4)) != 0) {
							_t205 = _t205 + 1;
							if(_t195 != _t205) {
								continue;
							}
							goto L69;
						}
						goto L68;
					case 1:
						__eax = __ebp[8];
						__eflags = __eax;
						if(__eax == 0) {
							goto L82;
						}
						 *__esp = 0;
						__esi = __ebp[0xc];
						__ebx =  *(__ebx + 0x18);
						__ecx = __eax + __esi;
						__ecx = __eax + __esi | __eax;
						__edx = __ebx;
						__edx =  !__ebx;
						__eflags = __ecx & __edx;
						if((__ecx & __edx) != 0) {
							goto L96;
						}
						__esp[1] = __esi;
						__edx = __esp[9];
						__edi = __edi[0x94];
						__eflags = __edi;
						if(__edi == 0) {
							goto L96;
						}
						__ecx = __ebp[4];
						__eflags = __ecx;
						if(__ecx < 0) {
							goto L96;
						}
						__ebx = __ebx & __eax;
						__ebx = __ebx +  *((intOrPtr*)(__edx + 0x14));
						__edi =  &(__edi[__ecx]);
						__eax = IsBadStringPtrA(__edi, 2);
						__eflags = __eax;
						if(__eax != 0) {
							goto L96;
						}
						__eax = lstrlenA(__edi);
						__esi = __esp[1];
						__eflags = __eax - __esi;
						__esi =  <  ? __eax : __esi;
						_push(__esi);
						_push(__edi);
						_push(__ebx);
						goto L48;
					case 2:
						 *__esp = 0;
						__esi = __edi[0x94];
						__esi = __ebp[4] + __edi[0x94];
						__eax = IsBadCodePtr(__esi);
						__eflags = __eax;
						if(__eax != 0) {
							goto L96;
						}
						__ebx = __edi[0x94];
						__ebx = __ebp[8] + __edi[0x94];
						__eax = IsBadReadPtr(__ebx, 0xa);
						__eflags = __eax;
						if(__eax != 0) {
							goto L96;
						}
						_push(__ebx);
						_push(__edi[0x94]);
						__eax =  *__esi();
						__eflags = __eax;
						if(__eax == 0) {
							goto L96;
						}
						__eax = __eax - __edi[0x94];
						goto L95;
					case 3:
						__ebx =  &(__edi[0x50]);
						__eflags = __ebx - __edi[0x50];
						if(__ebx == __edi[0x50]) {
							goto L82;
						}
						 *__esp = 0;
						__esi = __edi[0x54];
						__eflags = __esi - __ebx;
						if(__esi == __ebx) {
							goto L96;
						}
						__esp[2] = __edi;
						do {
							__eax =  *(__esi + 8);
							__eflags =  *(__esi + 8) - __ebp[4];
							if( *(__esi + 8) != __ebp[4]) {
								goto L24;
							}
							__eflags = __edi[0xa8];
							if(__edi[0xa8] != 0) {
								goto L24;
							}
							__edi = __ebp;
							__ebp =  *(__esi + 0x10);
							__eax = GetProcessHeap();
							__ebp = __edi;
							__edi = __esp[3];
							__eax = RtlAllocateHeap(__eax, 8,  *(__esi + 0x10)); // executed
							__edi[0xa8] = __eax;
							__eflags = __eax;
							if(__eax != 0) {
								__ecx =  *(__esi + 0x10);
								__edi[0xac] =  *(__esi + 0x10);
								__eax = E00403E90(__eax,  *(__esi + 0xc),  *(__esi + 0x10));
								goto L94;
							}
							L24:
							__esi =  *(__esi + 4);
							__eflags = __esi - __ebx;
						} while (__esi != __ebx);
						goto L96;
					case 4:
						 *__esp = 0;
						__edi[0x94] = __ebp[4] + __edi[0x94];
						__eax = IsBadCodePtr(__ebp[4] + __edi[0x94]);
						__eflags = __eax;
						if(__eax != 0) {
							goto L96;
						}
						__eax = __ebp[0xc];
						__eflags = __eax;
						if(__eax == 0) {
							goto L96;
						}
						__ebp[8] = __ebp[8] + __edi[0xa8];
						__edx =  &(__esp[3]);
						__eax = VirtualProtect(__ebp[8] + __edi[0xa8], __eax, __ebp[0x10],  &(__esp[3])); // executed
						goto L95;
					case 5:
						__eax = __ebp[4];
						__eflags = __eax;
						if(__eax == 0) {
							goto L82;
						}
						 *__esp = 0;
						__ecx =  *(__ebx + 0x18);
						__edx = __eax + 4;
						__edx = __eax + 0x00000004 | __eax;
						__esi = __ecx;
						__esi =  !__ecx;
						__eflags = __edx & __esi;
						if((__edx & __esi) == 0) {
							__ecx = __ecx & __eax;
							__eax = GetModuleHandleA(__ecx);
							__edi[0x94] = __eax;
							__ecx = 0;
							__eflags = __eax;
							__ecx = 0 | __eflags != 0x00000000;
							 *__esp = __eflags != 0;
						}
						goto L96;
					case 6:
						__ebx = __ebp[0xc];
						__eflags = __ebx;
						if(__ebx == 0) {
							goto L82;
						}
						 *__esp = 0;
						__ecx = __ebp[0x10];
						__eax = __esp[9];
						__eax = __esp[9][0x18];
						__edx = __ebx + __ecx;
						__edx = __ebx + __ecx | __ebx;
						__esi = __eax;
						__esi =  !__eax;
						__eflags = __edx & __esi;
						if((__edx & __esi) != 0) {
							goto L96;
						}
						__esi = __ebp[8];
						__eflags = __esi;
						if(__esi < 0) {
							goto L96;
						}
						__edx =  &(__edi[0x50]);
						__eflags = __edx - __edi[0x50];
						if(__edx == __edi[0x50]) {
							goto L96;
						}
						__esp[1] = __esi;
						__esi = __edi[0x54];
						__eflags = __esi - __edx;
						if(__esi == __edx) {
							goto L96;
						}
						__eax = __eax & __ebx;
						__edi = __esp[9];
						__eax = __eax + __esp[9][0x14];
						__eflags = __eax;
						__edi = __ebp[4];
						while(1) {
							__eflags =  *(__esi + 8) - __edi;
							if( *(__esi + 8) == __edi) {
								break;
							}
							__esi =  *(__esi + 4);
							__eflags = __esi - __edx;
							if(__esi != __edx) {
								continue;
							}
							goto L96;
						}
						__edx =  *(__esi + 0x10);
						__edi = __esp[1];
						__edx =  *(__esi + 0x10) - __edi;
						__eflags = __edx - __ecx;
						__edx =  >=  ? __ecx : __edx;
						__edi =  &(__edi[ *(__esi + 0xc)]);
						 *__esp = __edx;
						_push(__edx);
						_push(__eax);
						_push(__edi);
						goto L99;
					case 7:
						__ecx = __ebp[4];
						__eflags = __ecx - 0xfffffffe;
						if(__ecx == 0xfffffffe) {
							__eax = __edi[0x98];
							__eflags = __eax;
							if(__eax == 0) {
								goto L82;
							}
							 *__esp = 0;
							__ecx = __ebp[0xc];
							__eflags = __ecx;
							if(__ecx == 0) {
								goto L96;
							}
							__edx = __ebp[0x10];
							__esi =  *(__ebx + 0x18);
							__ebx =  &(__ecx[__edx]);
							__ebx =  &(__ecx[__edx]) | __ecx;
							__esi =  !__esi;
							__eflags = __ebx & __esi;
							if((__ebx & __esi) != 0) {
								goto L96;
							}
							__esi = __ebp[8];
							__eflags = __esi;
							__ebx = __esp[9];
							if(__esi < 0) {
								goto L96;
							}
							__ecx = __ecx &  *(__ebx + 0x18);
							__ecx =  &(__ecx[ *(__ebx + 0x14)]);
							__edi = __edi[0x9c];
							__edi = __edi - __esi;
							__eflags = __edx - __edi;
							__edi =  <  ? __edx : __edi;
							__eax = __eax + __esi;
							 *__esp = __edi;
							_push(__edi);
							_push(__eax);
							_push(__ecx);
							L99:
							__eax = E00403E90();
							__esp =  &(__esp[3]);
							goto L96;
						}
						 *__esp = 0;
						__eflags = __ecx - 0xffffffff;
						if(__ecx != 0xffffffff) {
							__ebx = __ebp[0xc];
							__eflags = __ebx;
							if(__ebx == 0) {
								goto L96;
							}
							__eax = __esp[9];
							__edx = __esp[9][0x18];
							__eax = __ebp[0x10];
							__esp[1] = __eax;
							__esi = __eax + __ebx;
							__esi = __eax + __ebx | __ebx;
							__eax = __edx;
							__eax =  !__edx;
							__eflags = __esi & __eax;
							if((__esi & __eax) != 0) {
								goto L96;
							}
							__esi = __ebp[8];
							__eflags = __esi;
							if(__esi < 0) {
								goto L96;
							}
							__ebp =  &(__edi[0x50]);
							__eflags = __ebp - __edi[0x50];
							if(__ebp == __edi[0x50]) {
								goto L96;
							}
							__edi = __edi[0x54];
							__eflags = __edi - __ebp;
							if(__edi == __ebp) {
								goto L96;
							}
							__edx = __edx & __ebx;
							__eax = __esp[9];
							__edx =  &(__esp[9][0x14][__edx]);
							__eflags = __edx;
							while(1) {
								__eflags = __edi[8] - __ecx;
								if(__edi[8] == __ecx) {
									break;
								}
								__edi = __edi[4];
								__eflags = __edi - __ebp;
								if(__edi != __ebp) {
									continue;
								}
								goto L96;
							}
							__eax = __edi[0x10];
							__eax = __edi[0x10] - __esi;
							__ecx = __esp[1];
							__eflags = __eax - __ecx;
							__eax =  >=  ? __ecx : __eax;
							__esi = __esi + __edi[0xc];
							__eflags = __esi;
							 *__esp = __eax;
							_push(__eax);
							_push(__esi);
							_push(__edx);
							goto L99;
						}
						__eax = __edi[0x94];
						__eflags = __eax;
						if(__eax == 0) {
							goto L96;
						}
						__ecx = __ebp[0xc];
						__eflags = __ecx;
						if(__ecx == 0) {
							goto L96;
						}
						__esi = __ebp[0x10];
						__edx =  *(__ebx + 0x18);
						__edi = __esi + __ecx;
						__edi = __esi + __ecx | __ecx;
						__edx =  !( *(__ebx + 0x18));
						__eflags = __edi & __edx;
						if((__edi & __edx) != 0) {
							goto L96;
						}
						__edx = __ebp[8];
						__eflags = __edx;
						if(__edx < 0) {
							goto L96;
						}
						__ecx = __ecx &  *(__ebx + 0x18);
						__ecx =  &(__ecx[ *(__ebx + 0x14)]);
						__eax = __eax + __edx;
						__eflags = __eax;
						_push(__esi);
						_push(__eax);
						_push(__ecx);
						L48:
						__eax = E00403E90();
						 *__esp = __esi;
						goto L96;
					case 8:
						__ecx =  &(__edi[0x50]);
						__eflags = __ecx - __edi[0x50];
						if(__ecx == __edi[0x50]) {
							goto L82;
						}
						 *__esp = 0;
						__eax = __edi[0x54];
						__eflags = __eax - __ecx;
						if(__eax == __ecx) {
							goto L96;
						}
						__edx = __ebp[4];
						while(1) {
							__eflags =  *((intOrPtr*)(__eax + 8)) - __edx;
							if( *((intOrPtr*)(__eax + 8)) == __edx) {
								break;
							}
							__eax =  *(__eax + 4);
							__eflags = __eax - __ecx;
							if(__eax != __ecx) {
								continue;
							}
							goto L96;
						}
						__ecx =  *__eax;
						__edx =  *(__eax + 4);
						 *( *(__eax + 4)) =  *__eax;
						__ecx =  *__eax;
						__edx =  *(__eax + 4);
						 *( *__eax + 4) =  *(__eax + 4);
						__eax = HeapFree(__edi[0xa4], 0, __eax);
						L94:
						__eax = 0;
						__eax = 1;
						__eflags = 1;
						goto L95;
					case 9:
						__ebx = __ebp[4];
						__eflags = __ebx;
						if(__ebx <= 0) {
							__eax = 0;
							__eax = 0xffffffffffffffff;
							goto L95;
						}
						 *__esp = 0;
						__eax = __ebx + 0x14;
						__eax = HeapAlloc(__edi[0xa4], 8, __ebx + 0x14);
						__eflags = __eax;
						if(__eax == 0) {
							goto L96;
						}
						__esi = __eax;
						 *(__eax + 0x10) = __ebx;
						 *(__esi + 0xc) = __eax;
						__eax =  &(__edi[0xa0]);
						 *(__esi + 8) = InterlockedIncrement( &(__edi[0xa0]));
						__eax =  &(__edi[0x50]);
						__ecx = __edi[0x50];
						 *__esi = __ecx;
						__ecx[4] = __esi;
						 *(__esi + 4) =  &(__edi[0x50]);
						__edi[0x50] = __esi;
						__eax =  *(__esi + 8);
						goto L95;
					case 0xa:
						 *__esp = 0;
						__eax = __ebp[4];
						__eflags = __eax;
						if(__eax == 0) {
							goto L96;
						}
						__ecx = __ebp[0xc];
						__edx =  *(__ebx + 0x18);
						__esi = __eax + __ecx;
						__esi = __eax + __ecx | __eax;
						__edi = __edx;
						__edi =  !__edx;
						__eflags = __esi & __edi;
						if((__esi & __edi) != 0) {
							goto L95;
						}
						__esi = __ebp[8];
						__eflags = __esi;
						if(__esi == 0) {
							goto L95;
						}
						__ebx = __esi + __ecx;
						__ebx = __esi + __ecx | __esi;
						__eflags = __ebx & __edi;
						if((__ebx & __edi) != 0) {
							goto L95;
						}
						__edi = __esp[9];
						__edi = __esp[9][0x14];
						__eax = __eax + __edi;
						__eax = E00403E90(__eax, __esi, __ecx);
						goto L66;
					case 0xb:
						 *__esp = 0;
						__eax = __ebp[4];
						__eflags = __eax;
						if(__eax == 0) {
							goto L96;
						}
						__edx = __ebp[0xc];
						__ecx =  *(__ebx + 0x18);
						__esi = __eax + __edx;
						__esi = __eax + __edx | __eax;
						__edi = __ecx;
						__edi =  !__ecx;
						__eflags = __esi & __edi;
						if((__esi & __edi) != 0) {
							L95:
							 *__esp = __eax;
							goto L96;
						}
						__ecx = __ecx & __eax;
						__eflags = __ecx;
						__eax = E00405040(__ecx, __ebp[8], __edx);
						L66:
						__esp =  &(__esp[3]);
						__eax = __ebp[4];
						goto L95;
				}
			}

0x004035f4
0x004035fd
0x00403603
0x00403b37
0x00403b37
0x00403bd4
0x00403bde
0x00403bde
0x0040360d
0x0040360f
0x00000000
0x00403616
0x0040361d
0x00403623
0x00000000
0x00000000
0x00403629
0x00403630
0x00403637
0x00403a35
0x00403a35
0x00403a37
0x00000000
0x00000000
0x00403a3d
0x00403a4e
0x00403a56
0x00000000
0x00000000
0x00403a5c
0x00403a5e
0x00403a69
0x00403ac1
0x00403ac4
0x00403ac7
0x00403ac9
0x00403acc
0x00403acf
0x00000000
0x00403a72
0x00403a72
0x00403a74
0x00403a74
0x00403a7a
0x00000000
0x00000000
0x00403a80
0x00403a85
0x00000000
0x00000000
0x00403a97
0x00403a9a
0x00403a9e
0x00403aa4
0x00403aa7
0x00403ab3
0x00403ab8
0x00403abb
0x00403abf
0x00000000
0x00000000
0x00000000
0x00403abf
0x00000000
0x00403a74
0x00403a69
0x0040363d
0x0040363f
0x0040364a
0x0040364d
0x00000000
0x00000000
0x00000000
0x0040364f
0x00000000
0x00000000
0x00403654
0x00403657
0x00403659
0x00000000
0x00000000
0x0040365f
0x00403666
0x00403669
0x0040366c
0x0040366f
0x00403671
0x00403673
0x00403675
0x00403677
0x00000000
0x00000000
0x0040367d
0x00403681
0x00403685
0x0040368b
0x0040368d
0x00000000
0x00000000
0x00403693
0x00403696
0x00403698
0x00000000
0x00000000
0x0040369e
0x004036a0
0x004036a3
0x004036a8
0x004036ae
0x004036b0
0x00000000
0x00000000
0x004036b7
0x004036bd
0x004036c1
0x004036c3
0x004036c6
0x004036c7
0x004036c8
0x00000000
0x00000000
0x004036ce
0x004036d5
0x004036db
0x004036df
0x004036e5
0x004036e7
0x00000000
0x00000000
0x004036ed
0x004036f3
0x004036f9
0x004036ff
0x00403701
0x00000000
0x00000000
0x00403707
0x00403708
0x0040370e
0x00403710
0x00403712
0x00000000
0x00000000
0x00403718
0x00000000
0x00000000
0x00403723
0x00403726
0x00403729
0x00000000
0x00000000
0x0040372f
0x00403736
0x00403739
0x0040373b
0x00000000
0x00000000
0x00403741
0x00403745
0x00403745
0x00403748
0x0040374b
0x00000000
0x00000000
0x0040374d
0x00403754
0x00000000
0x00000000
0x00403756
0x00403758
0x0040375b
0x00403762
0x00403764
0x0040376b
0x00403771
0x00403777
0x00403779
0x00403bb6
0x00403bb9
0x00403bc6
0x00000000
0x00403bcb
0x0040377f
0x0040377f
0x00403782
0x00403782
0x00000000
0x00000000
0x0040378b
0x00403798
0x0040379c
0x004037a2
0x004037a4
0x00000000
0x00000000
0x004037aa
0x004037ad
0x004037af
0x00000000
0x00000000
0x004037b8
0x004037be
0x004037c8
0x00000000
0x00000000
0x004037cf
0x004037d2
0x004037d4
0x00000000
0x00000000
0x004037da
0x004037e1
0x004037e4
0x004037e7
0x004037e9
0x004037eb
0x004037ed
0x004037ef
0x004037f5
0x004037fb
0x00403801
0x00403807
0x00403809
0x0040380b
0x0040380e
0x0040380e
0x00000000
0x00000000
0x00403816
0x00403819
0x0040381b
0x00000000
0x00000000
0x00403821
0x00403828
0x0040382b
0x0040382f
0x00403832
0x00403835
0x00403837
0x00403839
0x0040383b
0x0040383d
0x00000000
0x00000000
0x00403843
0x00403846
0x00403848
0x00000000
0x00000000
0x0040384e
0x00403851
0x00403854
0x00000000
0x00000000
0x0040385a
0x0040385e
0x00403861
0x00403863
0x00000000
0x00000000
0x00403869
0x0040386b
0x0040386f
0x0040386f
0x00403872
0x00403875
0x00403875
0x00403878
0x00000000
0x00000000
0x0040387e
0x00403881
0x00403883
0x00000000
0x00000000
0x00000000
0x00403885
0x00403bdf
0x00403be2
0x00403be6
0x00403be8
0x00403bea
0x00403bed
0x00403bf0
0x00403bf3
0x00403bf4
0x00403bf5
0x00000000
0x00000000
0x0040388a
0x0040388d
0x00403890
0x00403ad7
0x00403add
0x00403adf
0x00000000
0x00000000
0x00403ae1
0x00403ae8
0x00403aeb
0x00403aed
0x00000000
0x00000000
0x00403af3
0x00403af6
0x00403af9
0x00403afc
0x00403afe
0x00403b00
0x00403b02
0x00000000
0x00000000
0x00403b08
0x00403b0b
0x00403b0d
0x00403b11
0x00000000
0x00000000
0x00403b17
0x00403b1a
0x00403b1d
0x00403b23
0x00403b25
0x00403b27
0x00403b2a
0x00403b2c
0x00403b2f
0x00403b30
0x00403b31
0x00403c0f
0x00403c0f
0x00403c14
0x00000000
0x00403c14
0x00403896
0x0040389d
0x004038a0
0x00403b43
0x00403b46
0x00403b48
0x00000000
0x00000000
0x00403b4e
0x00403b52
0x00403b55
0x00403b58
0x00403b5c
0x00403b5f
0x00403b61
0x00403b63
0x00403b65
0x00403b67
0x00000000
0x00000000
0x00403b69
0x00403b6c
0x00403b6e
0x00000000
0x00000000
0x00403b70
0x00403b73
0x00403b76
0x00000000
0x00000000
0x00403b78
0x00403b7b
0x00403b7d
0x00000000
0x00000000
0x00403b7f
0x00403b81
0x00403b85
0x00403b85
0x00403b88
0x00403b88
0x00403b8b
0x00000000
0x00000000
0x00403b8d
0x00403b90
0x00403b92
0x00000000
0x00000000
0x00000000
0x00403b94
0x00403bf8
0x00403bfb
0x00403bfd
0x00403c01
0x00403c03
0x00403c06
0x00403c06
0x00403c09
0x00403c0c
0x00403c0d
0x00403c0e
0x00000000
0x00403c0e
0x004038a6
0x004038ac
0x004038ae
0x00000000
0x00000000
0x004038b4
0x004038b7
0x004038b9
0x00000000
0x00000000
0x004038bf
0x004038c2
0x004038c5
0x004038c8
0x004038ca
0x004038cc
0x004038ce
0x00000000
0x00000000
0x004038d4
0x004038d7
0x004038d9
0x00000000
0x00000000
0x004038df
0x004038e2
0x004038e5
0x004038e5
0x004038e7
0x004038e8
0x004038e9
0x004038ea
0x004038ea
0x004038f2
0x00000000
0x00000000
0x004038fa
0x004038fd
0x00403900
0x00000000
0x00000000
0x00403906
0x0040390d
0x00403910
0x00403912
0x00000000
0x00000000
0x00403918
0x0040391b
0x0040391b
0x0040391e
0x00000000
0x00000000
0x00403924
0x00403927
0x00403929
0x00000000
0x00000000
0x00000000
0x0040392b
0x00403b96
0x00403b98
0x00403b9b
0x00403b9d
0x00403b9f
0x00403ba2
0x00403bae
0x00403bce
0x00403bce
0x00403bd0
0x00403bd0
0x00000000
0x00000000
0x00403930
0x00403933
0x00403935
0x00403a2d
0x00403a2f
0x00000000
0x00403a2f
0x0040393b
0x00403942
0x0040394e
0x00403954
0x00403956
0x00000000
0x00000000
0x0040395c
0x0040395e
0x00403964
0x00403967
0x00403974
0x00403977
0x0040397a
0x0040397d
0x0040397f
0x00403982
0x00403985
0x00403988
0x00000000
0x00000000
0x00403990
0x00403997
0x0040399a
0x0040399c
0x00000000
0x00000000
0x004039a2
0x004039a5
0x004039a8
0x004039ab
0x004039ad
0x004039af
0x004039b1
0x004039b3
0x00000000
0x00000000
0x004039b9
0x004039bc
0x004039be
0x00000000
0x00000000
0x004039c4
0x004039c7
0x004039c9
0x004039cb
0x00000000
0x00000000
0x004039d1
0x004039d5
0x004039da
0x004039e3
0x00000000
0x00000000
0x004039ea
0x004039f1
0x004039f4
0x004039f6
0x00000000
0x00000000
0x004039fc
0x004039ff
0x00403a02
0x00403a05
0x00403a07
0x00403a09
0x00403a0b
0x00403a0d
0x00403bd1
0x00403bd1
0x00000000
0x00403bd1
0x00403a13
0x00403a15
0x00403a1d
0x00403a22
0x00403a22
0x00403a25
0x00000000
0x00000000

APIs

IsBadStringPtrA.KERNEL32 ref: 004036A8
lstrlenA.KERNEL32(?), ref: 004036B7
IsBadCodePtr.KERNEL32 ref: 004036DF
IsBadReadPtr.KERNEL32(00000000,0000000A), ref: 004036F9
GetProcessHeap.KERNEL32 ref: 0040375B
RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 0040376B
IsBadCodePtr.KERNEL32 ref: 0040379C
VirtualProtect.KERNEL32(00000000,?,?,?), ref: 004037C8
GetModuleHandleA.KERNEL32(?), ref: 004037FB
_memmove.LIBCMT ref: 004038EA
HeapAlloc.KERNEL32(?,00000008,?,?,?,?), ref: 0040394E
InterlockedIncrement.KERNEL32(?), ref: 0040396E
_memmove.LIBCMT ref: 004039E3
_memset.LIBCMT ref: 00403A1D
GetProcessHeap.KERNEL32 ref: 00403A44
HeapAlloc.KERNEL32(00000000,00000008), ref: 00403A4E
_memmove.LIBCMT ref: 00403C0F

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Heap$_memmove$AllocCodeProcess$AllocateHandleIncrementInterlockedModuleProtectReadStringVirtual_memsetlstrlen
String ID:
API String ID: 779832632-0
Opcode ID: 36606eeff70ce2228fa974d0bc36e6d0527d077cfa616246d1dcf083be8e82de
Instruction ID: 18fe11b212e25e669b99bde115275c2656a4e983ac33546e8f8470c30e468957
Opcode Fuzzy Hash: 36606eeff70ce2228fa974d0bc36e6d0527d077cfa616246d1dcf083be8e82de
Instruction Fuzzy Hash: D6028D717046059FDB14CF15C880A6ABBB9BF44709F05852EE889AB381EB38FE51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004033AD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401D90: HeapAlloc.KERNEL32(?,00000008,00000005), ref: 00401EC8
Part of subcall function 00401D90: _memset.LIBCMT ref: 00401EE3

GetSystemInfo.KERNEL32(?), ref: 0040342B
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 0040343A
IsBadReadPtr.KERNEL32(?,?), ref: 00403465
VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403482

Strings

NBWEBELCHSCNTYEAIDAU7UNMEKOW8B9AIDCR8ACEL8BGMOX9DNJNFC6G5GGQOMUMIGPVIXSXPYW8FFIM4XFVBMPZT6E884HU5JCXD6SLP4E4ZTBRSI8G5V5JJKCUCJNDTRBCUFQ5OCXUIR684VO5YI4XGPPBE7DMVWEEK7QQDAUUYCKLRFQARAMLJ8DZX6PI48LRZQMD5AKKYATK5JWKB4MLMC9W7GAWS94RW7HIQEXQQBHAKVZRMGXFDLTSVQN98QNE, xrefs: 004033C3

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: QueryVirtual$AllocHeapInfoReadSystem_memset
String ID: NBWEBELCHSCNTYEAIDAU7UNMEKOW8B9AIDCR8ACEL8BGMOX9DNJNFC6G5GGQOMUMIGPVIXSXPYW8FFIM4XFVBMPZT6E884HU5JCXD6SLP4E4ZTBRSI8G5V5JJKCUCJNDTRBCUFQ5OCXUIR684VO5YI4XGPPBE7DMVWEEK7QQDAUUYCKLRFQARAMLJ8DZX6PI48LRZQMD5AKKYATK5JWKB4MLMC9W7GAWS94RW7HIQEXQQBHAKVZRMGXFDLTSVQN98QNE
API String ID: 1206223359-227829153
Opcode ID: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
Instruction ID: 7b70796847b5c35266444012e9009b90b86d0cfec45d5ba9348df9edce5bcf87
Opcode Fuzzy Hash: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
Instruction Fuzzy Hash: 7141D631904300ABD301DF15DD85A2BBBE8BF84705F04883EF988B72A1D778EA55CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0081092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 0081095F
GetProcAddress., xrefs: 008109DC, 008109DF, 008109E4
l, xrefs: 00810966

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a7102a0f231689fd65fa398c2c22b4531c2a6e7a60fdd3dc0dfb7c8f969c8fff
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DD3118B6900619DFDB10CF99C880AEDBBF9FF48324F25414AD441E7211D7B1AA85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402E10 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 343
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E00402E10(intOrPtr __ecx, void* __edx) {
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				long _v44;
				signed int _v48;
				long _v52;
				intOrPtr _v56;
				signed int _v60;
				void* _v64;
				signed int _v65;
				void* _v68;
				signed int _v72;
				long _v76;
				signed int _v80;
				long _v84;
				long _v88;
				long _v92;
				signed int _v96;
				long _v100;
				void* _t167;
				void* _t171;
				signed int _t174;
				intOrPtr _t175;
				void* _t177;
				void* _t195;
				signed char _t219;
				long* _t225;
				signed int _t226;
				signed int _t227;
				signed char _t228;
				signed int _t237;
				signed int _t248;
				long _t270;
				signed int* _t280;
				intOrPtr* _t281;
				signed int* _t285;
				signed int _t294;
				signed int _t302;
				intOrPtr _t306;
				signed int _t307;
				signed int _t313;
				signed int* _t315;
				signed int* _t316;
				void* _t323;
				void* _t324;
				signed int* _t327;
				signed int* _t328;

				_v20 = __ecx;
				_v24 = 0;
				_t167 = HeapCreate(0, 0x100000, 0x1000000); // executed
				_t323 =  &_v80 - 0xc;
				_v64 = _t167;
				_v32 = 0x40e260;
				_v36 = 0x42782c;
				if(_v64 == 0) {
					return 0x42782c;
				}
				_t171 = HeapAlloc(_v64, 8, 0xb0);
				_t324 = _t323 - 0xc;
				_v68 = _t171;
				if(_v68 == 0) {
					L57:
					HeapDestroy(_v64); // executed
					_t174 =  &_v36;
					_v96 = _t174;
					L00401003();
					return _t174;
				}
				_v52 = 0;
				_v44 = 0;
				_t175 =  *0x400000; // 0x905a4d
				_v28 = _t175;
				_t177 = HeapAlloc(_v64, 8, 0x40);
				_t327 = _t324 - 0xc;
				_v72 = _t177;
				if(_v72 == 0) {
					L54:
					if( *((intOrPtr*)(_v68 + 0xa8)) != 0) {
						 *0x42c000 =  *((intOrPtr*)(_v68 + 0xa8));
					}
					HeapFree(_v64, 0, _v68);
					_t324 = _t327 - 0xc;
					goto L57;
				}
				 *(_v68 + 0xa0) = 0;
				 *((intOrPtr*)(_v68 + 0xa4)) = _v64;
				 *((intOrPtr*)(_v68 + 4)) = _v68;
				 *((intOrPtr*)(_v68 + 0x50)) = _v68 + 0x50;
				 *((intOrPtr*)(_v68 + 0x54)) = _v68 + 0x50;
				 *((intOrPtr*)(_v68 + 0x58)) = _v68 + 0x58;
				 *((intOrPtr*)(_v68 + 0x5c)) = _v68 + 0x58;
				_v96 = GetProcessHeap();
				_v92 = 0;
				_v88 = 0xbebc200;
				_t195 = RtlAllocateHeap(??, ??, ??); // executed
				_t328 = _t327 - 0xc;
				_v60 = _t195;
				if(_v60 != 0) {
					 *_t328 = _v60;
					_v100 = 0x90;
					_v96 = 0xbebc200;
					E00405040();
					_v52 = 1;
					 *_t328 = GetProcessHeap();
					_v100 = 0;
					_v96 = _v60;
					RtlFreeHeap(??, ??, ??); // executed
					_t328 = _t328 - 0xc;
				}
				if(_v52 == 0) {
					L49:
					 *_t328 = _v72;
					_v100 = 0;
					_v96 = _v80;
					HeapFree(??, ??, ??);
					_t327 = _t328 - 0xc;
					while((((_v76 + 0x00000050 & 0xffffff00 | _v76 + 0x00000050 ==  *(_v76 + 0x50)) ^ 0x000000ff) & 0x00000001) != 0) {
						_v64 =  *((intOrPtr*)(_v76 + 0x54));
						_v48 = _v64;
						 *( *(_v64 + 4)) =  *_v64;
						 *((intOrPtr*)( *_v64 + 4)) =  *((intOrPtr*)(_v64 + 4));
						 *_t327 = _v72;
						_v100 = 0;
						_v96 = _v48;
						HeapFree(??, ??, ??);
						_t327 = _t327 - 0xc;
					}
					goto L54;
				} else {
					E0040333C(_v80);
					 *_t328 = _v80;
					_v100 = _v76;
					E0040155F();
					 *_t328 = _v76;
					_v84 = 0;
					_v88 = 0;
					_v92 = 0;
					_v96 = 0x7d0;
					_v100 = E004033AD;
					E004015D1();
					if(E0040354F(_v80) == 0) {
						L48:
						E004035D2(_v80);
						goto L49;
					}
					_v56 = E0040354F(_v80);
					while(1) {
						_t219 = 0;
						if(_v56 != 0) {
							_t219 = _v80 & 0xffffff00 |  *((intOrPtr*)(_v80 + 0x18)) == 0x00000000;
						}
						if((_t219 & 0x00000001) == 0) {
							break;
						}
						 *_t328 = _v80;
						E00401547();
						 *_t328 = _v80;
						E00401C01();
						_t313 = _v80;
						_t225 = _t313 + 0x28;
						_t270 =  *(_t313 + 0x28);
						if(_t270 == 0) {
							L26:
							_t226 = _v80;
							_t315 = _t226 + 0x2c;
							_t227 =  *(_t226 + 0x2c);
							if(_t227 == 0) {
								L39:
								_t228 = 0;
								if( *((intOrPtr*)(_v80 + 0x28)) == 0) {
									_t228 = 0;
									if( *((intOrPtr*)(_v80 + 0x2c)) == 0) {
										_t228 = 0;
										if( *((intOrPtr*)(_v80 + 0x18)) == 0) {
											_t228 = 1;
											if( *((intOrPtr*)(_v80 + 4)) <= 0) {
												_t228 = (_v80 + 0x00000010 & 0xffffff00 | _v80 + 0x00000010 ==  *(_v80 + 0x10)) ^ 0x000000ff;
											}
										}
									}
								}
								E0040356B(_v80, _t228 & 1);
								_v56 = E0040354F(_v80);
								continue;
							}
							do {
								 *_t315 =  *(_t227 + 0x18);
								_t280 = _t227 + 0x1c;
								_t294 =  *(_t227 + 0x1c);
								 *(_t227 + 0x1c) = _t294 & 0xfffffffb;
								_t306 =  *((intOrPtr*)(_t227 + 0xc));
								if(_t306 == 1) {
									if((_t294 & 0x00000001) != 0 &&  *((intOrPtr*)(_t227 + 0x50)) == 0) {
										 *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x14)))) =  *((intOrPtr*)(_t227 + 0x10));
										 *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x10)) + 4)) =  *((intOrPtr*)(_t227 + 0x14));
										 *((intOrPtr*)( *((intOrPtr*)(_t227 + 8)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t227 + 8)) + 4)) + 0xffffffff;
										 *_t280 =  *_t280 | 0x00000002;
										_t281 =  *_t227;
										if(_t281 != 0) {
											 *_t328 = _t227;
											 *_t281();
										}
									}
								} else {
									if(_t306 == 3) {
										_v100 = _t227;
										E0040159F();
									}
								}
								_t227 =  *_t315;
							} while (_t227 != 0);
							goto L39;
						}
						_t307 =  *(_t270 + 0x28);
						 *_t225 = 0;
						if(_t307 == 0) {
							goto L26;
						}
						_t316 = _t313 + 0x2c;
						_t248 = _t307;
						while(1) {
							_t237 = _t248;
							_t248 =  *(_t237 + 0x28);
							_v65 = _t248 == _t307;
							if( *((intOrPtr*)(_t237 + 4)) == 1) {
								_t237 =  *_t237;
								 *((char*)(_t237 + 0x50)) = 0;
								_t285 = _t237 + 0x1c;
								_t302 =  *(_t237 + 0x1c);
								if((_t302 & 0x00000001) != 0) {
									if((_t302 & 0x00000004) == 0) {
										 *_t285 = _t302 | 0x00000004;
										 *(_t237 + 0x18) =  *_t316;
										 *_t316 = _t237;
									}
								} else {
									 *_t328 = _t237;
									_v100 = 0;
									_t237 =  *((intOrPtr*)(_t237 + 0x4c))();
								}
							}
							if(((_v65 | _t237 & 0xffffff00 | _t248 == 0x00000000) & 0x00000001) != 0) {
								break;
							}
						}
						goto L26;
					}
					if( *((intOrPtr*)(_v80 + 0x18)) != 0) {
						 *(_v80 + 0x18) = 0;
					}
					goto L48;
				}
			}

0x00402e17
0x00402e1b
0x00402e3c
0x00402e42
0x00402e45
0x00402e4f
0x00402e59
0x00402e62
0x004032ff
0x004032ff
0x00402e7f
0x00402e85
0x00402e88
0x00402e91
0x004032d9
0x004032e0
0x004032e9
0x004032ed
0x004032f0
0x00000000
0x004032f5
0x00402e97
0x00402e9f
0x00402ea7
0x00402eac
0x00402ec7
0x00402ecd
0x00402ed0
0x00402ed9
0x0040329b
0x004032a6
0x004032b2
0x004032b2
0x004032d0
0x004032d6
0x00000000
0x004032d6
0x00402ee3
0x00402ef5
0x00402f03
0x00402f11
0x00402f1f
0x00402f31
0x00402f3f
0x00402f4c
0x00402f4f
0x00402f57
0x00402f5f
0x00402f65
0x00402f68
0x00402f71
0x00402f77
0x00402f7a
0x00402f82
0x00402f8a
0x00402f8f
0x00402fa3
0x00402fa6
0x00402fae
0x00402fb2
0x00402fb8
0x00402fb8
0x00402fc0
0x00403208
0x00403212
0x00403215
0x0040321d
0x00403221
0x00403227
0x0040322a
0x0040324a
0x00403252
0x00403263
0x00403272
0x00403281
0x00403284
0x0040328c
0x00403290
0x00403296
0x00403296
0x00000000
0x00402fc6
0x00402fca
0x00402fd7
0x00402fda
0x00402fde
0x00402fe7
0x00402fea
0x00402ff2
0x00402ffa
0x00403002
0x0040300a
0x00403012
0x00403023
0x004031ff
0x00403203
0x00000000
0x00403203
0x00403032
0x00403036
0x00403036
0x0040303d
0x00403047
0x00403047
0x0040304c
0x00000000
0x00000000
0x00403057
0x0040305a
0x00403063
0x00403066
0x0040306b
0x00403071
0x00403074
0x0040307a
0x004030f6
0x004030f6
0x004030fc
0x004030ff
0x00403105
0x00403185
0x00403189
0x0040318f
0x00403195
0x0040319b
0x004031a1
0x004031a7
0x004031ad
0x004031b3
0x004031c6
0x004031c6
0x004031b3
0x004031a7
0x0040319b
0x004031d1
0x004031df
0x00000000
0x004031df
0x00403109
0x0040310c
0x00403110
0x00403113
0x0040311b
0x0040311e
0x00403126
0x00403142
0x00403152
0x0040315a
0x00403166
0x0040316e
0x00403170
0x00403175
0x00403177
0x0040317a
0x0040317a
0x00403175
0x00403128
0x0040312d
0x00403131
0x00403135
0x00403135
0x0040312d
0x0040317c
0x0040317e
0x00000000
0x00403183
0x0040307c
0x0040307f
0x00403088
0x00000000
0x00000000
0x0040308a
0x0040308d
0x0040308f
0x0040308f
0x00403091
0x00403096
0x0040309f
0x004030a1
0x004030a3
0x004030a9
0x004030ac
0x004030b7
0x004030d3
0x004030d8
0x004030dc
0x004030df
0x004030df
0x004030b9
0x004030bb
0x004030be
0x004030c6
0x004030c6
0x004030b7
0x004030f0
0x00000000
0x00000000
0x004030f2
0x00000000
0x004030f4
0x004031f0
0x004031f6
0x004031f6
0x00000000
0x004031fd

APIs

HeapCreate.KERNEL32 ref: 00402E3C
HeapAlloc.KERNEL32 ref: 00402E7F
HeapAlloc.KERNEL32 ref: 00402EC7
GetProcessHeap.KERNEL32 ref: 00402F44
RtlAllocateHeap.NTDLL ref: 00402F5F
_memset.LIBCMT ref: 00402F8A
GetProcessHeap.KERNEL32 ref: 00402F9B
RtlFreeHeap.NTDLL ref: 00402FB2

Part of subcall function 00401547: GetTickCount.KERNEL32 ref: 0040154C

HeapFree.KERNEL32 ref: 00403221
HeapFree.KERNEL32 ref: 00403290
HeapFree.KERNEL32 ref: 004032D0
HeapDestroy.KERNELBASE ref: 004032E0

Strings

@, xrefs: 00402EBF

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Heap$Free$AllocProcess$AllocateCountCreateDestroyTick_memset
String ID: @
API String ID: 4248398568-2766056989
Opcode ID: 225788086ac077eb0789f98910688fef8e81866165107ad6d3efbe899e85fed5
Instruction ID: c05b7a645e7ad465c47936c3bd6be05441c51df40352e2428c51edaecc661efd
Opcode Fuzzy Hash: 225788086ac077eb0789f98910688fef8e81866165107ad6d3efbe899e85fed5
Instruction Fuzzy Hash: 80F119705083019FD304DF28C58871ABFE1BF88359F15896EE4899B3A1D779D98ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 0081003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0081024D

Strings

kernel32.dll, xrefs: 0081008F, 00810095
cess, xrefs: 0081018D

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f6093475901ca60e80cc3f331bc2662dae69c62b94434f60525690b1d0a0d3c1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9F526874A012299FDB64CF58C984BA8BBB5BF09304F1480E9E94DAB251DB70AEC4DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00401D24 Relevance: 4.5, APIs: 3, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401D24(void* __eax, intOrPtr* _a4) {
				void* _t14;
				void* _t15;
				void* _t16;
				int _t17;
				intOrPtr* _t26;

				_t26 = _a4;
				if( *((intOrPtr*)(_t26 + 0x24)) != 0) {
					 *((intOrPtr*)(_t26 + 0x30)) = 4;
					return __eax;
				}
				_t14 =  *(_t26 + 0xc);
				if(_t14 != 0) {
					HeapFree( *( *_t26 + 0xa4), 0, _t14);
					 *(_t26 + 0xc) = 0;
				}
				_t15 =  *(_t26 + 0x14);
				if(_t15 != 0) {
					RtlFreeHeap( *( *_t26 + 0xa4), 0, _t15); // executed
					 *(_t26 + 0x14) = 0;
				}
				_t16 =  *(_t26 + 0x20);
				if(_t16 != 0) {
					_t17 = HeapFree( *( *_t26 + 0xa4), 0, _t16);
					 *(_t26 + 0x20) = 0;
					return _t17;
				}
				return _t16;
			}

0x00401d26
0x00401d2e
0x00401d30
0x00000000
0x00401d30
0x00401d39
0x00401d3e
0x00401d4c
0x00401d52
0x00401d52
0x00401d55
0x00401d5a
0x00401d68
0x00401d6e
0x00401d6e
0x00401d71
0x00401d76
0x00401d84
0x00401d8a
0x00000000
0x00401d8a
0x00401d8f

APIs

HeapFree.KERNEL32(?,00000000,?), ref: 00401D4C
RtlFreeHeap.NTDLL(?,00000000,?), ref: 00401D68
HeapFree.KERNEL32(?,00000000,?), ref: 00401D84

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8fcf7ed74e1b87765ee9f6bd72872f884c70992ff707c6bc6807c26051d81fb6
Instruction ID: 12117413f669b41ab4b891788d10b24941a6278ed6d7b4da1c78066b9bf9729a
Opcode Fuzzy Hash: 8fcf7ed74e1b87765ee9f6bd72872f884c70992ff707c6bc6807c26051d81fb6
Instruction Fuzzy Hash: B301FF752016009FE7308F27ED48E23BBF9FFC5704B14497EA69A976A0C775A802CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00810E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000400,?,?,00810223,?,?), ref: 00810E19
SetErrorMode.KERNEL32(00000000,?,?,00810223,?,?), ref: 00810E1E

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 38a33d7cf77271eff4fc9badce6bc49676e91161f5414cc284fa2bfc160f7c8c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5AD0123114512877DB002A95DC09BCD7B1CDF05B62F008411FB0DD9080C7B0998046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00402DC0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00402DC0(void* _a4, void* _a8, intOrPtr _a12, void* _a16) {
				intOrPtr _v4;
				void* _t14;
				intOrPtr* _t15;

				_v4 = 0;
				E00402E10(_a12, _t14);
				 *_t15 = 0; // executed
				ExitProcess(??);
			}

0x00402dd3
0x00402ddf
0x00402de6
0x00402ded

APIs

Part of subcall function 00402E10: HeapCreate.KERNEL32 ref: 00402E3C
Part of subcall function 00402E10: HeapAlloc.KERNEL32 ref: 00402E7F
Part of subcall function 00402E10: HeapAlloc.KERNEL32 ref: 00402EC7
Part of subcall function 00402E10: GetProcessHeap.KERNEL32 ref: 00402F44
Part of subcall function 00402E10: RtlAllocateHeap.NTDLL ref: 00402F5F
Part of subcall function 00402E10: _memset.LIBCMT ref: 00402F8A
Part of subcall function 00402E10: GetProcessHeap.KERNEL32 ref: 00402F9B
Part of subcall function 00402E10: RtlFreeHeap.NTDLL ref: 00402FB2

ExitProcess.KERNEL32 ref: 00402DED

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Heap$Process$Alloc$AllocateCreateExitFree_memset
String ID:
API String ID: 2964914810-0
Opcode ID: 32de8c49f61589b41c1f49aa65d0db61a0727ec2d96777d69fbfb0dcd33f96eb
Instruction ID: eec5627ee04d9acc81671ed1c066db47198043e7e1978f33e740ab5e90dd8be2
Opcode Fuzzy Hash: 32de8c49f61589b41c1f49aa65d0db61a0727ec2d96777d69fbfb0dcd33f96eb
Instruction Fuzzy Hash: 06D06CB42083028FC340EF18D685B0EBBE0AB88701F004C2DF8D4A3390C7B4E8588B63

Uniqueness

Uniqueness Score: -1.00%

Function 004035D2 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004035D2(void* __ecx) {
				void* _t3;
				int _t4;
				void* _t6;

				_t3 =  *(__ecx + 0x1c);
				if(_t3 != 0xffffffff) {
					_t6 = __ecx;
					_t4 = FindCloseChangeNotification(_t3); // executed
					 *((intOrPtr*)(_t6 + 0x1c)) = 0xffffffff;
					return _t4;
				}
				return _t3;
			}

0x004035d3
0x004035d9
0x004035db
0x004035de
0x004035e4
0x00000000
0x004035e4
0x004035ec

APIs

FindCloseChangeNotification.KERNEL32(?,?,00403208), ref: 004035DE

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ca0b2121bcc4b15e5a6c556a80ac75337720196cc70b71ed24dde49f4a00437e
Instruction ID: 6e1aa0057afca782a479451429e762898b2965b49fd59f5b16cf7e1d0c4450cf
Opcode Fuzzy Hash: ca0b2121bcc4b15e5a6c556a80ac75337720196cc70b71ed24dde49f4a00437e
Instruction Fuzzy Hash: 01C08CB0004B204BC6284F2CAC4C4423668AA013313340F5AE031E73E0C7B4DC438B80

Uniqueness

Uniqueness Score: -1.00%

Function 00810920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00810929

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
Instruction ID: f1a77b98683cafb1fb7459b4dcf7902f75ab8b99c0f73db378513641b05b932d
Opcode Fuzzy Hash: a81f69529bcf2872433a6626b6dddab0307a3207cad9c1e7665d850a07e5ea8b
Instruction Fuzzy Hash: 1190026038415011D820259C4C02B0510021751634F3047107170B91D4D84496144126

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008183DA Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00815621,?,?,?,0042E3BC), ref: 008183DF
UnhandledExceptionFilter.KERNEL32(?,?,?,0042E3BC), ref: 008183E8

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
Instruction ID: ff498d75d80fdc37cc2eb3243abac809d1af37299bd5b94b69569364edcb6727
Opcode Fuzzy Hash: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
Instruction Fuzzy Hash: B1B09231044208ABCB002BA2EE09B58BF68EB09762F004824F64D580628B72A4308A99

Uniqueness

Uniqueness Score: -1.00%

Function 00408173 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408173(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x00408178
0x00408188

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004053BA,?,?,?,00000000), ref: 00408178
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00408181

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
Instruction ID: ff498d75d80fdc37cc2eb3243abac809d1af37299bd5b94b69569364edcb6727
Opcode Fuzzy Hash: 880da359c61c9ccd7a524984b0fc02d210c0cde66001c6a88c2f91b8ea5dee79
Instruction Fuzzy Hash: B1B09231044208ABCB002BA2EE09B58BF68EB09762F004824F64D580628B72A4308A99

Uniqueness

Uniqueness Score: -1.00%

Function 0081C2B3 Relevance: 1.9, APIs: 1, Instructions: 418COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: f83eac01144a14e9fabaf636d2d7c722066e4f850ca66a16e55a14a35c1fa842
Instruction ID: 1b63b6afa651f1bffdec27e254b7e96a87482af86aaee28926cbb1df1021c11e
Opcode Fuzzy Hash: f83eac01144a14e9fabaf636d2d7c722066e4f850ca66a16e55a14a35c1fa842
Instruction Fuzzy Hash: 89F14876E402598BDB24CFA9C4806EDFBB9FF58314F64812AD859EB384E7349C81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 008183B7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,008174CB,00407219), ref: 008183BD

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
Instruction ID: 128312d1311c2f82a6a49dad589f4aa67e25fd1615101857f4746837d799de39
Opcode Fuzzy Hash: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
Instruction Fuzzy Hash: AAA0113000020CABCB002BA2EE088883FACEA082A0B000820F80C080208B32A8208A88

Uniqueness

Uniqueness Score: -1.00%

Function 00408150 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408150(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x0040815d

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00407264,00407219), ref: 00408156

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
Instruction ID: 128312d1311c2f82a6a49dad589f4aa67e25fd1615101857f4746837d799de39
Opcode Fuzzy Hash: efc721f8a985ba7de1e74a8019bc030391d3ddba8b72fd49cf719b29c061e006
Instruction Fuzzy Hash: AAA0113000020CABCB002BA2EE088883FACEA082A0B000820F80C080208B32A8208A88

Uniqueness

Uniqueness Score: -1.00%

Function 0081167B Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
Instruction ID: 32b2adb4c8af835eca7cb2f91dfb3b3c4af9f5bc3f71f74192eda4de9f35fe3f
Opcode Fuzzy Hash: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
Instruction Fuzzy Hash: 9441DA71A056018BD704CE1AC88845BF7E3FFD9204B5BC66CD58D9B7A9D630E846CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00401414 Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E00401414(intOrPtr* _a4, char* _a8, signed int* _a12, intOrPtr _a16, signed int* _a20) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _t30;
				signed int _t31;
				unsigned int _t32;
				signed int _t33;
				signed int* _t35;
				signed int _t39;
				intOrPtr _t48;
				char* _t49;
				intOrPtr _t79;
				unsigned int _t88;
				void* _t89;
				signed int* _t90;
				signed int _t91;
				intOrPtr _t92;
				intOrPtr* _t94;

				_t35 = _a12;
				_t30 = _a4;
				_t88 =  *(_t30 + 0x40);
				_t79 =  *_t30;
				_v20 =  *((intOrPtr*)(_t30 + 4));
				_t48 =  *((intOrPtr*)(_t30 + 8));
				_t92 =  *((intOrPtr*)(_t30 + 0xc));
				_t33 =  *_t35;
				asm("bswap ebx");
				_t31 = _t35[1];
				asm("bswap eax");
				_t39 = (_t88 >> 0x1f) + _t88 >> 1;
				if(_a16 == 0) {
					if(_t88 < 2) {
						L9:
						asm("rol cx, 0x8");
						_t49 = _a8;
						 *((short*)(_t49 + 2)) = _t33;
						 *((char*)(_t49 + 1)) = _t33 >> 0x10;
						 *_t49 = _t33 >> 0x18;
						 *(_t49 + 7) = _t31;
						 *(_t49 + 6) = _t31;
						 *((char*)(_t49 + 5)) = _t31 >> 0x10;
						_t32 = _t31 >> 0x18;
						 *(_t49 + 4) = _t32;
						return _t32;
					}
					_t89 = 0x9e3779b9;
					_v24 = _t48;
					 *_t94 = _t92;
					do {
						_t33 = _t33 + ((_t31 >> 0x00000005) + _v20 ^ _t31 + _t89 ^ (_t31 << 0x00000004) + _t79);
						_t31 = _t31 + ((_t33 >> 0x00000005) +  *_t94 ^ _t89 + _t33 ^ (_t33 << 0x00000004) + _v24);
						_t89 = _t89 + 0x9e3779b9;
						_t39 = _t39 - 1;
					} while (_t39 != 0);
					goto L9;
				}
				if(_t88 < 2) {
					L4:
					_t90 = _a20;
					if(_t90 != 0) {
						asm("bswap ecx");
						_t33 = _t33 ^  *_t90;
						asm("bswap edx");
						_t31 = _t31 ^ _t90[1];
						asm("movsd xmm0, [ecx]");
						asm("movsd [esi], xmm0");
					}
					goto L9;
				}
				_t91 = _t39 * 0x9e3779b9;
				 *_t94 = _t79;
				_v24 = _t48;
				do {
					_t31 = _t31 - ((_t33 >> 0x00000005) + _t92 ^ _t33 + _t91 ^ (_t33 << 0x00000004) + _v24);
					_t33 = _t33 - ((_t31 >> 0x00000005) + _v20 ^ _t91 + _t31 ^ (_t31 << 0x00000004) +  *_t94);
					_t91 = _t91 + 0x61c88647;
					_t39 = _t39 - 1;
				} while (_t39 != 0);
				goto L4;
			}

0x0040141b
0x0040141f
0x00401423
0x00401426
0x0040142b
0x0040142f
0x00401432
0x00401435
0x00401437
0x00401439
0x0040143c
0x00401445
0x0040144c
0x004014c2
0x00401510
0x00401512
0x00401516
0x0040151a
0x00401523
0x00401529
0x0040152b
0x0040152e
0x00401536
0x00401539
0x0040153c
0x00401546
0x00401546
0x004014c4
0x004014c9
0x004014cd
0x004014d0
0x004014e9
0x00401505
0x00401507
0x0040150d
0x0040150d
0x00000000
0x004014d0
0x00401451
0x0040149c
0x0040149c
0x004014a2
0x004014a9
0x004014ab
0x004014ad
0x004014af
0x004014b5
0x004014b9
0x004014b9
0x00000000
0x004014a2
0x00401453
0x00401459
0x0040145c
0x00401460
0x00401477
0x00401491
0x00401493
0x00401499
0x00401499
0x00000000

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
Instruction ID: ea091c4cf95a06f6a9f0a2c21ca28a0348a097a7891f51faddf94781dd302523
Opcode Fuzzy Hash: 4c3fcfc09d67d64e7d7e9e626ce8ca91d044c177f0f2fcb27dc057783bb4c131
Instruction Fuzzy Hash: 44418571A056018BD304CE2AC88445BF7E3EFD9314B5AC66DD58DAB7A9D930E845CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00810D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 3178929b01d798fa34d4ef378dbf52f0378e04f11d2b01edb067f4173028140d
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: CC01DF72A006048FDB21CF60DC04BEA33A9FF86306F1545A4D90AD7285E3B0A8C18F80

Uniqueness

Uniqueness Score: -1.00%

Function 00813077 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 343
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32 ref: 008130A3
RtlAllocateHeap.NTDLL ref: 008130E6
RtlAllocateHeap.NTDLL ref: 0081312E
GetProcessHeap.KERNEL32 ref: 008131AB
RtlAllocateHeap.NTDLL ref: 008131C6
GetProcessHeap.KERNEL32 ref: 00813202
HeapFree.KERNEL32 ref: 00813219

Part of subcall function 008117AE: GetTickCount.KERNEL32 ref: 008117B3

HeapFree.KERNEL32 ref: 00813488
HeapFree.KERNEL32 ref: 008134F7
HeapFree.KERNEL32 ref: 00813537
HeapDestroy.KERNEL32 ref: 00813547

Strings

@, xrefs: 00813126

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: Heap$Free$Allocate$Process$CountCreateDestroyTick
String ID: @
API String ID: 463782701-2766056989
Opcode ID: 9987667864bc4dd8a25f1a563ba09b02a637d5a8444b02c06aec76deb7dbc244
Instruction ID: 6f2afb8636d665e5ccd088299a6c50276fa036cf0733dd73bf2917b450884bea
Opcode Fuzzy Hash: 9987667864bc4dd8a25f1a563ba09b02a637d5a8444b02c06aec76deb7dbc244
Instruction Fuzzy Hash: D6F1F3B0508301CFD304DF28D188B5ABBE5FF88318F15896DE4999B3A1D775D989CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00407919 Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00407919(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0x42aa50);
				E004081F0(__ebx, __edi, __esi);
				E00409225(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x42f5a0 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E004090A3();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x42f5a0 = _t81;
						 *0x42f588 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x42f5a0;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x42f5a0 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x42e560; // 0x96d490
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -4388244
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E00407BDD();
							L2:
							_t86 = 1;
							L3:
							return E00408235(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x42f588 < _t135) {
							_t138 = E004090A3(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x42f5a0[_t149] = _t138;
								 *0x42f588 =  *0x42f588 + _t141;
								while(_t138 <  &(0x42f5a0[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x42f588;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x42f5a0[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E0040AC60(_t155, 0x42c198, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E0040AC60(_t155, 0x42c198, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x00407919
0x0040791b
0x00407920
0x00407927
0x0040792d
0x0040792f
0x00407938
0x00407958
0x0040795c
0x0040795d
0x0040795e
0x00407965
0x00407967
0x0040796c
0x00407985
0x0040798a
0x00407990
0x00407999
0x0040799f
0x004079a2
0x004079a5
0x004079ae
0x004079b1
0x004079b7
0x004079ba
0x004079bd
0x004079c0
0x004079c3
0x004079c3
0x004079ce
0x004079d9
0x00407b08
0x00407b08
0x00407b08
0x00407b0e
0x00000000
0x00000000
0x00407b19
0x00407b1f
0x00407b25
0x00407b3a
0x00407b40
0x00407b47
0x00407b4c
0x00407b4e
0x00407b42
0x00407b44
0x00407b44
0x00407b58
0x00407b5d
0x00407ba4
0x00407baa
0x00407bad
0x00407bb3
0x00407bba
0x00407bbf
0x00407bbf
0x00000000
0x00407b63
0x00407b64
0x00407b6c
0x00000000
0x00000000
0x00407b6e
0x00407b70
0x00407b78
0x00407b85
0x00407b90
0x00407b95
0x00407b99
0x00407b9f
0x00000000
0x00407b9f
0x00407b8b
0x00407b8d
0x00407b8d
0x00000000
0x00407b8d
0x00407b7e
0x00000000
0x00407b7e
0x00407b2c
0x00407b32
0x00407bc6
0x00407bc6
0x00000000
0x00407bc6
0x00407b25
0x00407bcc
0x00407bd3
0x0040794d
0x0040794f
0x00407950
0x00407955
0x00407955
0x004079df
0x004079e4
0x00000000
0x00000000
0x004079ea
0x004079ec
0x004079ef
0x004079f2
0x004079f7
0x00407a01
0x00407a03
0x00407a05
0x00407a05
0x00407a0a
0x00407a0b
0x00407a0e
0x00407a20
0x00407a22
0x00407a27
0x00407abb
0x00407ac2
0x00407ac8
0x00407ad8
0x00407ade
0x00407ae1
0x00407ae4
0x00407ae8
0x00407aee
0x00407af1
0x00407af4
0x00407af7
0x00407af7
0x00407afc
0x00407afd
0x00407b00
0x00000000
0x00407b00
0x00407a2d
0x00407a33
0x00000000
0x00407a33
0x00407a36
0x00407a38
0x00407a3b
0x00407a3e
0x00407a41
0x00407a49
0x00407a4e
0x00407aa8
0x00407aa8
0x00407aa9
0x00407aaf
0x00407ab0
0x00407ab3
0x00407ab6
0x00000000
0x00407a55
0x00407a55
0x00407a59
0x00000000
0x00000000
0x00407a5d
0x00407a6d
0x00407a7a
0x00407a81
0x00407a86
0x00407a8d
0x00407a95
0x00407a99
0x00407a9f
0x00407aa2
0x00407aa5
0x00407aa5
0x00000000
0x00407aa5
0x00407a60
0x00407a66
0x00407a6b
0x00000000
0x00000000
0x00000000
0x00407a6b
0x00407a4e
0x00000000
0x00407a41
0x00407979
0x00407981
0x00000000
0x00407981
0x00407945
0x00000000

APIs

__lock.LIBCMT ref: 00407927

Part of subcall function 00409225: __mtinitlocknum.LIBCMT ref: 00409237
Part of subcall function 00409225: EnterCriticalSection.KERNEL32(00000000,?,00405A23,0000000D), ref: 00409250

@_EH4_CallFilterFunc@8.LIBCMT ref: 00407945
__calloc_crt.LIBCMT ref: 0040795E
@_EH4_CallFilterFunc@8.LIBCMT ref: 00407979
GetStartupInfoW.KERNEL32(?,0042AA50,00000064), ref: 004079CE
__calloc_crt.LIBCMT ref: 00407A19
GetFileType.KERNEL32(00000001), ref: 00407A60
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 00407A99
GetStdHandle.KERNEL32(-000000F6), ref: 00407B52
GetFileType.KERNEL32(00000000), ref: 00407B64
InitializeCriticalSectionAndSpinCount.KERNEL32(-0042F594,00000FA0), ref: 00407B99

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__lock__mtinitlocknum
String ID:
API String ID: 1456538442-0
Opcode ID: 6d9b8ba4f36c0ed21241421c23b7c2f9eb2ecc0d04ff1b18c8fdbda1afe8968a
Instruction ID: d8c233d70c1a9e53d9c76028d0cf452cbb115d68185ddd2d1e64d5a2a2f0abc9
Opcode Fuzzy Hash: 6d9b8ba4f36c0ed21241421c23b7c2f9eb2ecc0d04ff1b18c8fdbda1afe8968a
Instruction Fuzzy Hash: 7191D770E082559FDB24CF68C84056DBBB0AF09328B64467ED4A6B73D1D73CA943CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004010B0 Relevance: 16.6, APIs: 11, Instructions: 135
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004010B0(void* _a4, intOrPtr _a8, CHAR* _a12) {
				char _v20;
				char _v24;
				void* __edi;
				char _t12;
				void* _t14;
				CHAR* _t16;
				int _t20;
				void* _t25;
				void* _t27;
				void _t28;
				void* _t30;
				void* _t32;
				CHAR* _t33;
				CHAR* _t35;
				void _t36;
				char _t39;
				void* _t40;
				CHAR* _t41;
				int _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;

				_t35 = _a12;
				_t42 = lstrlenA(_t35);
				_t12 = 0;
				if(_a8 != 0 && _t35 != 0 && _t42 != 0) {
					_t44 = _a4;
					_t4 = _t42 + 1; // 0x1
					_t14 = HeapAlloc(_t44, 8, _t4);
					_t40 = _t14;
					if(_t14 != 0) {
						E00403E90(_t40, _t35, _t42);
						_t45 = _t45 + 0xc;
					}
					_t43 = E00401240(_t40);
					_t12 = 0;
					if(_t43 != 0) {
						_v20 = 0;
						_v24 = 0;
						_push(0x40e2f8);
						_t16 = E004044D4(_t40, _t43);
						_t46 = _t45 + 8;
						if(_t16 == 0) {
							L23:
							HeapFree(_t44, 0, _t43);
							asm("movsd xmm0, [esp]");
							asm("movsd [eax], xmm0");
							return 1;
						}
						_t41 = _t16;
						while(1) {
							_t20 = lstrlenA(_t41);
							_t6 = _t20 - 3; // -3
							if(_t6 < 0xfffffffe) {
								break;
							}
							_t39 =  *_t41;
							if(_t39 != 0x3f) {
								if(_t20 == 2) {
									_t25 = E0040476D(_t39);
									_t46 = _t46 + 4;
									if(_t25 == 0) {
										break;
									}
									_push(_t41[1]);
									L17:
									_t27 = E0040476D();
									_t46 = _t46 + 4;
									if(_t27 == 0) {
										break;
									}
									_t28 = E004049BE(_t41, 0, 0x10);
									_t46 = _t46 + 0xc;
									_t36 = _t28;
									if(_t28 + 0xffffff00 < 0xffffff01) {
										break;
									}
									_t30 = HeapAlloc(_t44, 8, 2);
									if(_t30 == 0) {
										break;
									}
									 *_t30 = _t36;
									 *((char*)(_t30 + 1)) = 0;
									L21:
									_t32 = E00401009(_t44,  &_v20, _t30);
									_t46 = _t46 + 0xc;
									if(_t32 == 0) {
										break;
									}
									_push(0x40e2f8);
									_t33 = E004044D4(_t41, 0);
									_t46 = _t46 + 8;
									_t41 = _t33;
									if(_t33 != 0) {
										continue;
									}
									goto L23;
								}
								if(_t20 != 1) {
									break;
								}
								_push(_t39);
								goto L17;
							}
							_t30 = HeapAlloc(_t44, 8, 2);
							if(_t30 == 0) {
								break;
							}
							 *_t30 = 0x100;
							goto L21;
						}
						E00401062(_t44, _t46);
						HeapFree(_t44, 0, _t43);
						return 0;
					}
				}
				return _t12;
			}

0x004010b7
0x004010c2
0x004010c4
0x004010cb
0x004010e1
0x004010e5
0x004010ec
0x004010f2
0x004010f6
0x004010fb
0x00401100
0x00401100
0x0040110a
0x0040110c
0x00401110
0x00401116
0x0040111a
0x0040111d
0x00401123
0x00401128
0x0040112d
0x004011f9
0x004011fd
0x00401203
0x0040120c
0x00000000
0x00401210
0x00401133
0x00401135
0x00401136
0x0040113c
0x00401142
0x00000000
0x00000000
0x00401148
0x0040114e
0x0040116d
0x0040117c
0x00401181
0x00401186
0x00000000
0x00000000
0x00401190
0x00401191
0x00401191
0x00401196
0x0040119b
0x00000000
0x00000000
0x004011a2
0x004011a7
0x004011aa
0x004011b6
0x00000000
0x00000000
0x004011bd
0x004011c5
0x00000000
0x00000000
0x004011c7
0x004011c9
0x004011cd
0x004011d4
0x004011d9
0x004011de
0x00000000
0x00000000
0x004011e0
0x004011e7
0x004011ec
0x004011ef
0x004011f3
0x00000000
0x00000000
0x00000000
0x004011f3
0x00401172
0x00000000
0x00000000
0x00401178
0x00000000
0x00401178
0x00401155
0x0040115d
0x00000000
0x00000000
0x00401163
0x00000000
0x00401163
0x00401218
0x00401224
0x00000000
0x0040122a
0x00401110
0x00401233

APIs

lstrlenA.KERNEL32(?), ref: 004010BC
HeapAlloc.KERNEL32(?,00000008,00000001), ref: 004010EC
_memmove.LIBCMT ref: 004010FB
_strtok.LIBCMT ref: 00401123
lstrlenA.KERNEL32(00000000), ref: 00401136
HeapAlloc.KERNEL32(?,00000008,00000002), ref: 00401155
_strtoul.LIBCMT ref: 004011A2
HeapAlloc.KERNEL32(?,00000008,00000002), ref: 004011BD
_strtok.LIBCMT ref: 004011E7
HeapFree.KERNEL32(?,00000000,00000000), ref: 004011FD
HeapFree.KERNEL32(?,00000000,00000000), ref: 00401224

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Heap$Alloc$Free_strtoklstrlen$_memmove_strtoul
String ID:
API String ID: 3388104993-0
Opcode ID: 19af556fbfa5abccf98dd01959ffd7e175d170726f9d7fbf2c399ddbfaaea6fb
Instruction ID: adb70b9a9e510087b00887aa7310bd40e72bf33555e17388a9d105d8259b2b63
Opcode Fuzzy Hash: 19af556fbfa5abccf98dd01959ffd7e175d170726f9d7fbf2c399ddbfaaea6fb
Instruction Fuzzy Hash: 084154716402016BE620AB715C45B2F369C9F92705F04057AFE49FA3E2EB7CD810827E

Uniqueness

Uniqueness Score: -1.00%

Function 008153AE Relevance: 16.6, APIs: 11, Instructions: 84COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 008153AE

Part of subcall function 0081834A: GetStartupInfoW.KERNEL32(?), ref: 00818354

_fast_error_exit.LIBCMT ref: 00815427
_fast_error_exit.LIBCMT ref: 00815438
__RTC_Initialize.LIBCMT ref: 0081543E
__ioinit0.LIBCMT ref: 00815447
GetCommandLineA.KERNEL32(0042A940,00000014), ref: 0081544C
___crtGetEnvironmentStringsA.LIBCMT ref: 00815457
__setargv.LIBCMT ref: 00815461
__setenvp.LIBCMT ref: 00815472
__cinit.LIBCMT ref: 00815485
__wincmdln.LIBCMT ref: 00815496

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__ioinit0__setargv__setenvp__wincmdln
String ID:
API String ID: 1504447550-0
Opcode ID: 28e409208f6a583abcc2e46a45fb4fa7619360811febab490d0ff8c411d4b446
Instruction ID: ff36cfa308532f13fa22d7ec5b83dd6ef9a39e1930014cfdbcf0cab487948605
Opcode Fuzzy Hash: 28e409208f6a583abcc2e46a45fb4fa7619360811febab490d0ff8c411d4b446
Instruction Fuzzy Hash: 8E21C4B0608B01DAE6607BBCA843BED21ACFF50755F10402AF514EA1D2DFB489C0865F

Uniqueness

Uniqueness Score: -1.00%

Function 00405147 Relevance: 16.6, APIs: 11, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 94%

			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr _t27;
				signed int _t37;
				void* _t46;
				signed int _t49;
				void* _t51;
				void* _t53;

				_t47 = __edi;
				E00407F41();
				_push(0x14);
				_push(0x42a940);
				E004081F0(__ebx, __edi, __esi);
				_t49 = E004080E3() & 0x0000ffff;
				E00407EF4(2);
				_t53 =  *0x400000 - 0x5a4d; // 0x5a4d
				if(_t53 == 0) {
					_t17 =  *0x40003c; // 0xe8
					if( *((intOrPtr*)(_t17 + 0x400000)) != 0x4550 ||  *((intOrPtr*)(_t17 + 0x400018)) != 0x10b) {
						goto L2;
					} else {
						_t37 = 0;
						if( *((intOrPtr*)(_t17 + 0x400074)) > 0xe) {
							_t37 = 0 |  *((intOrPtr*)(_t17 + 0x4000e8)) != 0x00000000;
						}
					}
				} else {
					L2:
					_t37 = 0;
				}
				 *(_t51 - 0x1c) = _t37;
				if(E004078C9() == 0) {
					E00405295(0x1c);
				}
				if(E00405A8D(_t37, _t47) == 0) {
					_t19 = E00405295(0x10);
				}
				E00407FDB(_t19);
				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
				E004078FA();
				 *0x42f6b4 = GetCommandLineA();
				 *0x42d8e4 = E0040801D();
				if(E00407BE6() < 0) {
					E0040740B(8);
				}
				if(E00407E13(_t37, _t46, _t47, _t49) < 0) {
					E0040740B(9);
				}
				if(E00407445(_t47, _t49, 1) != 0) {
					E0040740B(_t26);
				}
				_t27 = E00408189();
				E00402DC0(0x400000, 0, _t27, _t49);
				_t50 = _t27;
				 *((intOrPtr*)(_t51 - 0x24)) = _t27;
				if(_t37 == 0) {
					E0040769D(_t50);
				}
				E00407436();
				 *(_t51 - 4) = 0xfffffffe;
				return E00408235(_t50);
			}

0x00405147
0x00405147
0x00405151
0x00405153
0x00405158
0x00405162
0x00405167
0x00405172
0x00405179
0x0040517f
0x0040518e
0x00000000
0x0040519e
0x0040519e
0x004051a7
0x004051af
0x004051af
0x004051a7
0x0040517b
0x0040517b
0x0040517b
0x0040517b
0x004051b2
0x004051bc
0x004051c0
0x004051c5
0x004051cd
0x004051d1
0x004051d6
0x004051d7
0x004051dc
0x004051e0
0x004051eb
0x004051f5
0x00405201
0x00405205
0x0040520a
0x00405212
0x00405216
0x0040521b
0x00405226
0x00405229
0x0040522e
0x0040522f
0x0040523d
0x00405242
0x00405244
0x00405249
0x0040524c
0x0040524c
0x00405251
0x00405286
0x00405294

APIs

___security_init_cookie.LIBCMT ref: 00405147

Part of subcall function 004080E3: GetStartupInfoW.KERNEL32(?), ref: 004080ED

_fast_error_exit.LIBCMT ref: 004051C0
_fast_error_exit.LIBCMT ref: 004051D1
__RTC_Initialize.LIBCMT ref: 004051D7
__ioinit0.LIBCMT ref: 004051E0
GetCommandLineA.KERNEL32(0042A940,00000014), ref: 004051E5
___crtGetEnvironmentStringsA.LIBCMT ref: 004051F0
__setargv.LIBCMT ref: 004051FA
__setenvp.LIBCMT ref: 0040520B
__cinit.LIBCMT ref: 0040521E
__wincmdln.LIBCMT ref: 0040522F

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: _fast_error_exit$CommandEnvironmentInfoInitializeLineStartupStrings___crt___security_init_cookie__cinit__ioinit0__setargv__setenvp__wincmdln
String ID:
API String ID: 1504447550-0
Opcode ID: 5091f19cf1d2d0efae3902bc976b102684804c8af962033a60bb9866b8b03b4e
Instruction ID: 7656a2e4cd24e693345d71f8b590176bc8e33421cfbb194d0ef5fa04866332ae
Opcode Fuzzy Hash: 5091f19cf1d2d0efae3902bc976b102684804c8af962033a60bb9866b8b03b4e
Instruction Fuzzy Hash: B821A370E05B019AEA207BB6A946B2B2660DF1071CF1444BFF504BE1C3DE7C98419E5F

Uniqueness

Uniqueness Score: -1.00%

Function 0081DF1D Relevance: 13.6, APIs: 9, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

__ioinit.LIBCMT ref: 0081DF20

Part of subcall function 00817B45: InitOnceExecuteOnce.KERNELBASE(0042E2A4,00407919,00000000,00000000), ref: 00817B53

__get_osfhandle.LIBCMT ref: 0081DF34
__get_osfhandle.LIBCMT ref: 0081DF5F
__get_osfhandle.LIBCMT ref: 0081DF68
__get_osfhandle.LIBCMT ref: 0081DF74
CloseHandle.KERNEL32(00000000,?,?,?,0081DEC8,?,0042ABF8,00000010,0081DA21,00000000,?,?,?), ref: 0081DF7B
GetLastError.KERNEL32(?,0081DEC8,?,0042ABF8,00000010,0081DA21,00000000,?,?,?), ref: 0081DF85
__free_osfhnd.LIBCMT ref: 0081DF92
__dosmaperr.LIBCMT ref: 0081DFB4

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
Instruction ID: 4e73f1b440c9bcc6565a79a14c7d022c80e5dc3ef24f470d1f614b891aedb752
Opcode Fuzzy Hash: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
Instruction Fuzzy Hash: B411293260931429D224267CA905BFE779DFF41B34F250329F92BCB1D2EF6089D39152

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCB6 Relevance: 13.6, APIs: 9, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040DCB6(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E004078DE(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E0040B164(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x42f5a0;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E0040B164(2);
							if(E0040B164(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E0040B164(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E0040B0DE(_t35);
					 *((char*)( *((intOrPtr*)(0x42f5a0 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E00405465(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x0040dcb9
0x0040dcc0
0x0040dcc9
0x0040dcd6
0x0040dd28
0x0040dd28
0x0040dcd8
0x0040dcd8
0x0040dce0
0x0040dcee
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dcf6
0x0040dcf6
0x0040dcf8
0x0040dd0a
0x00000000
0x0040dd0c
0x0040dd0c
0x0040dd1c
0x00000000
0x0040dd1e
0x0040dd24
0x0040dd24
0x0040dd1c
0x0040dd0a
0x0040dce0
0x0040dd2b
0x0040dd43
0x0040dd4a
0x0040dd58
0x0040dd4c
0x0040dd53
0x0040dd53
0x0040dd5d
0x0040dcc2
0x0040dcc6
0x0040dcc6

APIs

__ioinit.LIBCMT ref: 0040DCB9

Part of subcall function 004078DE: InitOnceExecuteOnce.KERNEL32(0042E2A4,00407919,00000000,00000000,0040859F), ref: 004078EC

__get_osfhandle.LIBCMT ref: 0040DCCD
__get_osfhandle.LIBCMT ref: 0040DCF8
__get_osfhandle.LIBCMT ref: 0040DD01
__get_osfhandle.LIBCMT ref: 0040DD0D
CloseHandle.KERNEL32(00000000,?,?,?,0040DC61,?,0042ABF8,00000010,0040D7BA,00000000,?,?,?), ref: 0040DD14
GetLastError.KERNEL32(?,0040DC61,?,0042ABF8,00000010,0040D7BA,00000000,?,?,?), ref: 0040DD1E
__free_osfhnd.LIBCMT ref: 0040DD2B
__dosmaperr.LIBCMT ref: 0040DD4D

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
Instruction ID: b5644f32911bfeff68ee668ed1238c02b022121f98cde97332d5b29546b81a7c
Opcode Fuzzy Hash: d2438c5fb670a26b2348fa00dcc0a8356172505d00fbda55304707cfc3045808
Instruction Fuzzy Hash: 81112932E0522015E22026B9690977B37588F91B78F19433FF918FB2D2EB7C9C89C19D

Uniqueness

Uniqueness Score: -1.00%

Function 00811317 Relevance: 12.1, APIs: 8, Instructions: 135memorystringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00811323
RtlAllocateHeap.NTDLL(?,00000008,00000001), ref: 00811353
lstrlen.KERNEL32(00000000), ref: 0081139D
RtlAllocateHeap.NTDLL(?,00000008,00000002), ref: 008113BC
_strtoul.LIBCMT ref: 00811409
RtlAllocateHeap.NTDLL(?,00000008,00000002), ref: 00811424
HeapFree.KERNEL32(?,00000000,00000000), ref: 00811464
HeapFree.KERNEL32(?,00000000,00000000), ref: 0081148B

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$Freelstrlen$_strtoul
String ID:
API String ID: 2433434082-0
Opcode ID: fa84e4cfab8044eda6926e8daa913f167c4d2fff0d77b2e3c74cd1e50dc6a334
Instruction ID: 2e3af76123238451de0618879ee79feb5227a41665206266c431ec57c990cc3e
Opcode Fuzzy Hash: fa84e4cfab8044eda6926e8daa913f167c4d2fff0d77b2e3c74cd1e50dc6a334
Instruction Fuzzy Hash: 01418C715042052BEB205B315C8DFFB369EFF52B41F040534FF4AE6282EB64D884827A

Uniqueness

Uniqueness Score: -1.00%

Function 00813614 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

Part of subcall function 00811FF7: RtlAllocateHeap.NTDLL(?,00000008,00000005), ref: 0081212F

GetSystemInfo.KERNEL32(?), ref: 00813692
VirtualQuery.KERNEL32(00000000,?,0000001C), ref: 008136A1
IsBadHugeReadPtr.KERNEL32(?,?), ref: 008136CC
VirtualQuery.KERNEL32(?,?,0000001C), ref: 008136E9

Strings

h<@, xrefs: 00813784
h<@, xrefs: 00813772

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: QueryVirtual$AllocateHeapHugeInfoReadSystem
String ID: h<@$h<@
API String ID: 3767855565-1657133309
Opcode ID: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
Instruction ID: 2433df62ffd39350bdd5030a19e09ee9fd55cb7f813bcd143734b7a8aca0b83c
Opcode Fuzzy Hash: 4ff5aaeeb5f67d026d3ffe850bf1d0f0a7a951b8df9de8d3dbf3024610f1c49c
Instruction Fuzzy Hash: B941F6B1908300ABD7009F15C985A9ABBECFF94314F048D3DF888E7251E770EA94CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00815CF4 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00815CF4

Part of subcall function 00817751: RtlEncodePointer.NTDLL(00000000), ref: 00817754
Part of subcall function 00817751: __initp_misc_winsig.LIBCMT ref: 00817775

__mtinitlocks.LIBCMT ref: 00815CF9

Part of subcall function 008195BB: InitializeCriticalSectionAndSpinCount.KERNEL32(0042CBF0,00000FA0,?,?,00815CFE,00815432,0042A940,00000014), ref: 008195D9

__mtterm.LIBCMT ref: 00815D02

Part of subcall function 00815D6A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 008194D7
Part of subcall function 00815D6A: _free.LIBCMT ref: 008194DE
Part of subcall function 00815D6A: RtlDeleteCriticalSection.NTDLL(0042CBF0), ref: 00819500

__calloc_crt.LIBCMT ref: 00815D27
__initptd.LIBCMT ref: 00815D49
GetCurrentThreadId.KERNEL32 ref: 00815D50

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: d6beeba81231d8d1cf061db1e581590a50f42152415eea8aa51c551dd52fd4f2
Instruction ID: a8f631a2fed2eeb556ad1e1932930875b088dbcf9311a2bc5b2e0b1e1262812e
Opcode Fuzzy Hash: d6beeba81231d8d1cf061db1e581590a50f42152415eea8aa51c551dd52fd4f2
Instruction Fuzzy Hash: 05F09032109B119AE6343BBDBC0BADA268DFF41730B244A39F4A4D50D2EE6084C2469A

Uniqueness

Uniqueness Score: -1.00%

Function 00405A8D Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405A8D(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E004074EA(_t3);
				if(E00409354() != 0) {
					_t6 = E004080A8(_t5, E00405823);
					 *0x42c194 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E004090A3(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E00405B03();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E004080D2(_t9,  *0x42c194, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E004059E1(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E00405B03();
					return 0;
				}
			}

0x00405a8d
0x00405a99
0x00405aa8
0x00405aae
0x00405ab3
0x00405ab6
0x00000000
0x00405ab8
0x00405ac5
0x00405ac9
0x00405acb
0x00405afa
0x00405afa
0x00405aff
0x00405b02
0x00405acd
0x00405adb
0x00405add
0x00000000
0x00405adf
0x00405adf
0x00405ae1
0x00405ae2
0x00405ae9
0x00405aef
0x00405af3
0x00405af7
0x00405af9
0x00405af9
0x00405add
0x00405acb
0x00405a9b
0x00405a9b
0x00405a9b
0x00405aa2
0x00405aa2

APIs

__init_pointers.LIBCMT ref: 00405A8D

Part of subcall function 004074EA: EncodePointer.KERNEL32(00000000,?,00405A92,004051CB,0042A940,00000014), ref: 004074ED
Part of subcall function 004074EA: __initp_misc_winsig.LIBCMT ref: 0040750E

__mtinitlocks.LIBCMT ref: 00405A92

Part of subcall function 00409354: InitializeCriticalSectionAndSpinCount.KERNEL32(0042CBF0,00000FA0,?,?,00405A97,004051CB,0042A940,00000014), ref: 00409372

__mtterm.LIBCMT ref: 00405A9B

Part of subcall function 00405B03: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00405AA0,004051CB,0042A940,00000014), ref: 00409270
Part of subcall function 00405B03: _free.LIBCMT ref: 00409277
Part of subcall function 00405B03: DeleteCriticalSection.KERNEL32(0042CBF0,?,?,00405AA0,004051CB,0042A940,00000014), ref: 00409299

__calloc_crt.LIBCMT ref: 00405AC0
__initptd.LIBCMT ref: 00405AE2
GetCurrentThreadId.KERNEL32 ref: 00405AE9

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: 8c6357fa2dfdbcdb92e4daf8882d4245a40bf1d3c2794c25404fe2e1b107c065
Instruction ID: a0fb9120c6b0d80f9ae17e211b5da191d5ca47b69b926c9a59b862a4de3ec27b
Opcode Fuzzy Hash: 8c6357fa2dfdbcdb92e4daf8882d4245a40bf1d3c2794c25404fe2e1b107c065
Instruction Fuzzy Hash: 05F0A932648B121EE224B7767D0B25B3684CB10339B204A3FF459F40D2EE7CA8428D9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401D90 Relevance: 9.3, APIs: 6, Instructions: 272
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401D90() {
				long _t96;
				signed int _t98;
				signed int _t102;
				signed int _t104;
				signed int _t107;
				signed int _t110;
				signed int _t111;
				signed int _t116;
				signed int _t117;
				void* _t120;
				signed int _t121;
				void* _t122;
				signed int _t123;
				signed int _t125;
				signed int _t128;
				intOrPtr _t129;
				signed char _t130;
				intOrPtr _t132;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				void* _t141;
				signed int _t142;
				signed int _t144;
				signed int _t146;
				intOrPtr _t147;
				void* _t148;
				void* _t149;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				intOrPtr _t154;
				signed int _t156;
				signed int _t157;
				signed int* _t158;
				void* _t160;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				signed int _t175;
				signed int* _t177;
				void* _t209;

				_t158 = _t177[0xc];
				_t160 = 0xffffffffffffffff;
				if(_t158 == 0) {
					L42:
					return _t160;
				}
				if(_t177[0x10] == 0) {
					_t158[0xc] = 3;
					goto L42;
				}
				_t121 = _t177[0xe];
				_t92 = _t177[0xd];
				asm("xorps xmm0, xmm0");
				asm("movups [edi+0x24], xmm0");
				asm("movups [edi+0x14], xmm0");
				asm("movups [edi+0x4], xmm0");
				 *_t158 = _t177[0xd];
				if(_t121 == 0) {
					L39:
					_t158[0xc] = 2;
					L40:
					E00401D24(_t92, _t158);
					goto L42;
				}
				_t92 = _t177[0xf];
				if(_t92 - 0x400001 < 0xffc00020 ||  *_t121 != 0x14744214) {
					goto L39;
				} else {
					_t128 = 0;
					do {
						 *((intOrPtr*)(_t128 + 0x42d8c0)) =  *((intOrPtr*)(_t121 + _t128));
						_t128 = _t128 + 4;
					} while (_t128 != 0x20);
					_t129 =  *0x42d8dc; // 0x11000
					if(_t129 < 0) {
						goto L39;
					}
					_t146 =  *0x42d8d4; // 0x10
					 *_t177 = _t146;
					if(_t146 < 0) {
						goto L39;
					}
					_t147 =  *0x42d8d8; // 0x0
					if(_t147 < 0) {
						goto L39;
					}
					_t161 =  *0x42d8cc; // 0xfe8
					_t177[1] = _t161;
					if(_t161 <= 0) {
						goto L39;
					}
					_t162 =  *0x42d8c8; // 0x20
					if(_t162 < 0) {
						goto L39;
					}
					_t177[4] = _t162;
					_t163 =  *0x42d8d0; // 0x1008
					_t177[3] = _t163;
					_t164 = _t177[4];
					if(_t177[3] < 0 ||  *0x42d8c4 <= 0 || _t129 > 0xa00000 || _t164 + _t177[1] > _t92) {
						goto L39;
					} else {
						_t148 = _t147 +  *_t177;
						if(_t177[3] + _t148 > _t92) {
							goto L39;
						}
						_t149 = _t148 + _t129;
						_t130 = 0;
						do {
							_t169 = 1 << _t130;
							_t130 = _t130 + 1;
						} while (_t149 > 1);
						_t16 = _t169 + 4; // 0x5
						_t96 = _t16;
						_t158[7] = _t96;
						_t92 = HeapAlloc( *( *_t158 + 0xa4), 8, _t96);
						_t158[5] = _t92;
						_t158[6] = _t169 - 1;
						if(_t92 == 0) {
							goto L39;
						}
						E00405040(_t92, 0, _t158[7]);
						_t98 =  *0x42d8d0; // 0x1008
						_t171 =  *0x42d8d4; // 0x10
						_t132 =  *0x42d8d8; // 0x0
						E00403E90(_t158[5], _t98 + _t121, _t132 + _t171);
						_t177 =  &(_t177[6]);
						if(_t171 <= 0) {
							L23:
							_t158[2] = _t177[0x10];
							_t102 =  *0x42d8c4; // 0x4db
							_t158[0xa] = _t102;
							_t92 = HeapAlloc( *( *_t158 + 0xa4), 8, _t102 << 2);
							_t158[8] = _t92;
							if(_t92 == 0) {
								_t158[0xc] = 0xd;
								goto L40;
							}
							_t158[9] = 0;
							_t104 =  *0x42d8cc; // 0xfe8
							_t158[4] = _t104;
							_t92 = HeapAlloc( *( *_t158 + 0xa4), 8, _t104 << 2);
							_t158[3] = _t92;
							if(_t92 == 0) {
								goto L40;
							}
							_t122 = _t121 +  *0x42d8c8;
							E00403E90(_t92, _t122, _t158[4]);
							_t177 =  &(_t177[3]);
							if( *0x42d8c4 <= 0) {
								L57:
								_t107 = _t158[6];
								_t158[1] = _t107 + 1;
								_t158[0xb] = _t107 + 0xffff0001;
								_t160 = 0;
								goto L42;
							}
							_t177[1] = _t158[3];
							_t110 =  *0x42d8cc; // 0xfe8
							_t177[6] = _t110;
							_t150 = 0;
							_t111 =  *0x42d8c4; // 0x4db
							_t177[2] = _t111;
							_t137 = 0;
							_t172 = 0;
							while(1) {
								_t177[4] = _t150;
								 *(_t158[8] + _t150 * 4) = _t137;
								_t151 =  *(_t122 + _t172) & 0x000000ff;
								_t92 = _t177[1];
								_t177[3] = _t137;
								 *(_t177[1] + _t137 * 4) = _t151;
								if(_t172 > _t177[6]) {
									break;
								}
								_t138 = _t172 + 1;
								_t48 = _t151 - 0xb; // -11
								_t92 = _t48;
								if(_t48 < 0x10) {
									L31:
									_t139 =  *(_t122 + _t138);
									 *_t177 = 5;
									L32:
									_t152 = _t177[3];
									 *(_t177[1] + 4 + _t152 * 4) = _t139;
									_t137 = _t152 + 2;
									_t153 = _t177[4];
									_t172 =  *_t177 + _t172;
									L33:
									_t150 = _t153 + 1;
									if(_t150 < _t177[2]) {
										continue;
									}
									_t123 = _t177[1];
									if(_t177[2] > 0) {
										_t141 = 0;
										_t116 =  *0x42d8c4; // 0x4db
										 *_t177 = _t116;
										_t92 = 0;
										do {
											_t154 =  *((intOrPtr*)(_t123 + _t92 * 4));
											if(_t154 - 0xb >= 0x10) {
												_t83 = _t92 + 1; // 0x1
												_t175 = _t83;
												__eflags = _t154 + 0xfffffffd - 0x1f;
												if(__eflags <= 0) {
													asm("bt ebx, edx");
													if(__eflags < 0) {
														_t117 = _t92 + 2;
														__eflags = _t117;
														_t175 = _t117;
													}
												}
												_t123 = _t177[1];
												_t156 = _t177[2];
												goto L56;
											}
											_t125 =  *(_t123 + 4 + _t92 * 4);
											_t173 = 7;
											if(_t125 < 0 || _t125 > _t158[0xa]) {
												L45:
												_t158[0xc] = _t173;
												goto L40;
											} else {
												_t157 = _t177[1];
												 *((intOrPtr*)(_t157 + 4 + _t92 * 4)) =  *((intOrPtr*)(_t158[8] + _t125 * 4));
												_t123 = _t157;
												_t156 =  *_t177;
												_t175 = _t92 + 2;
											}
											L56:
											_t141 = _t141 + 1;
											_t92 = _t175;
											_t177[2] = _t156;
										} while (_t141 < _t156);
									}
									goto L57;
									L35:
									__eflags = _t177[5] - 0x1e;
									if(_t177[5] != 0x1e) {
										L37:
										__eflags = _t151 - 0x3b;
										if(_t151 > 0x3b) {
											_t173 = 0xe;
											goto L45;
										}
										_t137 = _t177[3] + 1;
										_t153 = _t177[4];
										_t172 =  *_t177;
										goto L33;
									}
									_t139 =  *(_t122 +  *_t177) & 0x000000ff;
									 *_t177 = 2;
									goto L32;
								}
								 *_t177 = _t138;
								_t49 = _t151 - 3; // -3
								_t142 = _t49;
								_t209 = _t142 - 0x1f;
								if(_t209 > 0) {
									goto L37;
								}
								_t92 = 0x80000063;
								_t177[5] = _t142;
								asm("bt eax, ecx");
								_t138 =  *_t177;
								if(_t209 >= 0) {
									goto L35;
								}
								goto L31;
							}
							_t173 = 6;
							goto L45;
						}
						_t120 = 0;
						_t144 =  *0x42d8d4; // 0x10
						do {
							_t120 = _t120 + 4;
						} while (_t120 < _t144);
						goto L23;
					}
				}
			}

0x00401d97
0x00401d9d
0x00401da0
0x0040207b
0x00402084
0x00402084
0x00401dab
0x00402074
0x00000000
0x00402074
0x00401db1
0x00401db5
0x00401db9
0x00401dbc
0x00401dc0
0x00401dc4
0x00401dc8
0x00401dcc
0x00402062
0x00402062
0x00402069
0x0040206a
0x00000000
0x0040206f
0x00401dd2
0x00401de2
0x00000000
0x00401df4
0x00401df4
0x00401df6
0x00401df9
0x00401dff
0x00401e02
0x00401e07
0x00401e0f
0x00000000
0x00000000
0x00401e15
0x00401e1b
0x00401e20
0x00000000
0x00000000
0x00401e26
0x00401e2e
0x00000000
0x00000000
0x00401e34
0x00401e3a
0x00401e40
0x00000000
0x00000000
0x00401e46
0x00401e4e
0x00000000
0x00000000
0x00401e54
0x00401e58
0x00401e5e
0x00401e62
0x00401e6b
0x00000000
0x00401e96
0x00401e96
0x00401ea1
0x00000000
0x00000000
0x00401ea7
0x00401ea9
0x00401eae
0x00401eb0
0x00401eb2
0x00401eb3
0x00401eb7
0x00401eb7
0x00401eba
0x00401ec8
0x00401ece
0x00401ed2
0x00401ed7
0x00000000
0x00000000
0x00401ee3
0x00401eeb
0x00401ef2
0x00401ef8
0x00401f05
0x00401f0a
0x00401f0f
0x00401f20
0x00401f24
0x00401f27
0x00401f2c
0x00401f3d
0x00401f43
0x00401f48
0x00402085
0x00000000
0x00402085
0x00401f4e
0x00401f55
0x00401f5a
0x00401f6b
0x00401f71
0x00401f76
0x00000000
0x00000000
0x00401f7c
0x00401f87
0x00401f8c
0x00401f96
0x00402114
0x00402114
0x0040211a
0x00402122
0x00402125
0x00000000
0x00402125
0x00401f9f
0x00401fa3
0x00401fa8
0x00401fac
0x00401fae
0x00401fb3
0x00401fb7
0x00401fb9
0x00401fbb
0x00401fbe
0x00401fc2
0x00401fc5
0x00401fc9
0x00401fcd
0x00401fd1
0x00401fd8
0x00000000
0x00000000
0x00401fde
0x00401fe1
0x00401fe1
0x00401fe7
0x00402005
0x00402005
0x00402008
0x0040200f
0x00402013
0x00402017
0x00402022
0x00402025
0x00402029
0x0040202b
0x0040202b
0x00402030
0x00000000
0x00000000
0x0040209d
0x004020a1
0x004020a3
0x004020a5
0x004020aa
0x004020ad
0x004020af
0x004020af
0x004020b8
0x004020e7
0x004020e7
0x004020ed
0x004020f0
0x004020f7
0x004020fa
0x004020fc
0x004020fc
0x004020ff
0x004020ff
0x004020fa
0x00402101
0x00402105
0x00000000
0x00402105
0x004020ba
0x004020be
0x004020c5
0x00402093
0x00402093
0x00000000
0x004020cc
0x004020d3
0x004020d7
0x004020db
0x004020e0
0x004020e3
0x004020e3
0x00402109
0x00402109
0x0040210a
0x0040210c
0x00402110
0x004020af
0x00000000
0x00402034
0x00402034
0x00402039
0x0040204b
0x0040204b
0x0040204e
0x0040212c
0x00000000
0x0040212c
0x00402058
0x00402059
0x0040205d
0x00000000
0x0040205d
0x0040203e
0x00402042
0x00000000
0x00402042
0x00401fe9
0x00401fec
0x00401fec
0x00401fef
0x00401ff2
0x00000000
0x00000000
0x00401ff4
0x00401ff9
0x00401ffd
0x00402000
0x00402003
0x00000000
0x00000000
0x00000000
0x00402003
0x0040208e
0x00000000
0x0040208e
0x00401f11
0x00401f13
0x00401f19
0x00401f19
0x00401f1c
0x00000000
0x00401f19
0x00401e6b

APIs

HeapAlloc.KERNEL32(?,00000008,00000005), ref: 00401EC8
_memset.LIBCMT ref: 00401EE3
_memmove.LIBCMT ref: 00401F05
HeapAlloc.KERNEL32(?,00000008,000004DB), ref: 00401F3D
HeapAlloc.KERNEL32(?,00000008,00000FE8), ref: 00401F6B
_memmove.LIBCMT ref: 00401F87

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: AllocHeap$_memmove$_memset
String ID:
API String ID: 2021246875-0
Opcode ID: a8da47e364ec9222b83c5226e2a4727d47cf86e33682b1ae8647604246d5210e
Instruction ID: 0cd98d74923c86061d372e325762cf04d560278b323548a532e0a1f862f871aa
Opcode Fuzzy Hash: a8da47e364ec9222b83c5226e2a4727d47cf86e33682b1ae8647604246d5210e
Instruction Fuzzy Hash: F8B1BF70604306DFD318DF24CA8862AB7E1FF94304F04853EEA85973D1E7B9A995CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00403DAD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403DAD() {
				int _t17;
				unsigned int _t23;
				unsigned int _t24;
				intOrPtr _t25;
				void* _t27;
				intOrPtr _t28;
				void** _t29;

				_t17 = _t29[0x19];
				_t25 =  *((intOrPtr*)(4 + _t17));
				if(_t25 != 0) {
					if( *((intOrPtr*)(_t25 + 0xa8)) == 0) {
						L7:
						return E00401D24(_t17, _t25 + 0x60);
					}
					_t17 = HeapAlloc( *(_t25 + 0xa4), 8,  *(_t25 + 0xac));
					if(_t17 == 0) {
						goto L7;
					}
					_t29[2] = 0x2065646f;
					_t29[1] = 0x63206563;
					asm("movaps xmm0, [0x40e250]");
					asm("movups [esp+0xc], xmm0");
					_t29[0x13] = 4;
					_t29[2] = _t17;
					E00403E90(_t17,  *((intOrPtr*)(_t25 + 0xa8)),  *(_t25 + 0xac));
					_t29 =  &(_t29[3]);
					_t23 =  *(_t25 + 0xac);
					if(_t23 < 8) {
						L6:
						_t17 = HeapFree( *(_t25 + 0xa4), 0,  *_t29);
						goto L7;
					}
					_t28 =  *((intOrPtr*)(_t25 + 0xa8));
					_t24 = _t23 >> 3;
					_t27 =  *_t29;
					do {
						E00401414( &(_t29[7]), _t28, _t27, 1,  &(_t29[1]));
						_t29 =  &(_t29[5]);
						_t27 = _t27 + 8;
						_t28 = _t28 + 8;
						_t24 = _t24 - 1;
					} while (_t24 != 0);
					goto L6;
				}
				return _t17;
			}

0x00403db4
0x00403db8
0x00403dbd
0x00403dca
0x00403e70
0x00000000
0x00403e79
0x00403dde
0x00403de6
0x00000000
0x00000000
0x00403dec
0x00403df4
0x00403dfc
0x00403e03
0x00403e08
0x00403e1c
0x00403e21
0x00403e26
0x00403e29
0x00403e32
0x00403e5f
0x00403e6a
0x00000000
0x00403e6a
0x00403e34
0x00403e3a
0x00403e3d
0x00403e40
0x00403e4e
0x00403e53
0x00403e56
0x00403e59
0x00403e5c
0x00403e5c
0x00000000
0x00403e40
0x00403e83

APIs

HeapAlloc.KERNEL32(?,00000008,?), ref: 00403DDE
_memmove.LIBCMT ref: 00403E21
HeapFree.KERNEL32(?,00000000), ref: 00403E6A

Strings

ce c, xrefs: 00403DF4
ode , xrefs: 00403DEC

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Heap$AllocFree_memmove
String ID: ce c$ode
API String ID: 3002676227-1628434751
Opcode ID: 6376a26bd0941a49b058ee2e9f9b7f5254c48767a77057fe041d4a16616e6798
Instruction ID: edc1a9ca207d80e36b7ab1bd5e5809205ccd11b7ad63a05a10aab67541da700f
Opcode Fuzzy Hash: 6376a26bd0941a49b058ee2e9f9b7f5254c48767a77057fe041d4a16616e6798
Instruction Fuzzy Hash: C211E471600301BFD7005F60CC45F57FBA9FF91705F048629FA9C66260E371A964CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0081B674 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0081B680

Part of subcall function 0081B5E2: __FF_MSGBANNER.LIBCMT ref: 0081B5F9
Part of subcall function 0081B5E2: __NMSG_WRITE.LIBCMT ref: 0081B600
Part of subcall function 0081B5E2: RtlAllocateHeap.NTDLL(0042E2A0,00000000,00000001), ref: 0081B625

_free.LIBCMT ref: 0081B693

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 54dcba1cba77acac28428781274a972a517ae939cad5e5cf24ae877359539b44
Instruction ID: 08d375d810f6e5cf11509a3f5b1faa873dc82dafa5d46af8f21b9acfe398923b
Opcode Fuzzy Hash: 54dcba1cba77acac28428781274a972a517ae939cad5e5cf24ae877359539b44
Instruction Fuzzy Hash: 5E11C132501615EBCF216F7DE845ADA379CFF343A4F604825F905D6190EB3088C086A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B40D Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E0040B40D(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x42e2a0, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x42e55c == _t7) {
									_t9 = E00405486();
									 *_t9 = E00405499(GetLastError());
									goto L17;
								} else {
									if(E0040A80B(_t7, _t31) == 0) {
										_t12 = E00405486();
										 *_t12 = E00405499(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E0040A80B(_t6, _t31);
						 *((intOrPtr*)(E00405486())) = 0xc;
						goto L12;
					} else {
						E0040906B(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0040B37B(__ebx, __edx, __edi, _a8);
				}
			}

0x0040b414
0x0040b422
0x0040b427
0x0040b436
0x0040b469
0x0040b43b
0x0040b43d
0x0040b43d
0x0040b44a
0x0040b450
0x0040b454
0x0040b4b4
0x0040b4b4
0x0040b456
0x0040b45c
0x0040b49e
0x0040b4b2
0x00000000
0x0040b45e
0x0040b467
0x0040b486
0x0040b49a
0x0040b480
0x0040b480
0x00000000
0x00000000
0x00000000
0x0040b467
0x0040b45c
0x00000000
0x0040b482
0x0040b46f
0x0040b47a
0x00000000
0x0040b429
0x0040b42c
0x0040b432
0x0040b432
0x0040b483
0x0040b485
0x0040b416
0x0040b420
0x0040b420

APIs

_malloc.LIBCMT ref: 0040B419

Part of subcall function 0040B37B: __FF_MSGBANNER.LIBCMT ref: 0040B392
Part of subcall function 0040B37B: __NMSG_WRITE.LIBCMT ref: 0040B399
Part of subcall function 0040B37B: HeapAlloc.KERNEL32(00940000,00000000,00000001,00000000,00000000,00000000,?,00409103,00000000,00000000,00000000,00000000,?,004092EE,00000018,0042AA90), ref: 0040B3BE

_free.LIBCMT ref: 0040B42C

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 1461537aa5bdf64185a22e2855a400e14d0cfbd13de291c811f624f91c3d27a4
Instruction ID: e31a16e3c6a7a2403059718067600b16c48654a5b05da7c6894cfb2bac3c2755
Opcode Fuzzy Hash: 1461537aa5bdf64185a22e2855a400e14d0cfbd13de291c811f624f91c3d27a4
Instruction Fuzzy Hash: 7011C432505711AFCB213F76AC0569F3798DB04764B10843BFD44B62D2DB3C89818AED

Uniqueness

Uniqueness Score: -1.00%

Function 00814014 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000008,?), ref: 00814045
HeapFree.KERNEL32(?,00000000), ref: 008140D1

Strings

ode , xrefs: 00814053
ce c, xrefs: 0081405B

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: ce c$ode
API String ID: 2488874121-1628434751
Opcode ID: 7d18186eced3afd32101676b68dbcaad51043d16fdf218b18470ac7d951a2305
Instruction ID: 46101012ea41a279f8e87eac35cebcb823161203ea65343bdbe198d0de8b38b8
Opcode Fuzzy Hash: 7d18186eced3afd32101676b68dbcaad51043d16fdf218b18470ac7d951a2305
Instruction Fuzzy Hash: F511B4B1600705BFDB105B21CD45F96FB69FF85704F048528F79C97210E772A4A4CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0081B463 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0081B497
__isleadbyte_l.LIBCMT ref: 0081B4C5
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0081B4F3
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0081B529

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c286a52766656667312ad477b22793e64a9e60a7a7acca1ac02e9f4ed1fd99a6
Instruction ID: 83b5345855902132e2c4f6a8946c15fd69f30a18f36d5154282d471f0e99ad24
Opcode Fuzzy Hash: c286a52766656667312ad477b22793e64a9e60a7a7acca1ac02e9f4ed1fd99a6
Instruction Fuzzy Hash: 9F319E3160425AEFDB218F75C845BEA7BAAFF41320F158429E461D72A2E770D8D1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1FC Relevance: 6.1, APIs: 4, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040B1FC(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00404599( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00408F8F( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E00405486();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x0040b204
0x0040b209
0x0040b223
0x00000000
0x0040b223
0x0040b20b
0x0040b210
0x00000000
0x00000000
0x0040b215
0x0040b230
0x0040b235
0x0040b238
0x0040b23f
0x0040b25e
0x0040b265
0x0040b267
0x0040b2ab
0x0040b2b3
0x0040b2c2
0x0040b2c8
0x0040b2ca
0x0040b2da
0x0040b2da
0x0040b2de
0x0040b2e0
0x0040b2e3
0x0040b2e3
0x0040b2e3
0x0040b2e3
0x00000000
0x0040b2e9
0x0040b2cc
0x0040b2cc
0x0040b2d1
0x0040b2d1
0x0040b2d4
0x00000000
0x0040b2d4
0x0040b269
0x0040b26c
0x0040b270
0x0040b299
0x0040b299
0x0040b29c
0x0040b29c
0x00000000
0x00000000
0x0040b29e
0x0040b2a2
0x00000000
0x00000000
0x0040b2a4
0x0040b2a4
0x00000000
0x0040b2a4
0x0040b272
0x0040b275
0x00000000
0x00000000
0x0040b279
0x0040b28c
0x0040b292
0x0040b295
0x0040b297
0x00000000
0x00000000
0x00000000
0x0040b297
0x0040b241
0x0040b244
0x0040b246
0x0040b24b
0x0040b24b
0x0040b250
0x00000000
0x0040b250
0x0040b217
0x0040b21c
0x0040b220
0x0040b220
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040B230
__isleadbyte_l.LIBCMT ref: 0040B25E
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0040B28C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000), ref: 0040B2C2

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 762194cd5de1c9b9ead550572a8d015e50fa1e8de8e0d4c0df4b122f55631d38
Instruction ID: 8e81a93ff20c5179882294eb7575b41b178007e5790b646f6f671e99a04df761
Opcode Fuzzy Hash: 762194cd5de1c9b9ead550572a8d015e50fa1e8de8e0d4c0df4b122f55631d38
Instruction Fuzzy Hash: D331AE31600246AFDB218FA5D848BBF7BA5EF41310F1544BEE825A72E0D738D890DB9C

Uniqueness

Uniqueness Score: -1.00%

Function 008169CF Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 008169F3

Part of subcall function 008170D2: __fltout2.LIBCMT ref: 008170FB

__cftog_l.LIBCMT ref: 00816A19
__cftoe_l.LIBCMT ref: 00816A4B

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 9e16c95706f4e9f1e77441d2be2a9d2cc1bdfb02b14281f9bedd544f4f232a55
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 46014E3204415EBBCF125E88CC11CED3F6BFF18354B588519FA99A8131E636D9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00406768 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00406768(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00406CB5(_a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E004067EE(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00406F2A(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00406E6B(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0040676b
0x00406771
0x004067e4
0x00000000
0x00406778
0x00406778
0x0040677b
0x00406796
0x00406799
0x004067b9
0x004067cb
0x0040679b
0x0040679b
0x0040679e
0x00000000
0x004067a0
0x004067b2
0x004067b2
0x0040679e
0x004067e9
0x004067ed
0x0040677d
0x00406795
0x00406795
0x0040677b

APIs

__cftof_l.LIBCMT ref: 0040678C

Part of subcall function 00406E6B: __fltout2.LIBCMT ref: 00406E94

__cftog_l.LIBCMT ref: 004067B2
__cftoe_l.LIBCMT ref: 004067E4

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: aea4206f527f6fff8dfdf05b7a6688f4d4ea01ffa10814b623b9810bd0ea2048
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: CE01433600014ABBCF125E84CC418EE3F76BB19358B5A842AFB1965171D23AD971AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0081639D Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00815BC1: __getptd_noexit.LIBCMT ref: 00815BC2

__lock.LIBCMT ref: 008163DA
InterlockedDecrement.KERNEL32(?), ref: 008163F7
_free.LIBCMT ref: 0081640A
InterlockedIncrement.KERNEL32(0042C1A4), ref: 00816422

Memory Dump Source

Source File: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_setup.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 9bf3a04d43eee07b18bb58f07ca9be70ebc8cd783a1907ed480256e1dd487afc
Instruction ID: 0b073234d1a37d696c8c046b0c98130fa721dad1d7a453f0f412a93612a277ac
Opcode Fuzzy Hash: 9bf3a04d43eee07b18bb58f07ca9be70ebc8cd783a1907ed480256e1dd487afc
Instruction Fuzzy Hash: F801C431A01722DBD720AB6994463ED7768FF00721F414529E854F7291DB7468E1CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 00406136 Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00406136(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				long _t22;
				signed int _t25;
				void* _t30;
				LONG* _t32;
				void* _t33;

				_push(0xc);
				_push(0x42a9d0);
				E004081F0(__ebx, __edi, __esi);
				_t30 = E0040595A();
				_t25 =  *0x42c8f4; // 0xfffffffe
				if(( *(_t30 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t30 + 0x6c)) == 0) {
					E00409225(0xd);
					 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
					_t32 =  *(_t30 + 0x68);
					 *(_t33 - 0x1c) = _t32;
					__eflags = _t32 -  *0x42c1a4; // 0x96a3d8
					if(__eflags != 0) {
						__eflags = _t32;
						if(_t32 != 0) {
							_t22 = InterlockedDecrement(_t32);
							__eflags = _t22;
							if(_t22 == 0) {
								__eflags = _t32 - 0x42c4a0;
								if(_t32 != 0x42c4a0) {
									E0040906B(_t32);
								}
							}
						}
						_t20 =  *0x42c1a4; // 0x96a3d8
						 *(_t30 + 0x68) = _t20;
						_t32 =  *0x42c1a4; // 0x96a3d8
						 *(_t33 - 0x1c) = _t32;
						InterlockedIncrement(_t32);
					}
					 *(_t33 - 4) = 0xfffffffe;
					E004061D2();
				} else {
					_t32 =  *(_t30 + 0x68);
				}
				if(_t32 == 0) {
					E0040740B(0x20);
				}
				return E00408235(_t32);
			}

0x00406136
0x00406138
0x0040613d
0x00406147
0x00406149
0x00406152
0x00406173
0x00406179
0x0040617d
0x00406180
0x00406183
0x00406189
0x0040618b
0x0040618d
0x00406190
0x00406196
0x00406198
0x0040619a
0x004061a0
0x004061a3
0x004061a8
0x004061a0
0x00406198
0x004061a9
0x004061ae
0x004061b1
0x004061b7
0x004061bb
0x004061bb
0x004061c1
0x004061c8
0x0040615a
0x0040615a
0x0040615a
0x0040615f
0x00406163
0x00406168
0x00406170

APIs

Part of subcall function 0040595A: __getptd_noexit.LIBCMT ref: 0040595B

__lock.LIBCMT ref: 00406173
InterlockedDecrement.KERNEL32(?), ref: 00406190
_free.LIBCMT ref: 004061A3
InterlockedIncrement.KERNEL32(0096A3D8), ref: 004061BB

Memory Dump Source

Source File: 00000000.00000002.312256073.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.312256073.0000000000430000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_setup.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 9a490045696f11bfaa74908e1410ad382ebca8c5b2dbda7e8616983b39942f21
Instruction ID: 92dd21f900cdea8ed63b94cc79b176875fe63f4237bcfdc2142f7b5521d70ca3
Opcode Fuzzy Hash: 9a490045696f11bfaa74908e1410ad382ebca8c5b2dbda7e8616983b39942f21
Instruction Fuzzy Hash: 1C01A535A01621ABE721AB26994676EB660AF00715F06453FE8057B3C3CB3C5D62CBDD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dllhost.exePID: 5552, Parent PID: 3152COMMON

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.7%
Total number of Nodes:	145
Total number of Limit Nodes:	5

Executed Functions

Function 00007DF490E68718 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE ref: 00007DF490E6889A
GetDriveTypeW.KERNELBASE ref: 00007DF490E688B3

Strings

A, xrefs: 00007DF490E687F2
\, xrefs: 00007DF490E68806
:, xrefs: 00007DF490E687FC
\, xrefs: 00007DF490E68B99

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: DriveDrivesLogicalType
String ID: :$A$\$\
API String ID: 4038169723-2970747007
Opcode ID: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
Instruction ID: 33c11f9fc37f128a860e23cae35e15ceb6768a3f5672f20b86655c31e2683008
Opcode Fuzzy Hash: b0a694621581a0022aa59e7e97eb46f4cad8955d03962f010717c508dea69b99
Instruction Fuzzy Hash: EAF1523561CA4C8BEB69EF18D885AEA73F0FB58304F54462ED48FC3151DA78E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E636A0 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 570
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007DF490E63BF8
FindCloseChangeNotification.KERNELBASE ref: 00007DF490E63C01
??3@YAXPEAX@Z.MSVCRT ref: 00007DF490E63C48

Strings

d, xrefs: 00007DF490E63A19

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ??3@ChangeCloseCreateFindNotificationThread
String ID: d
API String ID: 1887508895-2564639436
Opcode ID: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
Instruction ID: fa3a7de9919e758c279b07d43087d06f887ed8d1d33470d8b71a4e904bf83cf8
Opcode Fuzzy Hash: f8442b9e398ab651c0b0ad759ddfe03e1ed3a010777be940d021345a2825fb8b
Instruction Fuzzy Hash: E412FB74618A4C8FEB95EF38D845AEAB7E1FB94300F54462EE44FC3291DB34E5458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E6782C Relevance: 4.6, APIs: 3, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007DF490E6789B
FindNextFileW.KERNELBASE ref: 00007DF490E6795A
FindClose.KERNELBASE ref: 00007DF490E6796B

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
Instruction ID: 434c118b61d1cf05502e526ae2c2e9b74380384c6f98d1db4a32407ad29dadbb
Opcode Fuzzy Hash: 5473507164dcd3926eec300200079bceabdad213ffc4607040328178f24ee394
Instruction Fuzzy Hash: E6414135718E584FEB94EB28E859AAA77E1FBD5301F54463EE04BC3290DE38D9448782

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E6B92C Relevance: 4.6, APIs: 3, Instructions: 110
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateNamedPipeW.KERNELBASE ref: 00007DF490E6B9E3
BindIoCompletionCallback.KERNEL32 ref: 00007DF490E6BA1A
ConnectNamedPipe.KERNELBASE ref: 00007DF490E6BA2B

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: NamedPipe$BindCallbackCompletionConnectCreate
String ID:
API String ID: 2502124517-0
Opcode ID: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
Instruction ID: ec5d7afb114b5f9fe2af21197c3e9699837f3a07a7254c47cc7315ef1b029308
Opcode Fuzzy Hash: 86698cdaea6b070168e9757c8e61cb38fc1f5760e73426677b828c464fbefd93
Instruction Fuzzy Hash: 56316D34708A488FEB94DF28D888B9A77E1FB95310F54462AD05BC31D0DB38D985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E6828C Relevance: 3.2, APIs: 2, Instructions: 241
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE ref: 00007DF490E6833C

Part of subcall function 00007DF490E6828C: FindNextFileW.KERNELBASE ref: 00007DF490E6852E

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
Instruction ID: 356ae50d74c97bcbfbf712a7b24962603814f1a359728b854d39bb24df70b557
Opcode Fuzzy Hash: cc4e1f58a741e0a847789479910143e1a41a58a390ab4c56df2ab5461faa735f
Instruction Fuzzy Hash: D9812035608A488FEF54EF28E898A9673E1FB94305F14467ED44FC7295DB38E944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E615E4 Relevance: 2.3, APIs: 1, Instructions: 815threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007DF490E61E6B

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
Instruction ID: eec6ab8b7c57573984625d032278161dbf5fedcb333001ae0a864804157d41be
Opcode Fuzzy Hash: e204f23e07e5fe114be256f26043225e89d310e5d3f21a5691eae402d807ca03
Instruction Fuzzy Hash: D3426434A1CB488FDB69EF28D485AAE77E5FB94300F18456ED48FC3251DA34E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E6C06C Relevance: 1.6, APIs: 1, Instructions: 114encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007DF490E6C0F5

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
Instruction ID: 0aa9a2d7670ba4f595c11e3180415f81da0266798a24b5ed3fcde6b17a30fe23
Opcode Fuzzy Hash: 065909b5226e5ffbc6317179f027ca50902e3b2efe95567b1e5a46f5e667f156
Instruction Fuzzy Hash: 9731413471CA484FEB58EB6CD849A6AB7E1FB9A301F44452EE54BC3291DE39D841C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E72834 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007DF490E72844

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
Instruction ID: b2b6a9f1dab92307d32347c41406752ccafce972f2737cc997380d85f8ba844d
Opcode Fuzzy Hash: d58f8b538f263f367ae549b4eb4f40a92b68296be0ce84c3cb29e4ca6c126a6e
Instruction Fuzzy Hash: C4C08C04F1AC4A4BFD4867BE4D82B2930A0ABE9300F880019940AC2190E60DE4824393

Uniqueness

Uniqueness Score: -1.00%

Function 00000229C8F430D0 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlDeleteBoundaryDescriptor.NTDLL ref: 00000229C8F4343D

Strings

H, xrefs: 00000229C8F4335E
!Rex, xrefs: 00000229C8F43136
D, xrefs: 00000229C8F43372
!, xrefs: 00000229C8F43359
S, xrefs: 00000229C8F4337E
E, xrefs: 00000229C8F43377
, xrefs: 00000229C8F43383
!Rcx, xrefs: 00000229C8F432C9
A, xrefs: 00000229C8F4336A

Memory Dump Source

Source File: 0000000A.00000002.363078043.00000229C8F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000229C8F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_229c8f40000_dllhost.jbxd

Similarity

API ID: BoundaryDeleteDescriptor
String ID: $!$!Rcx$!Rex$A$D$E$H$S
API String ID: 3203483114-3349172591
Opcode ID: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
Instruction ID: 2aea8251fc42641ebc95257a6f75f14e9c738ea388b4ae6d5028b3b35fb09ddc
Opcode Fuzzy Hash: 65066c02667e23bd76fdc9d3f10aea0dbf6c071d317dcde6615cabaccb18c29d
Instruction Fuzzy Hash: 9FB1B63121CB485FD75AEF59D485A9AB3E1FBDC300F800A2FE48AC3156DA70E99587D2

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E744A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007DF490E74506
ReadFile.KERNELBASE ref: 00007DF490E74551
??3@YAXPEAX@Z.MSVCRT ref: 00007DF490E745D6

Strings

MZ, xrefs: 00007DF490E7455B

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: File$??3@CreateRead
String ID: MZ
API String ID: 481216328-2410715997
Opcode ID: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
Instruction ID: 580e0671ba654adbbefbeb0cc6365236731e3c662b9f801b30fbfbe3ed07b812
Opcode Fuzzy Hash: 5e4af987994b7acbedf1a617c617516e2b7c83a12c39e074aeeec05ef4365be6
Instruction Fuzzy Hash: 7E417270B0CA584FDB54EB6898856AA73E1FF99311F04462EE44FC3184EB38E9518B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E748C8 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 00007DF490E74C25

Strings

MZ, xrefs: 00007DF490E74CD0
MZ, xrefs: 00007DF490E74AFA
MZ, xrefs: 00007DF490E74C94

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: FreeVirtual
String ID: MZ$MZ$MZ
API String ID: 1263568516-970779948
Opcode ID: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
Instruction ID: 312147b554bc745c0f7579325d09feff2ad19bbf7cb4fe5e96d7d513f620b930
Opcode Fuzzy Hash: 872aeec84cbaeb3725683b3f97cc31e77a18b92113d903afa561b5ea92fb0226
Instruction Fuzzy Hash: 69D19375B1CA894BEF65AF2C9885AAA73E1EFE5300F04452ED44FC3195EF78E8418781

Uniqueness

Uniqueness Score: -1.00%

Function 00000229C8F90280 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenFileMappingW.KERNELBASE ref: 00000229C8F902BC
MapViewOfFile.KERNELBASE ref: 00000229C8F902DC

Strings

!Rex, xrefs: 00000229C8F903BF

Memory Dump Source

Source File: 0000000A.00000002.363110039.00000229C8F90000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000229C8F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_229c8f90000_dllhost.jbxd

Similarity

API ID: File$MappingOpenView
String ID: !Rex
API String ID: 3439327939-279350133
Opcode ID: 17450c00fed49fe80342f3e25c2c945cb80a2df36b887535064fd9d07ebb3af5
Instruction ID: 5db9f8b736b65d8deb372bfa74b1d68a5d3b3ae8b48ec81a828ac23b4b96823b
Opcode Fuzzy Hash: 17450c00fed49fe80342f3e25c2c945cb80a2df36b887535064fd9d07ebb3af5
Instruction Fuzzy Hash: 64518C31208B499FDB65EB69C489BDAB3E4FFE8300F40493ED48AC3141DE31D9958B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E527E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF490E52904

Strings

!Rcx, xrefs: 00007DF490E527F3

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID: !Rcx
API String ID: 613200358-1190931699
Opcode ID: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
Instruction ID: 11529a1bd4dff5e1a8d0f6530c9e2afb132799829b1c8a2e916065d34baccc41
Opcode Fuzzy Hash: 375216cf1db1b95d5aee2b7e97bdc21f36d06a79622ee621d3fb19e0d25edae2
Instruction Fuzzy Hash: 85319230718A484FDF64EF68C885BAAB7E0FBA5315F144A3FD44EC2291DA34E545C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E60EF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007DF490E522E4: LoadLibraryA.KERNELBASE ref: 00007DF490E5231F

SetErrorMode.KERNELBASE ref: 00007DF490E60F6C

Strings

{, xrefs: 00007DF490E60F0F

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID: {
API String ID: 2987862817-366298937
Opcode ID: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
Instruction ID: a50668434cd69d77f2a200ed74acabdb3dd6af56e9b0c43b2c1a5b34b591a375
Opcode Fuzzy Hash: ce8c5c31cd73c92eaa4bb109d3a5c28e0b34eac1a0d27fbc4dc84f37bbccbbdd
Instruction Fuzzy Hash: 6601A52871C5540BEF94A63C6801AA772E5EF95310F04463EE41FC31C6ED18DC054292

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E746B4 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007DF490E744A4: CreateFileW.KERNELBASE ref: 00007DF490E74506
Part of subcall function 00007DF490E744A4: ReadFile.KERNELBASE ref: 00007DF490E74551

VirtualFree.KERNELBASE ref: 00007DF490E748AE

Strings

MZ, xrefs: 00007DF490E74718

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: File$CreateFreeReadVirtual
String ID: MZ
API String ID: 1417541778-2410715997
Opcode ID: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
Instruction ID: 5d5d7f9e66964dbcb282b8396c262f5e0a1020f29425c18c74ba540286072ee8
Opcode Fuzzy Hash: dc4bd1325c9b6ce831cdb2494975a3abfd7c2e64201de334ba9217b2b9306c25
Instruction Fuzzy Hash: 73516975B1CA884BEFA8AA3C9845A6F72E6EFD5310F14056EE44FC3195DF38E8014782

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E63E3A Relevance: 3.1, APIs: 2, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00007DF490E63FB7
FindCloseChangeNotification.KERNELBASE ref: 00007DF490E6406E

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ChangeCloseFileFindNotificationView
String ID:
API String ID: 556135526-0
Opcode ID: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
Instruction ID: 4c831a8468faa5c19645a4ffd9a8c54de127eee98a569f5bd6378e1798226554
Opcode Fuzzy Hash: 502e52437849565e925d83ccf3de6c5e9e7ab8b63f1dbba070af9e040f3b2d98
Instruction Fuzzy Hash: 79411D34708A498FEF99FB28D455AAAB3B1FF94310F14462ED45FC3182DE29E8158B91

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E522E4 Relevance: 3.1, APIs: 2, Instructions: 109
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007DF490E5231F
GetProcAddressForCaller.KERNELBASE ref: 00007DF490E5236C

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: AddressCallerLibraryLoadProc
String ID:
API String ID: 4215043672-0
Opcode ID: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
Instruction ID: 971cb51070c8d490fca43328f3444669c5e3648dbbf5aac05f1307f4d6898886
Opcode Fuzzy Hash: 360a3b14b73cf4ba8c025e592f2c7af1987442e7d978021b0d53979cebde274f
Instruction Fuzzy Hash: E721E225B0DA4E4BEF28996C9C45B7633E4DB47321F1D047FD84BC7192E96DF8828291

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E675AC Relevance: 3.1, APIs: 2, Instructions: 72
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007DF490E675D7
ReadFile.KERNELBASE ref: 00007DF490E67627

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: File$CreateRead
String ID:
API String ID: 3388366904-0
Opcode ID: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
Instruction ID: 85644a50f7486c1d8e60f921288cc65687010dac20bdfa197068a664a6064f99
Opcode Fuzzy Hash: a5499618f628a59e0d96b57db253cb0100af634853b51a4cee71ef425f696bbf
Instruction Fuzzy Hash: 0A11B130618A488FDB90AF6CD88876E77E0FB98315F04862EE88EC3290CB3899458751

Uniqueness

Uniqueness Score: -1.00%

Function 00000229C8F40000 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363078043.00000229C8F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000229C8F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_229c8f40000_dllhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
Instruction ID: 8684eb889db6d443d6842a2fcb88de21225c5c1e9ccf3b1de685123818c2256e
Opcode Fuzzy Hash: 82552c8ceb4bd420dba5bcd59e8ddc246d38e28e5f7935b533cdb85efc16f220
Instruction Fuzzy Hash: 70510530618A055BD71EEF5AC4899B9B3E1FBD8710F54863FE487C7186EE70E88286D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E623E4 Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 00007DF490E624F2

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
Instruction ID: 5f7a7904f87e47f3d9630f3042607d3eebd57cf037b2920601846b9e108de86a
Opcode Fuzzy Hash: 53bae16748ecdc21ae953881b952189692968bc814a88933c73c387c58fe5f91
Instruction Fuzzy Hash: EA410E3561CB488BE765EF28D895BDBB7E0FB94304F404A2EE48BC2191EF799504CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E6F9B8 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF490E6FA1F

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: b321590e39003328950868adb3b7baf0a738c2a81c9ed83129ade6c1723d170f
Instruction ID: e7d47a432114c7896f867c7c1a5fcc3c780fd9bb6c45ecc5398b178364bbba51
Opcode Fuzzy Hash: b321590e39003328950868adb3b7baf0a738c2a81c9ed83129ade6c1723d170f
Instruction Fuzzy Hash: 8831043461890D8FDF85EF2CD494FA533A1FF58311F4841B9D80ECB29ACA34A845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490F11A14 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF490F11AA9

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
Instruction ID: dc137faa13fcffa22ea56959b73a4447f8f569ca62b1c1484ff2537795affcd4
Opcode Fuzzy Hash: 472e16019ba601094a4c2923f039f601fa415deb3ae2891c44a4e6fa2e872d25
Instruction Fuzzy Hash: A8212C34B098184FDED4EA2CC0C4D797BE6FF8875072902A6D81BC729DE569ED81C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E6D3F4 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF490E6D428

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 1173c4bf6734c2ddcbf1999c0336684670098a1b8ff3ecb332de893cda3149d8
Instruction ID: 7085371e78f0e0ce48038a191d4c72047fdf891aacb50829aca5bc74f0b7d617
Opcode Fuzzy Hash: 1173c4bf6734c2ddcbf1999c0336684670098a1b8ff3ecb332de893cda3149d8
Instruction Fuzzy Hash: 27F0F974A19E4A8FEB84AF6DD498B6577B0FB68305FA4007ED41AC6190DB75AC54C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E51AAC Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE ref: 00007DF490E51AF2

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
Instruction ID: 7ecab14eb4a360e2035f0832f8666157bc50deeb6d24f0eb920365250c69bd8c
Opcode Fuzzy Hash: 6bee0d47c2223d56f047f492df5b049f4a47428231dacf7fdd2a0f68541b21f6
Instruction Fuzzy Hash: 03014634B0D6848FEF50EFADACC5A2532B5EB89710B4808BFD00ADA164C63CA8408B12

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E51A58 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 00007DF490E51A78

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
Instruction ID: cf9948e050d299319042d0067db0626b7b290353cf5633a56b3d8650c87bafa8
Opcode Fuzzy Hash: b4ad1c0d008e997b21b3bc8a6b3226dd8f46068eaaf9a4adb11886a91f20d782
Instruction Fuzzy Hash: AEF0A029F0E1894AFF21AF3D5C846372276EB88321F294E7FD04BC6182D93CD8C18242

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490EC1C6C Relevance: 1.5, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE ref: 00007DF490EC1C89

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
Instruction ID: af7a0c4efb83a43d3dd6eca2473c3cc2213c567d43e53af28580ee8b2cdbf410
Opcode Fuzzy Hash: bccd8a624eb6b28d8ce315b06ee3766c31c6b0b7e90251d88198d832bd84872c
Instruction Fuzzy Hash: 0FE04835F1044956F749F735EC998D733A1FF68300B84416ADC0B910E6FE2C5286C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E52BE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 00007DF490E52BF1

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
Instruction ID: b3670ef8330dce2f2d7d2bf7083a2b37775f516ed42de02125f419482e3fa940
Opcode Fuzzy Hash: 2b6ebd628b6762cacce5267312cbc1474e2efd12aa7b3ce2d7e01679878ed3e9
Instruction Fuzzy Hash: C5B0122892BD6B06ED8C377A0C5A5253560AF08311FC8005CD80AC0040E60CC5D46386

Uniqueness

Uniqueness Score: -1.00%

Function 00007DF490E62B50 Relevance: 1.3, APIs: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE ref: 00007DF490E62B64

Memory Dump Source

Source File: 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00007DF490E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7df490e50000_dllhost.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
Instruction ID: 3d085ae7aaa33ab3aaf9a1ab97f09b268cceebe4e2d56206a11af7c4d78bd258
Opcode Fuzzy Hash: 4a93cf2f88255c0bb6d24dd12e50ceba59c46d297b66380d94f1b892c0c9261f
Instruction Fuzzy Hash: D6F08235314D095BFF649F39AC88ABA37A9EB84341B18872ED40BC5164EF6CD9049744

Uniqueness

Uniqueness Score: -1.00%

Source: setup.exe	Virustotal: Detection: 42%			Perma Link
Source: setup.exe	ReversingLabs: Detection: 62%

Source: Traffic	Snort IDS: 2043202 ET TROJAN Rhadamanthys Stealer - Payload Download Request 192.168.2.3:49697 -> 179.43.154.216:80
Source: Traffic	Snort IDS: 2853001 ETPRO TROJAN Rhadamanthys Stealer - Payload Response 179.43.154.216:80 -> 192.168.2.3:49697
Source: Traffic	Snort IDS: 2853002 ETPRO TROJAN Rhadamanthys Stealer - Data Exfil 192.168.2.3:49700 -> 179.43.154.216:80

Source: dllhost.exe, 0000000A.00000003.309829921.00000229C95AA000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362720431.00000229CAC91000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///etc/puk.keyGET13ConnectionupgradeUpgradewebsocketUser-Agentcurl/5.9Sec-Websocket-KeySec-Webs
Source: dllhost.exe, 0000000A.00000003.309829921.00000229C94B5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363740128.00007DF490E50000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.309263993.00000229C92C2000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB4F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http:///etc/puk.keyMachineGuidSOFTWARE
Source: dllhost.exe, 0000000A.00000002.363452486.00000229C9405000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.362475431.00000229CB5DE000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363733987.00000229CB5E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://179.43.154.216/img/favicon.ico
Source: dllhost.exe, 0000000A.00000003.362475431.00000229CB5DE000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363733987.00000229CB5E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://179.43.154.216/img/favicon.ico;
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlSoftware
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dsquery.dll
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: dllhost.exe, 0000000A.00000003.342439064.00000229CB205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DA
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com-_https://support.google.com
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346532064.00000229C92E8000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=update_error
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=update_errorFix
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome?p=update_errore
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/installer/?product=
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: dllhost.exe, 0000000A.00000003.346333049.00000229C92D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346532064.00000229C92E8000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: dllhost.exe, 0000000A.00000003.347171986.00000229CAD69000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/.
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/Google
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/e
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C9302000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346524117.00000229C92EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
Source: dllhost.exe, 0000000A.00000003.346498700.00000229CAD6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/st_vi
Source: dllhost.exe, 0000000A.00000003.346428768.00000229C92F5000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348424053.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: dllhost.exe, 0000000A.00000003.346468592.00000229C92E1000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348247260.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.351744358.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.348629618.00000229CAD7A000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.346428768.00000229C930D000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000002.363477323.00000229CAD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CB0CD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Mtx_unlock@threads@stdext@@YAXPEAX@Z
Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
Source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ

Source: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source:	Binary string: netutils.pdbUGP source: dllhost.exe, 0000000A.00000003.338383043.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: dllhost.exe, 0000000A.00000003.319605704.00000229CAEE0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.319293046.00000229CADB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: dllhost.exe, 0000000A.00000003.315959802.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\huxiwavemejedi kuwususudidix\vemoxu.pdb source: setup.exe
Source:	Binary string: msvcrt.pdb source: dllhost.exe, 0000000A.00000003.319958084.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Dw=helpvolumelabelmasteredudfUDFJOLIETItemPosItemOrder%s (%d).%sData\Program Files\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.cdxml.cer.automaticdestinations-ms.cat.dmp.cookie.customdestinations-msWindows\$Windows.~BT\Program Files (x86)\ProgramData\.appxbundle.appxpackageWindows.old\.appx.msip.msm.ocx.olb.mui.nst.etl.fon.dsft.efi.mpb.mp.partial.pdb.p7s.p7x.pfx.pem.pfm.p10.p12.ost.otf.p7m.p7r.p7b.p7c.sys.ttc.spkg.sst.vmrs.vsi.vmcx.psd1.psf.sft.spc.rll.wim.winmd.vsix.wfsWININET.xap\shellL source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdbUGP source: dllhost.exe, 0000000A.00000003.319605704.00000229CAEE0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.319293046.00000229CADB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: dllhost.exe, 0000000A.00000003.346097175.00000229C92C3000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.331435099.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdbUGP source: dllhost.exe, 0000000A.00000003.319768034.00000229CADE3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: dllhost.exe, 0000000A.00000003.323423570.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdb source: dllhost.exe, 0000000A.00000003.337709960.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdbUGP source: dllhost.exe, 0000000A.00000003.328492995.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdbUGP source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdbUGP source: dllhost.exe, 0000000A.00000003.323886807.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdbUGP source: dllhost.exe, 0000000A.00000003.340759627.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdbUGP source: dllhost.exe, 0000000A.00000003.321319502.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdbUGP source: dllhost.exe, 0000000A.00000003.337454425.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: dllhost.exe, 0000000A.00000003.312902566.00000229CABB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: user32.pdbUGP source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: dllhost.exe, 0000000A.00000003.317709991.00000229CB0F0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.316365466.00000229CADBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: dllhost.exe, 0000000A.00000003.322096367.00000229CB09D000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.321498214.00000229CAF02000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: dllhost.exe, 0000000A.00000003.321242005.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: dllhost.exe, 0000000A.00000003.315959802.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: dllhost.exe, 0000000A.00000003.324074272.00000229CADBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: dllhost.exe, 0000000A.00000003.337709960.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: dllhost.exe, 0000000A.00000003.323185450.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdbUGP source: dllhost.exe, 0000000A.00000003.322096367.00000229CB09D000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.321498214.00000229CAF02000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdbUGP source: dllhost.exe, 0000000A.00000003.312902566.00000229CABB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: dllhost.exe, 0000000A.00000003.337601120.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: dllhost.exe, 0000000A.00000003.321319502.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdb source: dllhost.exe, 0000000A.00000003.323264632.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: dllhost.exe, 0000000A.00000003.346097175.00000229C92C3000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.331435099.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdb source: dllhost.exe, 0000000A.00000003.323662985.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: dllhost.exe, 0000000A.00000003.311996027.00000229CADA0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.310400293.00000229CABB9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.311204740.00000229CABB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbUGP source: dllhost.exe, 0000000A.00000003.338000747.00000229CAF10000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.337738921.00000229CADBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdbUGP source: dllhost.exe, 0000000A.00000003.337631080.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: powrprof.pdb source: dllhost.exe, 0000000A.00000003.337631080.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cPC:\huxiwavemejedi kuwususudidix\vemoxu.pdb source: setup.exe
Source:	Binary string: ole32.pdb source: dllhost.exe, 0000000A.00000003.338000747.00000229CAF10000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.337738921.00000229CADBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbGCTL source: dllhost.exe, 0000000A.00000003.321242005.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: dllhost.exe, 0000000A.00000003.337560536.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: dllhost.exe, 0000000A.00000003.323662985.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdbUGP source: dllhost.exe, 0000000A.00000003.323185450.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: dllhost.exe, 0000000A.00000003.320564626.00000229CAF50000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.320117522.00000229CADB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: dllhost.exe, 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: dllhost.exe, 0000000A.00000003.337560536.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdb source: dllhost.exe, 0000000A.00000003.340759627.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: dllhost.exe, 0000000A.00000003.323886807.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: dllhost.exe, 0000000A.00000003.322929010.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: dllhost.exe, 0000000A.00000003.323423570.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netapi32.pdb source: dllhost.exe, 0000000A.00000003.338340488.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcryptprimitives.pdb source: dllhost.exe, 0000000A.00000003.319768034.00000229CADE3000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: dllhost.exe, 0000000A.00000003.338217837.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cfgmgr32.pdb source: dllhost.exe, 0000000A.00000003.328492995.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: dllhost.exe, 0000000A.00000003.311996027.00000229CADA0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.310400293.00000229CABB9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.311204740.00000229CABB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: dllhost.exe, 0000000A.00000003.317709991.00000229CB0F0000.00000004.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.316365466.00000229CADBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbUGP source: dllhost.exe, 0000000A.00000003.337601120.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netapi32.pdbUGP source: dllhost.exe, 0000000A.00000003.338340488.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: dllhost.exe, 0000000A.00000003.338217837.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: dllhost.exe, 0000000A.00000003.323264632.00000229CADB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: dllhost.exe, 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netutils.pdb source: dllhost.exe, 0000000A.00000003.338383043.00000229C93C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: dllhost.exe, 0000000A.00000003.338412172.00000229CADB0000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000A.00000003.339882220.00000229CAF90000.00000004.00001000.00020000.00000000.sdmp

Source: Yara match	File source: 10.3.dllhost.exe.229cae30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.313327371.00000229CABB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.315292448.00000229CAE30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 5552, type: MEMORYSTR

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040C04C	0_2_0040C04C
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00401414	0_2_00401414
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040B56C	0_2_0040B56C
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040D987	0_2_0040D987
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_004086D4	0_2_004086D4
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040BADC	0_2_0040BADC
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0040C7C8	0_2_0040C7C8
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081893B	0_2_0081893B
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081C2B3	0_2_0081C2B3
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081167B	0_2_0081167B
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081DBEE	0_2_0081DBEE
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F429F8	10_2_00000229C8F429F8
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F4455C	10_2_00000229C8F4455C
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F41968	10_2_00000229C8F41968
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F42558	10_2_00000229C8F42558
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F422B3	10_2_00000229C8F422B3
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F45994	10_2_00000229C8F45994
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F45094	10_2_00000229C8F45094
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F45414	10_2_00000229C8F45414
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E615E4	10_2_00007DF490E615E4
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E68718	10_2_00007DF490E68718
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E636A0	10_2_00007DF490E636A0
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E9B0C8	10_2_00007DF490E9B0C8
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EC8090	10_2_00007DF490EC8090
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E91224	10_2_00007DF490E91224
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E9A3F4	10_2_00007DF490E9A3F4
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E503D8	10_2_00007DF490E503D8
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E9D558	10_2_00007DF490E9D558
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E51530	10_2_00007DF490E51530
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EE84C4	10_2_00007DF490EE84C4
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E5D608	10_2_00007DF490E5D608
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E975A8	10_2_00007DF490E975A8
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EA3754	10_2_00007DF490EA3754
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EB673C	10_2_00007DF490EB673C
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490ED36E8	10_2_00007DF490ED36E8
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EDA698	10_2_00007DF490EDA698
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EBF864	10_2_00007DF490EBF864
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E69828	10_2_00007DF490E69828
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E9B77C	10_2_00007DF490E9B77C
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EF9964	10_2_00007DF490EF9964
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E91900	10_2_00007DF490E91900
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EB4A18	10_2_00007DF490EB4A18
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E9C9FC	10_2_00007DF490E9C9FC
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E699F0	10_2_00007DF490E699F0
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EF5B3C	10_2_00007DF490EF5B3C
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E99B34	10_2_00007DF490E99B34
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EDEB34	10_2_00007DF490EDEB34
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490ED6AA0	10_2_00007DF490ED6AA0
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E53C68	10_2_00007DF490E53C68
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E90C58	10_2_00007DF490E90C58
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E91C4C	10_2_00007DF490E91C4C
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EE9D58	10_2_00007DF490EE9D58
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EABC88	10_2_00007DF490EABC88
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E76E60	10_2_00007DF490E76E60
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E5FE38	10_2_00007DF490E5FE38
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490EB0DF0	10_2_00007DF490EB0DF0
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490F12DE4	10_2_00007DF490F12DE4
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490E90E98	10_2_00007DF490E90E98
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00007DF490ECAE88	10_2_00007DF490ECAE88

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe C:\Users\user\Desktop\setup.exe
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Random name
Source: C:\Users\user\Desktop\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}

Source: setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_00408235 push ecx; ret	0_2_00408248
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081849C push ecx; ret	0_2_008184AF
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0081CA27 push eax; ret	0_2_0081CA28
Source: C:\Windows\System32\dllhost.exe	Code function: 10_2_00000229C8F90003 push esp; retf 91AFh	10_2_00000229C8F90009

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: 00000000.00000002.312472780.0000000000810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.312786751.000000000096E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
setup.exe

Function 004035ED Relevance: 29.0, APIs: 19, Instructions: 483
memorystringCOMMON

Function 004033AD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
COMMON

Function 0081092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Function 00402E10 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 343
memoryCOMMON

Function 0081003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 00401D24 Relevance: 4.5, APIs: 3, Instructions: 40
memoryCOMMON

Function 00810E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00402DC0 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Function 004035D2 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 00810920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00408173 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 00408150 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00401414 Relevance: .1, Instructions: 116
COMMONCrypto

Function 00813077 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 343
memoryCOMMON

Function 00407919 Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Function 004010B0 Relevance: 16.6, APIs: 11, Instructions: 135
memorystringCOMMON

Function 00405147 Relevance: 16.6, APIs: 11, Instructions: 84
COMMON

Function 0040DCB6 Relevance: 13.6, APIs: 9, Instructions: 66
COMMONLIBRARYCODE

Function 00405A8D Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Function 00401D90 Relevance: 9.3, APIs: 6, Instructions: 272
memoryCOMMON

Function 00403DAD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61
memoryCOMMON

Function 0040B40D Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Function 0040B1FC Relevance: 6.1, APIs: 4, Instructions: 96
COMMONLIBRARYCODE

Function 00406768 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Function 00406136 Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre