Edit tour

Windows Analysis Report
Fatrr_UewhcWF.msi

Overview

General Information

Sample Name:	Fatrr_UewhcWF.msi
Analysis ID:	895606
MD5:	076682947cdb70a184620aed267a64e5
SHA1:	49a78fd9ba854e7e2a16276cdd4188ade83ce384
SHA256:	fcfa8b7b8dc0ef9d2a4baabcd78551c0ef1b2b505180d30ee1729298013b5204
Tags:	msi
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Stores files to the Windows start menu directory

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Searches for user specific document files

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5964 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatrr_UewhcWF.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 5840 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 1652 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C78C18F24792FB2CF3D3274F6B2C7332 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

identity_helper.exe (PID: 1164 cmdline: "C:\Users\Public\Documents\identity_helper.exe" MD5: 216FBFDD15F983EE770F1A135EDA572C)

identity_helper.exe (PID: 5956 cmdline: "C:\Users\Public\Documents\identity_helper.exe" MD5: 216FBFDD15F983EE770F1A135EDA572C)

cleanup

Snort Signatures

ETPRO MALWARE TakeMyFile User-Agent - Source IP: 192.168.2.3 - Destination IP: 54.198.235.9

Timestamp:	192.168.2.354.198.235.949698802849814 06/28/23-11:59:26.808026
SID:	2849814
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE TakeMyFile Installer Checkin - Source IP: 192.168.2.3 - Destination IP: 54.198.235.9

Timestamp:	192.168.2.354.198.235.949698802849813 06/28/23-11:59:26.808026
SID:	2849813
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST / HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64)Host: collect.installeranalytics.comContent-Length: 167Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: collect.installeranalytics.com

Source: global traffic

HTTP traffic detected: GET /MARA01/index.php?VS=MARA01&PL=NAO HTTP/1.1User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36"Host: 20.165.170.228Connection: Keep-Alive

Source: identity_helper.exe, 00000003.00000002.623615275.00000000056BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIEB4C.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\48e8fa.msi

Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0106A330	3_2_0106A330
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01069290	3_2_01069290
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01068830	3_2_01068830
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0105CB10	3_2_0105CB10
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01073E90	3_2_01073E90
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010721B0	3_2_010721B0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0107A1C0	3_2_0107A1C0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0100E03C	3_2_0100E03C
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01010040	3_2_01010040
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01064040	3_2_01064040
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01067090	3_2_01067090
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010A70B9	3_2_010A70B9
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE614D	3_2_00FE614D
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010870C7	3_2_010870C7
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01075370	3_2_01075370
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE626D	3_2_00FE626D
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01070390	3_2_01070390
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010523C0	3_2_010523C0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010653C0	3_2_010653C0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0107D3E0	3_2_0107D3E0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010A320E	3_2_010A320E
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010892A0	3_2_010892A0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE6349	3_2_00FE6349
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010662C0	3_2_010662C0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE24C0	3_2_00FE24C0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01043550	3_2_01043550
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010515C0	3_2_010515C0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01022400	3_2_01022400
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010204BB	3_2_010204BB
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE1540	3_2_00FE1540
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010524D0	3_2_010524D0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE66D5	3_2_00FE66D5
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE867D	3_2_00FE867D
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE5650	3_2_00FE5650
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_010487E0	3_2_010487E0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01065620	3_2_01065620
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01072680	3_2_01072680
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0104A690	3_2_0104A690
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01083690	3_2_01083690
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0100E6AB	3_2_0100E6AB
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE68DD	3_2_00FE68DD
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE18B0	3_2_00FE18B0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01069810	3_2_01069810
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01070810	3_2_01070810
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_00FE19E0	3_2_00FE19E0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01065820	3_2_01065820
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0100F860	3_2_0100F860
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01043890	3_2_01043890
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 4_2_097C2052	4_2_097C2052
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 4_2_6B8C2052	4_2_6B8C2052
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 4_2_07361FD1	4_2_07361FD1
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 4_2_07363850	4_2_07363850
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 4_2_0736E170	4_2_0736E170
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 4_2_07364C00	4_2_07364C00

Source: C:\Users\Public\Documents\identity_helper.exe	Code function: String function: 01092C41 appears 102 times
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: String function: 0100DF3C appears 131 times

Source: Fatrr_UewhcWF.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs Fatrr_UewhcWF.msi
Source: Fatrr_UewhcWF.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs Fatrr_UewhcWF.msi
Source: Fatrr_UewhcWF.msi	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs Fatrr_UewhcWF.msi
Source: Fatrr_UewhcWF.msi	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs Fatrr_UewhcWF.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: starttiledata.dll	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatrr_UewhcWF.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C78C18F24792FB2CF3D3274F6B2C7332
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\Public\Documents\identity_helper.exe "C:\Users\Public\Documents\identity_helper.exe"
Source: unknown	Process created: C:\Users\Public\Documents\identity_helper.exe "C:\Users\Public\Documents\identity_helper.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C78C18F24792FB2CF3D3274F6B2C7332	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\Public\Documents\identity_helper.exe "C:\Users\Public\Documents\identity_helper.exe"	Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: identity_helper.lnk.2.dr

LNK file: ..\..\..\..\..\..\..\..\Public\Documents\identity_helper.exe

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\AdvinstAnalytics

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF96920643A953DED5.TMP

Jump to behavior

Source: shiED5F.tmp.2.dr

Binary string: o\Device\NameResTrk\RecordNrtCloneOpenPacketW

Source: classification engine

Classification label: mal48.evad.winMSI@7/31@2/2

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: 3.2.identity_helper.exe.6b8c0000.2.unpack, Jhku003d/dhsu003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.identity_helper.exe.6b8c0000.2.unpack, Jhku003d/dhsu003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.identity_helper.exe.97c0000.1.unpack, Jhku003d/dhsu003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge_elf.dll.2.dr, Jhku003d/dhsu003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.identity_helper.exe.98e0000.1.unpack, Jhku003d/dhsu003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\Public\Documents\identity_helper.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\649abc180e6ce9401d6e81cf\7.8.6.7\tracking.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Fatrr_UewhcWF.msi

Static file information: File size 2252800 > 1048576

Source:	Binary string: C:\Users\Pichau\Documents\SYSMX\NEWMAG - GB - EDGE- CONTANOMODULO - BARRAOK-NOVAPROGRESS - GB\SISTEMA2.0 - DLL - TIMER-1\Bin\Debug\msedge_elf.pdb source: identity_helper.exe, identity_helper.exe, 00000004.00000002.627670949.00000000097C2000.00000020.00000001.01000000.00000004.sdmp, identity_helper.exe, 00000004.00000002.628047218.000000006B8C2000.00000020.00000001.01000000.00000004.sdmp, msedge_elf.dll.2.dr
Source:	Binary string: wininet.pdb source: shiED5F.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: Fatrr_UewhcWF.msi, 48e8fa.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: Fatrr_UewhcWF.msi, MSIED15.tmp.1.dr, 48e8fa.msi.1.dr
Source:	Binary string: D:\a\_work\e\src\out\Release\identity_helper.exe.pdb source: identity_helper.exe, 00000003.00000000.391646114.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000002.622394030.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000000.408427765.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe.2.dr
Source:	Binary string: d3d12.pdbUGP source: shiEE2B.tmp.2.dr
Source:	Binary string: d3d12.pdb source: shiEE2B.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: Fatrr_UewhcWF.msi, MSIED15.tmp.1.dr, 48e8fa.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr
Source:	Binary string: wininet.pdbUGP source: shiED5F.tmp.2.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, 48e8fa.msi.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, 48e8fa.msi.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_0108294B push ecx; ret

3_2_0108295E

Source: identity_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: shiEE2B.tmp.2.dr	Static PE information: section name: .text_hf
Source: shiEE2B.tmp.2.dr	Static PE information: section name: .didat
Source: shiEE2B.tmp.2.dr	Static PE information: section name: .DDIData
Source: shiED5F.tmp.2.dr	Static PE information: section name: .wpp_sf
Source: shiED5F.tmp.2.dr	Static PE information: section name: .didat

Source: shiED5F.tmp.2.dr

Static PE information: 0x84CD8294 [Wed Aug 8 17:47:00 2040 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.8074948944091345

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEFD5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\Public\Documents\msedge_elf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECE5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2BD9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIED15.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiEE2B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC76.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\Public\Documents\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF034.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF1FA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC77.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\shiED5F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF268.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEFD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECE5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2BD9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB4C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIED15.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC76.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF034.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF1FA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC77.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF268.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zino.ps1			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe TID: 4132	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3320	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 4532	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 7072	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 7072	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 5748	Thread sleep count: 9835 > 30	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 5924	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 4044	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe TID: 2888	Thread sleep count: 9851 > 30	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEFD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIECE5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiEE2B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF034.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF1FA.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiED5F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEC77.tmp	Jump to dropped file

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 4_2_07367220 rdtsc

4_2_07367220

Source: C:\Users\Public\Documents\identity_helper.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe	Window / User API: threadDelayed 9835			Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Window / User API: threadDelayed 9851			Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe

API coverage: 7.4 %

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_010821B1 VirtualQuery,GetSystemInfo,

3_2_010821B1

Source: C:\Users\Public\Documents\identity_helper.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: identity_helper.exe, 00000003.00000002.623615275.00000000056F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 48e8fa.msi.1.dr	Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_0109C376 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0109C376

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 4_2_07367220 rdtsc

4_2_07367220

Source: C:\Users\Public\Documents\identity_helper.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_0109C376 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		3_2_0109C376
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: 3_2_01082756 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		3_2_01082756

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Users\Public\Documents\identity_helper.exe "C:\Users\Public\Documents\identity_helper.exe"

Jump to behavior

Source: identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp, identity_helper.exe, 00000003.00000002.627526421.000000000760E000.00000004.00000800.00020000.00000000.sdmp, identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: identity_helper.exe, 00000003.00000002.627526421.000000000760E000.00000004.00000800.00020000.00000000.sdmp, identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp, identity_helper.exe, 00000003.00000002.627526421.00000000075FD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerT

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Users\Public\Documents\OgtQTC.zip VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Users\Public\Documents\msedge_elf.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Users\Public\Documents\msedge_elf.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Documents\identity_helper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe	Code function: GetLocaleInfoW,	3_2_0109B22C
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_0109F237
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_0109F530
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: EnumSystemLocalesW,	3_2_0109F488
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: EnumSystemLocalesW,	3_2_0109B76D
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: EnumSystemLocalesW,	3_2_0109F783
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: GetLocaleInfoW,	3_2_0109F7F0
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: GetLocaleInfoW,	3_2_0109F910
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_0109F9B7
Source: C:\Users\Public\Documents\identity_helper.exe	Code function: EnumSystemLocalesW,	3_2_0109F8C5

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_010662C0 cpuid

3_2_010662C0

Source: C:\Users\Public\Documents\identity_helper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_01054420 _strlen,_strlen,GetLocalTime,GetTickCount,_strlen,

3_2_01054420

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_0109452C GetTimeZoneInformation,

3_2_0109452C

Source: C:\Users\Public\Documents\identity_helper.exe

Code function: 3_2_01045610 GetVersionExW,GetProductInfo,__Init_thread_header,GetNativeSystemInfo,

3_2_01045610

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	3 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	2 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	56 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	12 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Fatrr_UewhcWF.msi	5%	ReversingLabs
Fatrr_UewhcWF.msi	5%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\Public\Documents\identity_helper.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiED5F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shiEE2B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2BD9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEB4C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEC76.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEC77.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIECE5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIED15.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIEFD5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF034.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF1FA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF268.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://20.165.170.2284	0%	Avira URL Cloud	safe
http://20.165.170.228/MARA01/index.php?VS=MARA01&PL=NAO	0%	Avira URL Cloud	safe
https://HTTP/1.1	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
http://20.165.170.228/MARA01/index.php?VS=MARA01&PL=NAO	0%	Virustotal		Browse
http://20.165.170.228/MARA01/index.php	0%	Avira URL Cloud	safe
https://amxx1515cabreun23.asxo	0%	Avira URL Cloud	safe
https://amxx1515cabreun23.asxo/	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
http://.jpg	0%	Avira URL Cloud	safe
http://20.165.170.228	0%	Avira URL Cloud	safe
https://amxx1515cabreun23.asxo4	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
collect.installeranalytics.com	54.198.235.9	true	false		high
amxx1515cabreun23.asxo	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://20.165.170.228/MARA01/index.php?VS=MARA01&PL=NAO	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://collect.installeranalytics.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	shiED5F.tmp.2.dr	false	Avira URL Cloud: safe	low
https://HTTP/1.1	shiED5F.tmp.2.dr	false	Avira URL Cloud: safe	low
http://20.165.170.2284	identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	identity_helper.exe, 00000003.00000000.391646114.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000002.622394030.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000000.408427765.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe.2.dr	false		high
https://amxx1515cabreun23.asxo	identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	false		high
https://www.thawte.com/repository0W	Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	false		high
https://www.advancedinstaller.com	Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	false		high
http://20.165.170.228/MARA01/index.php	identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://amxx1515cabreun23.asxo/	identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://collect.installeranalytics.com	Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr	false		high
http://.css	shiED5F.tmp.2.dr	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	identity_helper.exe, 00000003.00000002.627526421.00000000074A1000.00000004.00000800.00020000.00000000.sdmp, identity_helper.exe, 00000004.00000002.627493890.0000000007381000.00000004.00000800.00020000.00000000.sdmp	false		high
http://.jpg	shiED5F.tmp.2.dr	false	Avira URL Cloud: safe	low
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	identity_helper.exe, 00000003.00000000.391646114.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000002.622394030.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000000.408427765.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe.2.dr	false		high
http://20.165.170.228	identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://amxx1515cabreun23.asxo4	identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://collect.installeranalytics.com	Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr	false		high
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.198.235.9	collect.installeranalytics.com	United States		14618	AMAZON-AESUS	false
20.165.170.228	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	895606
Start date and time:	2023-06-28 11:58:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Fatrr_UewhcWF.msi
Detection:	MAL
Classification:	mal48.evad.winMSI@7/31@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.3%) Quality average: 74.2% Quality standard deviation: 38.4%
HCA Information:	Successful, ratio: 90% Number of executed functions: 44 Number of non-executed functions: 128
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 142.251.36.202, 142.251.36.234, 142.251.37.10, 172.217.16.170, 142.251.36.170
Excluded domains from analysis (whitelisted): firebasestorage.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:59:05	API Interceptor	3x Sleep call for process: msiexec.exe modified
11:59:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk
11:59:23	API Interceptor	2x Sleep call for process: identity_helper.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.198.235.9	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	hWiWP9kOC9.exe	Get hash	malicious	PrivateLoader	Browse
	hWiWP9kOC9.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse
	WCYoS776qm.exe	Get hash	malicious	Nymaim	Browse
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
collect.installeranalytics.com	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	hWiWP9kOC9.exe	Get hash	malicious	PrivateLoader	Browse	54.198.235.9
	hWiWP9kOC9.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	WCYoS776qm.exe	Get hash	malicious	Nymaim	Browse	54.198.235.9
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse	52.73.64.126
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse	54.198.235.9
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse	54.198.235.9
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse	52.73.64.126
	Levelogger-4.6.2-Installer.exe	Get hash	malicious	Unknown	Browse	54.225.226.3
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse	54.204.22.198
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse	3.222.139.61
	V1lIaJpTZP.exe	Get hash	malicious	MinerDownloader, Nymaim, RedLine, Vidar, Xmrig	Browse	54.204.22.198
	https://tinyurl.com/2abosd8k	Get hash	malicious	Unknown	Browse	54.204.22.198

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	PXPz45kM78.elf	Get hash	malicious	Mirai	Browse	100.25.20.79
	eOF9g6JYAX.elf	Get hash	malicious	Unknown	Browse	54.211.50.102
	fDtncWP2T2.elf	Get hash	malicious	Unknown	Browse	34.232.174.101
	rM1MLEPWb4.elf	Get hash	malicious	Mirai	Browse	18.209.137.146
	https://chipotle.app.link/?$3p=e_et&$fallback_url=https://quattropublicidades.com.br/owa/aa/brian.herman@viewtrade.com	Get hash	malicious	Unknown	Browse	44.210.162.14
	3EYm3kgcui.exe	Get hash	malicious	AsyncRAT	Browse	3.88.20.74
	Invoice.xlsx	Get hash	malicious	HTMLPhisher	Browse	3.233.147.185
	Invoice.xlsx	Get hash	malicious	HTMLPhisher	Browse	3.233.152.246
	https://ct.turing.com/?ti=XnKxebcpeDwvWdbRVlUADzrVRSEAbsLtZmQpeGyzdrlemfqvIS&rd=http%3A%2F%2Fhatbaemama.com/marvel/XnKxebcpeDwvWdbRVlUADzrVRSEAbsLtZmQpeGyzdrlemfqvIS/bW5ld3NvbWVAZ2NnYW1pbmcuY29t	Get hash	malicious	Unknown	Browse	54.144.133.96
	https://summersorthodontics-my.sharepoint.com/:o:/g/personal/fatima_summersortho_com/EtUYeda7l-ZMryzN7-vUM0wBS1Pod5d3nG8Cq96qllxUEw?e=5%3ar24ixc&at=9	Get hash	malicious	Unknown	Browse	34.204.41.25
	https://r20.rs6.net/tn.jsp?f=001OXnSzYvsU7x7Sd9FEbIVki9NlE-9YwTEwGnXtmsCD9V9pV26ksVXm6FUmsPfS2zSxLjRMoqWvyPCqDbRMDWvSonHaizVRSRW-h2k-7eUhbqJvIr7SqW3pRDQQ9NJ97UCgVqBBmI1SzvOFmuHuTFGIQ==&c=CLLSgXE2Ct1Gczd1H2zRGobWELW6Q1Pp8Vdnn0Ed0gkdROw-qWZwHQ==&ch=fo7c-4X5k475-fpd1iafaf2lVjzqukrqOI_Zt4rBVvfzM0tISS9vxA==	Get hash	malicious	Unknown	Browse	52.55.206.165
	BR_000098.08.htm	Get hash	malicious	Unknown	Browse	34.193.113.164
	http://eb4.us/d5f9bd8d	Get hash	malicious	Unknown	Browse	54.237.24.211
	https://www.google.co.uk/amp/s/john-mcquillan-contracts.notion.site/John-McQuillan-Contracts-a9c55eedec754f018f1b2f7a453e17e9?pvs=4	Get hash	malicious	Unknown	Browse	54.82.169.31
	https://ct.turing.com/?ti=XnKxebcpeDwvWdbRVlUADzrVRSEAbsLtZmQpeGyzdrlemfqvIS&rd=http%3A%2F%2Fhatbaemama.com/marvel/XnKxebcpeDwvWdbRVlUADzrVRSEAbsLtZmQpeGyzdrlemfqvIS/bW5ld3NvbWVAZ2NnYW1pbmcuY29t	Get hash	malicious	Unknown	Browse	52.206.206.168
	https://mayfielddairy.sitey.me/?fbclid=IwAR0eRZS2-iqFa8jM-XOItFQv2oVqCJkZul0Lfc627eGRtBT7mGaVuBdc36U	Get hash	malicious	Unknown	Browse	54.225.156.255
	https://profoundexpertbread.tumblr.com/#2UzMyQzMtVzMyQTZkZDN1QzMvM2Yu4WYyVmZpZmLuh2d5N3LvoDc0RHa	Get hash	malicious	Unknown	Browse	3.218.56.233
	http://slim-gum.com	Get hash	malicious	Unknown	Browse	54.166.245.170
	https://airtable.com/shrwF7KLfMHkdRiTL/	Get hash	malicious	Unknown	Browse	107.22.198.248
	https://oirupt.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	3.92.5.217
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://magicalarcadewerewolf.tumblr.com/#==gYBBFTHNlYPBzSY9yaulGbuAHch5yNn9WZ38yL6MHc0RHa	Get hash	malicious	Unknown	Browse	40.114.177.156
	https://boathiresydney.com.au/wjzmchvery/vodka.gif	Get hash	malicious	Unknown	Browse	23.96.124.156
	uwOz6fQ4En.elf	Get hash	malicious	Mirai	Browse	20.113.107.67
	http://p1.pagewiz.net/ze2s7tmr/	Get hash	malicious	HTMLPhisher	Browse	13.90.63.16
	izie2V13jr.elf	Get hash	malicious	Unknown	Browse	21.21.154.101
	PXPz45kM78.elf	Get hash	malicious	Mirai	Browse	20.145.166.159
	eOF9g6JYAX.elf	Get hash	malicious	Unknown	Browse	22.237.172.191
	fDtncWP2T2.elf	Get hash	malicious	Unknown	Browse	40.89.56.122
	qEItSfx4cQ.elf	Get hash	malicious	Unknown	Browse	21.250.137.116
	ZR657rkiJ0.elf	Get hash	malicious	Mirai	Browse	22.216.82.12
	R_ DHL Express - I documenti sono disponibili per il download.msg	Get hash	malicious	Unknown	Browse	52.109.32.24
	rM1MLEPWb4.elf	Get hash	malicious	Mirai	Browse	20.56.176.244
	http://crookedgiverpoetry.tumblr.com/#2UzMyQzMtVzMyQTZkZDN1QzMvM2Yu4WYyVmZpZmLqpGa0V2LvoDc0RHa	Get hash	malicious	Unknown	Browse	40.114.177.156
	https://ncv.microsoft.com/n5Kx1XhuzS	Get hash	malicious	HTMLPhisher	Browse	13.107.213.45
	file.exe	Get hash	malicious	Tofsee	Browse	104.47.53.36
	ATT00001 (1).htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://chipotle.app.link/?$3p=e_et&$fallback_url=https://quattropublicidades.com.br/owa/aa/brian.herman@viewtrade.com	Get hash	malicious	Unknown	Browse	40.126.53.21
	ATT00001.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	#U2705 ATT000387641.html	Get hash	malicious	Unknown	Browse	13.107.213.45
	https://callon.carter-hay.com/MRV6XVRQXP2K700YTGHM/abcd@abcd.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\shiED5F.tmp	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse
	54zEUp34e1.exe	Get hash	malicious	Unknown	Browse
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse
	ECnCJ4QWok.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	IcEL4U66yX.exe	Get hash	malicious	Unknown	Browse
	hWiWP9kOC9.exe	Get hash	malicious	PrivateLoader	Browse
	hWiWP9kOC9.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse
	S4iK1tSHGc.exe	Get hash	malicious	Unknown	Browse
	WCYoS776qm.exe	Get hash	malicious	Nymaim	Browse
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse
	a1rzxoicOg.exe	Get hash	malicious	Unknown	Browse
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse
	8UvPumbygi.exe	Get hash	malicious	Nymaim	Browse
	Levelogger-4.6.2-Installer.exe	Get hash	malicious	Unknown	Browse
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse
	21REzKeOgq.exe	Get hash	malicious	Nymaim	Browse
	https://tinyurl.com/2abosd8k	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.GenericKD.65705581.16120.15146.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\Public\Documents\OgtQTC.zip

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	952513
Entropy (8bit):	7.998406700980047
Encrypted:	true
SSDEEP:	24576:tW5oPAU6mipm4lBXHfp611l133D/ly2BTW37VcuqHq:O9U6mJ4n/s1T133zI2wrVcuIq
MD5:	CE9B3A65EB8800DB4014605841B359BD
SHA1:	53FD860C7DC69431D16F6E45B6045F51B7BA9EDC
SHA-256:	C6D1EFECFBC48876E60F4FCE83DA65CF4DD8A53E8D6E7E4E320466D74249B28C
SHA-512:	0CBBCD39C72EA7149623434363984607489CD7FC0C7E72BD0C80DA68E104F0FA6D8216E23E489A32CD08D1AE036CA590A72AC3330B5C653E37EE5AFB9D07DC2F
Malicious:	false
Reputation:	low
Preview:	PK........C..V./..............identity_helper.exe.Z{\|.E...L.W...B.. `.]....LP0.H.Q... .dr!F.......qE......,...Dy.0.."!.....I.!.5..Uu.Lf........IWWWW.....3v.".#..H..L..-.;...b..n.K.u..'....slsrf..g....2.'..Yb..Tq.-=c.D.%...]'..'.k..H_]....u.>....Ph=..'$.q.....y.6.\|6.YG6NP...z.%;..I.D...f".....@....&.X@...).BB...Q......+.}.g.l.v.....r.Y.~4gh]t..E ;0'}f.LB....uA._../..{.6..y7ry..K8..Ghp?.....s.1....!..Pz...b}...._.~..9.sf....C..O..z9..m...%..._H..._...U.$..'J.T...m..F.0FpN..."....3......-:..z...L.q.....x\|WV.....W..=..7.h6.s..#E..H.B..-0...Bt..-b.q...".i......9...v.~....._.$....BI.sm...kG.,.C...N.."X..z.HX.i....~.k.C.."h...~..hk~..y.......1.P=`....,d..-mj.Z.R..r...$g..r...'dd........G.....9S..4S..\|...`.......h..>.`s5..\|.%....t...9.\...F....Ws}...m.rT.r..`..........H.V.oR...\.[.b.'@]/.>.x.$...i..a.p.,:D._...Q.(.7.....,...{..E..EV".yf(.Z.yiv9M....j..a.4C`C.i..S.-.......5.[..i.5..+^...Q.d.}.H.......8P.cw....X.....,.d.u..p..e..f3-X.^`..U...Z.

C:\Users\Public\Documents\identity_helper.exe

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1103264
Entropy (8bit):	6.783368023991025
Encrypted:	false
SSDEEP:	24576:APUsmWUOp5Owzjx7vlHgfopIPm12/1ScWqV89//bo:YUsNhjsOIf1Sc7+//U
MD5:	216FBFDD15F983EE770F1A135EDA572C
SHA1:	82471E22544494305C11F3DA11763F25EB722AAF
SHA-256:	BEEC4C4E010F1F5EA76EBF43C6A2B9E2E2264A5280BDF41E5E8607F889B61E0A
SHA-512:	7E6E3216EBB3DF7347C51DEB1B6D0503B49972BBFF593D609C0C830ECC073F5C3E7E4F060611EEDE5EF7037BF3E2F984EC42D425C3022BBCBDAD6B691DD16E98
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......d.........."..................,............@..................................!....@.................................d........`...................'...p..0...\...8...........................`................................................text.............................. ..`.rdata...3.......4..................@..@.data....>.......>..................@....00cfg.......@....... ..............@..@.tls.........P......."..............@....rsrc........`.......$..............@..@.reloc..0....p.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Documents\msedge_elf.dll

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	823808
Entropy (8bit):	6.243154340022517
Encrypted:	false
SSDEEP:	12288:Qr3qqqXxWEsDXXXTrIqsLhHfvsDbh499FqsLsqsLXzqqqXQuBW80DXXXTwvzrI/:sdPgHfo4YCkNIvy
MD5:	C4F1B57F506672ECEA678BA35A44F4B9
SHA1:	BDC9ABF7CC236832948B4222DA6EE002343C0A7E
SHA-256:	BD42A3174F34E485725D887F72EEC48D787C2428243617D5F9DEC0DC1EF50B8F
SHA-512:	15D1D9854D7415A6C068A916DE95622ECE976B316559D43569CC9E34324EBAC7A6150651116631C56D9480BD490164CD5F14C038F6164C00B5D355D21AB28FBE
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....).d...........!.....:...........Y... ...`....@.. ....................................@..........................`..(....Y..O.................................................................................... ............... ..H............text....9... ...:.................. ..`.sdata.......`.......>..............@....rsrc................@..............@..@.reloc..pL.......N...D..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\AdvinstAnalytics\649abc180e6ce9401d6e81cf\7.8.6.7\tracking.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.0081320258334
Encrypted:	false
SSDEEP:	3:1EyEMyvn:1BEN
MD5:	6BC190DD42A169DFA14515484427FC8E
SHA1:	B53BD614A834416E4A20292AA291A6D2FC221A5E
SHA-256:	B3395B660EB1EDB00FF91ECE4596E3ABE99FA558B149200F50AABF2CB77F5087
SHA-512:	5B7011ED628B673217695809A38A800E9C8A42CEB0C54AB6F8BC39DBA0745297A4FBD66D6B09188FCC952C08217152844DFC3ADA7CF468C3AAFCEC379C0B16B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[General]..Active = true..

C:\Users\user\AppData\Local\AdvinstAnalytics\649abc180e6ce9401d6e81cf\7.8.6.7\{FA015603-7D74-4142-8F3D-91E0218EBBFB}.session

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13732
Entropy (8bit):	5.40828066022351
Encrypted:	false
SSDEEP:	384:UwQ/414lsVGg5aJpRvQkdYZXJg7aExhV3N+iWhFr0PkPg+2Ig4EDM:UwQ/414lsVGg5aJpRvhdYZXJg7aEXV9m
MD5:	8AC23955DD43C6182C7958430BF3606E
SHA1:	B0727BC12C4991A5F4C5D5F1C07E61AA1924DDAC
SHA-256:	54E5655892AF52E63888E8E8D1AD0D77E14BEABAECA08CED6020836EC1BE98E6
SHA-512:	968BC9F84F3704208F2C06E61507254640F2B101EA19C075C7D15E5AE123885A9896CB50E99E2C2FC0D7B9E3C6BED1C354D2A1FC59731C1D7BECA433DA5606BE
Malicious:	false
Preview:	[Hit {1AA2B042-59CE-4C48-83C3-FB83AEBD0468}]..Queue Time = 0..Hit Type = lifecycle..Life control = start..Protocol Version = 3..Application ID = 649abc180e6ce9401d6e81cf..Application Version = 7.8.6.7..Client ID = 7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B..Session ID = {FA015603-7D74-4142-8F3D-91E0218EBBFB}....[Hit {6BD7C390-2F6E-4400-9BA9-D6A7A1807735}]..Queue Time = 0..Hit Type = property..Label = VersionNT..Value = 1000..Protocol Version = 3..Application ID = 649abc180e6ce9401d6e81cf..Application Version = 7.8.6.7..Client ID = 7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B..Session ID = {FA015603-7D74-4142-8F3D-91E0218EBBFB}....[Hit {3F24059A-48C7-435C-805F-D29504A3250E}]..Queue Time = 0..Hit Type = property..Label = VersionNT64..Value = 1000..Protocol Version = 3..Application ID = 649abc180e6ce9401d6e81cf..Application Version = 7.8.6.7..Client ID = 7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B..Session ID = {FA015603-7D74-4142-8F3D-91E0218EBBFB}....[Hit {18C0204C-1AFA-48EE-B1C6-CDC7D9899C75}].

C:\Users\user\AppData\Local\Temp\shiED5F.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3015168
Entropy (8bit):	6.488798060334229
Encrypted:	false
SSDEEP:	49152:sS4Q3T9DntJVJZy+PDGffBlj+mBLZESa9cxpy4AiE6CxdNnstH/9hGwQn+rV:x4QpDnDVJZySGfX1uSa9y9evdNnstH/n
MD5:	2BED2F1B8B7975B5F317813B9D2DC150
SHA1:	DC9C89E36F2BC4E01907E0CE698881BB267EAE34
SHA-256:	A1804D8C5127E13C27F664CDD3427C185FAE6ED2AB36108B501859C670F328BD
SHA-512:	49FFB70F169198F1F60C5AB6B15AA535D6905988623DF875A976D3A0ABD5E5EA1F09969B26F50F2E6C56DFC5624BAD84E73CB4238FC9F94B9E252775C691B3EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 54zEUp34e1.exe, Detection: malicious, Browse Filename: 54zEUp34e1.exe, Detection: malicious, Browse Filename: ECnCJ4QWok.exe, Detection: malicious, Browse Filename: ECnCJ4QWok.exe, Detection: malicious, Browse Filename: IcEL4U66yX.exe, Detection: malicious, Browse Filename: IcEL4U66yX.exe, Detection: malicious, Browse Filename: hWiWP9kOC9.exe, Detection: malicious, Browse Filename: hWiWP9kOC9.exe, Detection: malicious, Browse Filename: S4iK1tSHGc.exe, Detection: malicious, Browse Filename: S4iK1tSHGc.exe, Detection: malicious, Browse Filename: WCYoS776qm.exe, Detection: malicious, Browse Filename: a1rzxoicOg.exe, Detection: malicious, Browse Filename: a1rzxoicOg.exe, Detection: malicious, Browse Filename: 8UvPumbygi.exe, Detection: malicious, Browse Filename: 8UvPumbygi.exe, Detection: malicious, Browse Filename: Levelogger-4.6.2-Installer.exe, Detection: malicious, Browse Filename: 21REzKeOgq.exe, Detection: malicious, Browse Filename: 21REzKeOgq.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.65705581.16120.15146.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g....l..l..l.~....l..bo..l..bm..l..bi..l..m.I.l..bh..l..bl..l..bb...l..b...l..bn..l.Rich..l.................PE..L.................!...............P.............c.........................`............@A..........................).K&.......... +...................... -..=...:..T....................N.......#......................e)......................text.....).......)................. ..`.wpp_sf.:.....).......)............. ..`.data...@4........................@....idata..\|/......0.................@..@.didat..H.....+....................@....rsrc........ +....................@..@.reloc...=... -..>....,.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\shiEE2B.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1299560
Entropy (8bit):	6.717180055414863
Encrypted:	false
SSDEEP:	24576:MhGigXBH4snfDLhfxTdLXWVjpUVAs7ImLKrVA16yiLo+aegfNoZFag9WM1KOn:AGigXBHvfD1f3Li9UVlerVWhNcag97sY
MD5:	84A28C3CF7B811847D74CE68C894FBA0
SHA1:	3140559C1BF1FF76A481C2E264808B3D094008FE
SHA-256:	A95C72F5B9FB9274AC9DAF554B24300E32C5E300AC92B6CE5EC8DB11F5745104
SHA-512:	E1DED6FBA8FC17DAECF97E5B0004FF6064D4403E3B02086CFCB3A2F04C36E7617D96DE9CC993B12AA00B64613BC766E985CEE25F818AC214196B8D16A2BCC2B2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Wh..9;..9;..9;...;..9;..::.9;..=:.9;..8:..9;..<:..9;..8;..9;..7:..9;..9:..9;...;..9;..;:..9;Rich..9;................PE..L..................!.....\|...h............................................... ............@A........................ ........#.. ....`..................hN...P......`...T...................DV.......S............... ...............................text...)\|.......~.................. ..`.text_hf............................ ..`.data...........(..................@....idata..V.... ... ..................@..@.didat..<....@......................@....DDIData.....P......................@....rsrc........`......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	4.155379993589854
Encrypted:	false
SSDEEP:	48:rlsPwyILZzJqlYXUqKquMgP0XEOqulG1qXZw3quptfBWY2zadR0vmh01ykquZQb:vXRSM3g/qGcyDfBWtedR0v40Y7
MD5:	07E2B417ABEA51AB598DC5757F7FB0A8
SHA1:	57FE111CC909743BBCDBC1B7AAE0DCD1CB771691
SHA-256:	B99D43254F27FC886E9E67E474E47E316F5B6F21D2B5C20588D6F3BA622C5941
SHA-512:	8ECD1AC320DBBCEAB8531431D369F82BD896855636A17E67C13B39D9CF0216D40878FC2C47CF35DF1EC3BF08CDDC51E4DAE16ADF582CDBF695B3FC94502A66E6
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	880
Entropy (8bit):	3.2421499879593454
Encrypted:	false
SSDEEP:	12:8wl05RsXUd9CVJEIQGbBIWtEqYIAvmNJS4t2Y+xIBjK:8t+IG2KZcCJO7aB
MD5:	14820CB37F2B8A01F49E62BF826F9B8A
SHA1:	6CE79C8C9225E8959F27FE95CA7C04DBCA9DF31E
SHA-256:	E5F8FB412CAE20A46BA6CE083FED8F13AB80773AEF15C1C30BAF0682C58BFEA7
SHA-512:	35DA4BC78AACC901093B2EBDED3ACCB4CB1111BC4B1A1E4D130B99728E757FA279E9CCB16DDA86E407E8E89045E801B792A5C4E71F9365EF4C64D6C4590EE261
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........Public..>............................................P.u.b.l.i.c.....\.1...........Documents.D............................................D.o.c.u.m.e.n.t.s.....z.2...........identity_helper.exe.X............................................i.d.e.n.t.i.t.y._.h.e.l.p.e.r...e.x.e..."...<.....\.....\.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.D.o.c.u.m.e.n.t.s.\.i.d.e.n.t.i.t.y._.h.e.l.p.e.r...e.x.e...C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.D.o.c.u.m.e.n.t.s.\.............-............$H...E...ye.64-...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zino.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:gpyn:g4n
MD5:	A067F5EC97BA51B576825B69BC855E58
SHA1:	907D296538A45D5B593512881D721C7D347B8E04
SHA-256:	CF3E339D25C3C023C9417FFC5D8E73F1DA828B18FEECAF14FDB9C24D04E49BA0
SHA-512:	F6058F37CF764E6CD807D9C0E9DE881849E4C94EC1D2E0C0EB504ABF77147E77CB09113B087E1C10E790C3EC45780E5986D29B2A84B364C5F697F884B1549F4D
Malicious:	false
Preview:	NULL..

C:\Windows\Installer\48e8fa.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {4EACFE79-EFFB-4636-86E9-CECF9E2524A6}, Number of Words: 10, Subject: UUIN RSTRROEUTR, Author: UUIN RSTRROEUTR, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: UUIN RSTRROEUTR, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2252800
Entropy (8bit):	6.488775770786979
Encrypted:	false
SSDEEP:	49152:2m5DxGSFVtaN4AyK8tKk5ojmrhCMz5vk3ukDln/hFRFNUEekBIWsRkn4frUMXjDA:vxM4AeKknz5vqu0sRe4frUMXjTY
MD5:	076682947CDB70A184620AED267A64E5
SHA1:	49A78FD9BA854E7E2A16276CDD4188ADE83CE384
SHA-256:	FCFA8B7B8DC0EF9D2A4BAABCD78551C0EF1B2B505180D30EE1729298013B5204
SHA-512:	43E34AC7CCDF8861B8E4D6DCEDA852FC2AE548340F03055B24B43FE60079C6B391ABFE05BDD3C824A6AF6E78555795966F513906056C7D60547EB63CE205F123
Malicious:	false
Preview:	......................>...................#...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U...............................................................................................................................................................................................................................................................................................................................c...............%...7........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...5...2...3...4...8...6...@...C...9...:...;...<...=...>...?...R...A...B...H...D...E...F...G...q...I...b...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......d...u...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...v.......w...x...y...z...

C:\Windows\Installer\MSI2BD9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780768
Entropy (8bit):	6.387720196228063
Encrypted:	false
SSDEEP:	12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
MD5:	573F5E653258BF622AE1C0AD118880A2
SHA1:	E243C761983908D14BAF6C7C0879301C8437415D
SHA-256:	371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
SHA-512:	DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEB4C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780768
Entropy (8bit):	6.387720196228063
Encrypted:	false
SSDEEP:	12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
MD5:	573F5E653258BF622AE1C0AD118880A2
SHA1:	E243C761983908D14BAF6C7C0879301C8437415D
SHA-256:	371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
SHA-512:	DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEC76.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388064
Entropy (8bit):	6.407392408414975
Encrypted:	false
SSDEEP:	6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
MD5:	20C782EB64C81AC14C83A853546A8924
SHA1:	A1506933D294DE07A7A2AE1FBC6BE468F51371D6
SHA-256:	0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
SHA-512:	AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEC77.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388064
Entropy (8bit):	6.407392408414975
Encrypted:	false
SSDEEP:	6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
MD5:	20C782EB64C81AC14C83A853546A8924
SHA1:	A1506933D294DE07A7A2AE1FBC6BE468F51371D6
SHA-256:	0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
SHA-512:	AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIECE5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388064
Entropy (8bit):	6.407392408414975
Encrypted:	false
SSDEEP:	6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
MD5:	20C782EB64C81AC14C83A853546A8924
SHA1:	A1506933D294DE07A7A2AE1FBC6BE468F51371D6
SHA-256:	0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
SHA-512:	AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIED15.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	878560
Entropy (8bit):	6.452749824306929
Encrypted:	false
SSDEEP:	24576:QK8S3AccKkqSojmrhCMou5vk3Y+ukDln/hFRFNUEekB:QK8tKk5ojmrhCMz5vk3ukDln/hFRFNU0
MD5:	D51A7E3BCE34C74638E89366DEEE2AAB
SHA1:	0E68022B52C288E8CDFFE85739DE1194253A7EF0
SHA-256:	7C6BDF16A0992DB092B7F94C374B21DE5D53E3043F5717A6EECAE614432E0DF5
SHA-512:	8ED246747CDD05CAC352919D7DED3F14B1E523CCC1F7F172DB85EED800B0C5D24475C270B34A7C25E7934467ACE7E363542A586CDEB156BFC484F7417C3A4AB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j{..............`.......`..W...<.......<.......<.......`.......`.......`..............>.......>.......>...............>.......Rich....................PE..L...}.`.........."!.........\|...........................................................@............................t...T........................N..............X}..p....................~.......}..@............................................text............................... ..`.rdata..............................@..@.data...\...........................@....rsrc................^..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIEFD5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780768
Entropy (8bit):	6.387720196228063
Encrypted:	false
SSDEEP:	12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
MD5:	573F5E653258BF622AE1C0AD118880A2
SHA1:	E243C761983908D14BAF6C7C0879301C8437415D
SHA-256:	371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
SHA-512:	DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF034.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780768
Entropy (8bit):	6.387720196228063
Encrypted:	false
SSDEEP:	12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
MD5:	573F5E653258BF622AE1C0AD118880A2
SHA1:	E243C761983908D14BAF6C7C0879301C8437415D
SHA-256:	371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
SHA-512:	DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF1FA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388064
Entropy (8bit):	6.407392408414975
Encrypted:	false
SSDEEP:	6144:U7C5QB3/CNG2HBOqf2BLuoZSKYfuAO8DOE09VKYnyZwYW:qB3WBOG2BPDKSf9VtyZNW
MD5:	20C782EB64C81AC14C83A853546A8924
SHA1:	A1506933D294DE07A7A2AE1FBC6BE468F51371D6
SHA-256:	0ED6836D55180AF20F71F7852E3D728F2DEFE22AA6D2526C54CFBBB4B48CC6A1
SHA-512:	AFF21E3E00B39F8983D101A0C616CA84CC3DC72D6464A0DD331965CF6BECCF9B45025A7DB2042D6E8B05221D3EB5813445C8ADA69AE96E2727A607398A3DE3D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......b2..&S..&S..&S..28..+S..28..S...'..)S...'..1S...'..aS..28..?S..28..'S..28..;S..&S..wR...'..tS...'..'S...'+.'S..&SC.'S...'..'S..Rich&S..........................PE..L.....`.........."!.................Z..............................................a.....@.........................@n.......v..........0.......................d?..X...p...............................@............... ............................text............................... ..`.rdata.............................@..@.data...............................@....rsrc...0...........................@..@.reloc..d?.......@..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF268.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	780768
Entropy (8bit):	6.387720196228063
Encrypted:	false
SSDEEP:	12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
MD5:	573F5E653258BF622AE1C0AD118880A2
SHA1:	E243C761983908D14BAF6C7C0879301C8437415D
SHA-256:	371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
SHA-512:	DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF325.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1412
Entropy (8bit):	5.5357399609592175
Encrypted:	false
SSDEEP:	24:Wg4Hqt6fI03ylTi6OZhEu6ANjWk/C9VvbkBSDvb6KHq8x/6+Xkb1f0xX6yGb6KHr:W0YQBA4Cs2tj+K1AX62tBG
MD5:	BCCB88D76838A79BB167E1A9BCA8EC76
SHA1:	31AEFB87740363C5504F35F2AA16B27B083954BD
SHA-256:	E6FC1FAD4CD01B19039AB8C42EB7A57FDD11476876247B948CE856240742424E
SHA-512:	117269B41B8D6B4F704639F12D5AF1CDEF7F0617B3369401E5B8B76A09230274536087EDC6797FB243F875AD532E5C508CA3DAE7CE4D10DEB6A5B7E176EAEFAC
Malicious:	false
Preview:	...@IXOS.@.....@c_.V.@.....@.....@.....@.....@.....@......&.{5E04AB3D-945E-4FDC-A15F-A16FAEACC06C}..UUIN RSTRROEUTR..Fatrr_UewhcWF.msi.@.....@.....@.....@........&.{4EACFE79-EFFB-4636-86E9-CECF9E2524A6}.....@.....@.....@.....@.......@.....@.....@.......@......UUIN RSTRROEUTR......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{6E497D3B-DB84-4917-A984-13BA463D2AF8}?.C:\Users\user\AppData\Roaming\UUIN RSTRROEUTR\UUIN RSTRROEUTR\.@.......@.....@.....@......&.{FADF6E33-9191-4E1B-99FB-4E958F5FC0DA}4.01:\Software\UUIN RSTRROEUTR\UUIN RSTRROEUTR\Version.@.......@.....@.....@......&.{8FB416A0-C9BA-44AB-8B1F-8D07EF665C67}P.01:\Software\UUIN RSTRROEUTR\{5E04AB3D-945E-4FDC-A15F-A16FAEACC06C}\AI_IA_ENABLE.@.......@.....@.....@........CreateFolders..Criando novas pastas..Pasta: [1]".?.C:\Users\user\AppData\Roaming\UUIN RSTRROEUTR\UUIN

C:\Windows\Installer\SourceHash{5E04AB3D-945E-4FDC-A15F-A16FAEACC06C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1654945483537515
Encrypted:	false
SSDEEP:	12:JSbX72FjNkAGiLIlHVRpEh/7777777777777777777777777vDHFi2WL2IFc/L/z:J4QI5UVcWGF
MD5:	CE282E2C20C8BCE889CEF85F8F82CF13
SHA1:	0760370FCDA855EF5FE2D7A895D896DF1CF7CC57
SHA-256:	AFA1E1AABB57804DBC393CE737F4FFEBA2C6DDE4A5E912BC16D3B4EAD3494ACE
SHA-512:	63B35BBA246E095C385B54C7B7CE63ABDBF460F9ACCA0D692C082FC03A75398855363EB62C122EA1FD788F68EE47DE11C2D71377E08883436B8412A6EE07BFE2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.832833343081842
Encrypted:	false
SSDEEP:	48:T8Ph5uRc06WXJSFT5qIa70DUj+7SKj+1AEKgCypykv8xqo8x4swXGcp4ru2xBxYE:6h51JFTQIy+7F++kCSMk87K4G1+7F+0
MD5:	BE83F2F0279A63A809B33DB6DB05F43C
SHA1:	D08DF19A13C7CB41D91BF165A1EE6C85AC4E8538
SHA-256:	40D801ACB344C78A25D8F2E339DC77E170200AF36A6D7E42896A56E80BA2A5E0
SHA-512:	53A7AC884862F2C9F11666E0CA88B5934B69BE93DAEDF5FFD8474A8C69E0748E1850AF131D22AEAE973E8EDEFD1E97D6625D7B3C142133523CA9A037949E39D2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	192827
Entropy (8bit):	5.3920160716202545
Encrypted:	false
SSDEEP:	3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bF+:i0LVlAA
MD5:	E7133710F1F9C56CDBE00083629CD8DB
SHA1:	7D2227AB994E1F5315AEE5C4DF22BBDAD62D9535
SHA-256:	64395648165AC5D7BFBFA164DE385358CFF7177E660BCF14E40E434A9750876F
SHA-512:	2D0AD74602777CD5233B9C214FAC23737BEF6C8BE2FDF8ABE52F008A01D3116684F89E260BBE2CE8E47D74AD9FC32E0859D63D56EDB795F1061D7534C5BC6950
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

C:\Windows\Temp\~DF3E67AFDA2D889E15.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.832833343081842
Encrypted:	false
SSDEEP:	48:T8Ph5uRc06WXJSFT5qIa70DUj+7SKj+1AEKgCypykv8xqo8x4swXGcp4ru2xBxYE:6h51JFTQIy+7F++kCSMk87K4G1+7F+0
MD5:	BE83F2F0279A63A809B33DB6DB05F43C
SHA1:	D08DF19A13C7CB41D91BF165A1EE6C85AC4E8538
SHA-256:	40D801ACB344C78A25D8F2E339DC77E170200AF36A6D7E42896A56E80BA2A5E0
SHA-512:	53A7AC884862F2C9F11666E0CA88B5934B69BE93DAEDF5FFD8474A8C69E0748E1850AF131D22AEAE973E8EDEFD1E97D6625D7B3C142133523CA9A037949E39D2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4025A625E0D551F5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF462659B33DA05CF2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.072847580922046
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOi2adL2IFcY8tSVky6lV1:2F0i8n0itFzDHFi2WL2IFc/L/
MD5:	2CD04518189452D5253B5CA33A9735D9
SHA1:	8EC221C6FA6877B79C9538C08502DB9E237791B1
SHA-256:	7BE4391DDDF44C35204DA2FF395480C08D17D0091EBF5833DAD59D82E165A78B
SHA-512:	3B371223F3935D8595F746D992EB03EEDE8A6AD11A52E88D879FFC00B21CAC5FAC9D3BDDD3C67A745FF8A68DE673293BE1E915DC7F1C8476B8FDDD028D85874F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF51C47882E3B42229.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6E1C4ADD4CB737F3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	1.2036358901766264
Encrypted:	false
SSDEEP:	96:HBaI7T387Iy+7F++kCSMk87K4G1+7F+0:h57zXFzDGs
MD5:	198D3337119DB257FA5D06C381864193
SHA1:	0E2E4339484A8DBD8C094E18DAF854FEF7662370
SHA-256:	ABA86CC0D095B2467434E2250E8E6CA383DB9A583DA8B129B24A268B0EECA0C8
SHA-512:	B52EA28FF4AB617AA1115C6C5B530BBD16E19F400C4EF46C26AFC14497ABFC07A934AFFB17CE8D6B6853363D13CF1AE5E4C9D4C118C9F743B5FC3A6968371B3F
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF96920643A953DED5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.3028227972966795
Encrypted:	false
SSDEEP:	48:tEzRT2j+7SKj+6j+7SKj+1AEKgCypykv8xqo8x4swXGcp4ru2xBxYxMxqxrxbxEJ:ya+7F+8+7F++kCSMk87K4GNH
MD5:	0DD91C410C7756F774CA2FAE33FA0FA4
SHA1:	270DA2E203E7B71A7CA6B15621D4C2F7E36BCD21
SHA-256:	32235FF48BE743D1F3D5A3DC7E4863F7410A96ECF60F3BCE873B321FBE48BAE4
SHA-512:	C44B8E1B2464BEEC4C08032D0D46B3D0D328C962E752CAD9FBC4D9191D111642ACCF76594807EA2D35EF70C10E7FFE14F31DCA2CB8CADD363462DA28EF847577
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {4EACFE79-EFFB-4636-86E9-CECF9E2524A6}, Number of Words: 10, Subject: UUIN RSTRROEUTR, Author: UUIN RSTRROEUTR, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: UUIN RSTRROEUTR, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	6.488775770786979
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	Fatrr_UewhcWF.msi
File size:	2'252'800 bytes
MD5:	076682947cdb70a184620aed267a64e5
SHA1:	49a78fd9ba854e7e2a16276cdd4188ade83ce384
SHA256:	fcfa8b7b8dc0ef9d2a4baabcd78551c0ef1b2b505180d30ee1729298013b5204
SHA512:	43e34ac7ccdf8861b8e4d6dceda852fc2ae548340f03055b24b43fe60079c6b391abfe05bdd3c824a6af6e78555795966f513906056c7d60547eb63ce205f123
SSDEEP:	49152:2m5DxGSFVtaN4AyK8tKk5ojmrhCMz5vk3ukDln/hFRFNUEekBIWsRkn4frUMXjDA:vxM4AeKknz5vqu0sRe4frUMXjTY
TLSH:	5CA58D1275CA8732EA7E8134A5AAD73621FA3FE01BB154DF53D4593A0EB05C242B2F17
File Content Preview:	........................>...................#...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U..................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.354.198.235.949698802849814 06/28/23-11:59:26.808026	TCP	2849814	ETPRO MALWARE TakeMyFile User-Agent	49698	80	192.168.2.3	54.198.235.9
192.168.2.354.198.235.949698802849813 06/28/23-11:59:26.808026	TCP	2849813	ETPRO MALWARE TakeMyFile Installer Checkin	49698	80	192.168.2.3	54.198.235.9

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2023 11:59:19.734811068 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:19.880330086 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:19.880470037 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:19.880568027 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:19.880738974 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.028831959 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.029001951 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.033425093 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.033519983 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.041246891 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.041246891 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.186165094 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.190954924 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.192019939 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.195630074 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.195630074 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.340396881 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.344896078 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.344993114 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.347153902 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.347235918 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.491894960 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.496581078 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.497339964 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.498967886 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.499056101 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.643743038 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.648226976 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.648317099 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.650125980 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.650168896 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.794931889 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.799293995 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.799619913 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.801671982 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.801738024 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.947312117 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.951879978 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:20.951980114 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.965895891 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:20.965943098 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.110753059 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.115596056 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.115688086 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.117192984 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.117192984 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.262067080 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.266661882 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.266808033 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.270152092 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.270153046 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.415079117 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.419419050 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.419574976 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.420922995 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.420922995 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.565717936 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.570180893 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.570306063 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.572173119 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.572211981 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.717025995 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.721196890 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.721502066 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.724052906 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.724121094 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.868777990 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.873471022 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:21.873744965 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.876401901 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:21.876401901 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.021140099 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.034540892 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.034709930 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.037369967 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.037437916 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.182156086 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.186919928 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.187118053 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.188186884 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.188225985 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.333084106 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.337660074 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.337959051 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.340310097 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.340451002 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.486139059 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.532136917 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.532243967 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.533828020 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.533871889 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.678723097 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.683301926 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.683453083 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.685344934 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.685376883 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.833430052 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.838324070 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.838558912 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.841305017 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.841438055 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.986242056 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.990664005 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:22.990833998 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.992186069 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:22.992186069 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.141467094 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.243037939 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.243264914 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.244498968 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.244546890 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.389270067 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.393836975 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.394017935 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.396625042 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.396727085 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.541475058 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.545558929 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.545686960 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.547868967 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.547938108 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.692711115 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.704056025 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.704157114 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.705996990 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.706034899 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.851080894 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.854576111 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:23.855550051 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.855837107 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:23.855873108 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.000596046 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.004755974 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.004837990 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.006185055 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.006223917 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.150945902 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.199446917 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.199536085 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.200870037 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.200907946 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.345755100 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.350294113 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.350379944 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.351911068 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.351990938 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.496781111 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.500977039 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.501070976 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.502922058 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.503031969 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.647759914 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.652072906 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.652251005 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.653465033 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.653502941 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.798285961 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.803061008 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.803210020 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.804680109 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.804718971 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.949423075 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.953893900 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:24.954802990 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.957423925 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:24.957518101 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:25.102246046 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:25.707835913 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:25.709933043 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:25.711179018 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:25.711179018 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:25.856167078 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:25.869736910 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:25.870104074 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:25.872939110 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:25.872939110 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.018019915 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.041735888 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.041980028 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.044327974 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.044327974 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.189094067 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.193871021 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.194175005 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.196824074 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.196918011 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.341691017 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.346458912 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.346740961 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.349838972 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.349963903 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.494699001 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.499509096 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.499687910 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.502446890 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.502542973 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.648169041 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.652754068 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.652992964 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.655591965 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.655658960 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.800443888 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.805027962 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.805300951 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.808026075 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.808090925 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:26.952732086 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.968133926 CEST	80	49698	54.198.235.9	192.168.2.3
Jun 28, 2023 11:59:26.968388081 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:27.146084070 CEST	49698	80	192.168.2.3	54.198.235.9
Jun 28, 2023 11:59:42.403894901 CEST	49699	80	192.168.2.3	20.165.170.228
Jun 28, 2023 11:59:42.548702955 CEST	80	49699	20.165.170.228	192.168.2.3
Jun 28, 2023 11:59:42.549962044 CEST	49699	80	192.168.2.3	20.165.170.228
Jun 28, 2023 11:59:42.550473928 CEST	49699	80	192.168.2.3	20.165.170.228
Jun 28, 2023 11:59:42.695920944 CEST	80	49699	20.165.170.228	192.168.2.3
Jun 28, 2023 11:59:42.961000919 CEST	80	49699	20.165.170.228	192.168.2.3
Jun 28, 2023 11:59:43.012453079 CEST	49699	80	192.168.2.3	20.165.170.228
Jun 28, 2023 11:59:47.966221094 CEST	80	49699	20.165.170.228	192.168.2.3
Jun 28, 2023 11:59:47.966331959 CEST	49699	80	192.168.2.3	20.165.170.228

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2023 11:59:19.702387094 CEST	56924	53	192.168.2.3	8.8.8.8
Jun 28, 2023 11:59:19.732975960 CEST	53	56924	8.8.8.8	192.168.2.3
Jun 28, 2023 11:59:43.008497953 CEST	60625	53	192.168.2.3	8.8.8.8
Jun 28, 2023 11:59:43.029006958 CEST	53	60625	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 28, 2023 11:59:19.702387094 CEST	192.168.2.3	8.8.8.8	0xb3d4	Standard query (0)	collect.installeranalytics.com	A (IP address)	IN (0x0001)	false
Jun 28, 2023 11:59:43.008497953 CEST	192.168.2.3	8.8.8.8	0xc97e	Standard query (0)	amxx1515cabreun23.asxo	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 28, 2023 11:59:19.732975960 CEST	8.8.8.8	192.168.2.3	0xb3d4	No error (0)	collect.installeranalytics.com		54.198.235.9	A (IP address)	IN (0x0001)	false
Jun 28, 2023 11:59:19.732975960 CEST	8.8.8.8	192.168.2.3	0xb3d4	No error (0)	collect.installeranalytics.com		52.73.64.126	A (IP address)	IN (0x0001)	false
Jun 28, 2023 11:59:43.029006958 CEST	8.8.8.8	192.168.2.3	0xc97e	Name error (3)	amxx1515cabreun23.asxo	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

collect.installeranalytics.com

20.165.170.228

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49698	54.198.235.9	80	C:\Windows\SysWOW64\msiexec.exe

Timestamp	kBytes transferred	Direction	Data
Jun 28, 2023 11:59:19.880568027 CEST	1180	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 167 Cache-Control: no-cache
Jun 28, 2023 11:59:19.880738974 CEST	1180	OUT	Data Raw: 71 74 3d 34 38 35 35 31 38 37 26 74 3d 6c 69 66 65 63 79 63 6c 65 26 6c 63 3d 73 74 61 72 74 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 76 3d 37 2e 38 2e 36 2e 37 26 63 69 64 3d 37 44 Data Ascii: qt=4855187&t=lifecycle&lc=start&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.033425093 CEST	1205	IN	HTTP/1.1 200 OK Cache-control: no-cache="set-cookie" Date: Wed, 28 Jun 2023 09:59:19 GMT Set-Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7;PATH=/;MAX-AGE=600 X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.041246891 CEST	1206	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 179 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.041246891 CEST	1206	OUT	Data Raw: 71 74 3d 34 38 35 35 35 34 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 76 3d 37 2e Data Ascii: qt=4855546&t=property&lb=VersionNT&val=1000&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.190954924 CEST	1207	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:20 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.195630074 CEST	1207	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 181 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.195630074 CEST	1207	OUT	Data Raw: 71 74 3d 34 38 35 35 36 38 37 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4e 54 36 34 26 76 61 6c 3d 31 30 30 30 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 76 3d Data Ascii: qt=4855687&t=property&lb=VersionNT64&val=1000&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.344896078 CEST	1208	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:20 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.347153902 CEST	1208	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 184 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.347235918 CEST	1208	OUT	Data Raw: 71 74 3d 34 38 35 35 38 39 30 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 68 79 73 69 63 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 38 31 39 31 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 Data Ascii: qt=4855890&t=property&lb=PhysicalMemory&val=8191&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.496581078 CEST	1209	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:20 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.498967886 CEST	1209	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 180 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.499056101 CEST	1209	OUT	Data Raw: 71 74 3d 34 38 35 36 30 34 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 65 72 73 69 6f 6e 4d 73 69 26 76 61 6c 3d 35 2e 30 30 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 76 3d 37 Data Ascii: qt=4856046&t=property&lb=VersionMsi&val=5.00&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.648226976 CEST	1209	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:20 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.650125980 CEST	1210	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 174 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.650168896 CEST	1210	OUT	Data Raw: 71 74 3d 34 38 35 36 31 38 37 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 55 49 4c 65 76 65 6c 26 76 61 6c 3d 33 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 76 3d 37 2e 38 2e 36 2e 37 Data Ascii: qt=4856187&t=property&lb=UILevel&val=3&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.799293995 CEST	1210	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:20 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.801671982 CEST	1211	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 183 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.801738024 CEST	1211	OUT	Data Raw: 71 74 3d 34 38 35 36 33 34 33 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 56 69 72 74 75 61 6c 4d 65 6d 6f 72 79 26 76 61 6c 3d 36 38 37 36 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 Data Ascii: qt=4856343&t=property&lb=VirtualMemory&val=6876&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:20.951879978 CEST	1211	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:20 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:20.965895891 CEST	1212	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 183 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:20.965943098 CEST	1212	OUT	Data Raw: 71 74 3d 34 38 35 36 35 30 30 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 4d 73 69 4e 54 50 72 6f 64 75 63 74 54 79 70 65 26 76 61 6c 3d 31 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 Data Ascii: qt=4856500&t=property&lb=MsiNTProductType&val=1&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:21.115596056 CEST	1212	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:21.117192984 CEST	1213	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 183 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:21.117192984 CEST	1213	OUT	Data Raw: 71 74 3d 34 38 35 36 36 34 30 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 53 65 72 76 69 63 65 50 61 63 6b 4c 65 76 65 6c 26 76 61 6c 3d 30 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 26 61 Data Ascii: qt=4856640&t=property&lb=ServicePackLevel&val=0&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:21.266661882 CEST	1213	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:21.270152092 CEST	1214	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 185 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:21.270153046 CEST	1214	OUT	Data Raw: 71 74 3d 34 38 35 36 37 39 36 26 74 3d 70 72 6f 70 65 72 74 79 26 6c 62 3d 50 72 6f 64 75 63 74 4c 61 6e 67 75 61 67 65 26 76 61 6c 3d 31 30 34 36 26 76 3d 33 26 61 69 64 3d 36 34 39 61 62 63 31 38 30 65 36 63 65 39 34 30 31 64 36 65 38 31 63 66 Data Ascii: qt=4856796&t=property&lb=ProductLanguage&val=1046&v=3&aid=649abc180e6ce9401d6e81cf&av=7.8.6.7&cid=7D2E30BECC9DF42122B47B83C0F9D9F226A6C78B&sid=%7BFA015603-7D74-4142-8F3D-91E0218EBBFB%7D
Jun 28, 2023 11:59:21.419419050 CEST	1214	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:21.420922995 CEST	1215	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 197 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:21.570180893 CEST	1215	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:21.572173119 CEST	1216	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 192 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:21.721196890 CEST	1216	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:21.724052906 CEST	1217	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 195 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:21.873471022 CEST	1217	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:21.876401901 CEST	1218	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 201 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.034540892 CEST	1218	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:21 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.037369967 CEST	1219	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 192 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.186919928 CEST	1219	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:22 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.188186884 CEST	1220	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 194 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.337660074 CEST	1220	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:22 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.340310097 CEST	1221	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 210 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.532136917 CEST	1221	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:22 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.533828020 CEST	1222	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 211 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.683301926 CEST	1222	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:22 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.685344934 CEST	1222	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 193 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.838324070 CEST	1223	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:22 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.841305017 CEST	1223	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 207 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:22.990664005 CEST	1224	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:22 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:22.992186069 CEST	1224	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 199 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:23.243037939 CEST	1225	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:23 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:23.244498968 CEST	1225	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 201 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:23.393836975 CEST	1226	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:23 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:23.396625042 CEST	1226	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 201 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:23.545558929 CEST	1227	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:23 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:23.547868967 CEST	1227	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 203 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:23.704056025 CEST	1228	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:23 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:23.705996990 CEST	1228	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 202 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:23.854576111 CEST	1229	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:23 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:23.855837107 CEST	1229	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 204 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.004755974 CEST	1230	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:23 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.006185055 CEST	1230	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 204 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.199446917 CEST	1231	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:24 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.200870037 CEST	1231	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 207 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.350294113 CEST	1232	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:24 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.351911068 CEST	1232	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 206 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.500977039 CEST	1233	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:24 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.502922058 CEST	1233	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 201 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.652072906 CEST	1234	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:24 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.653465033 CEST	1234	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 208 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.803061008 CEST	1235	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:24 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.804680109 CEST	1235	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 212 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:24.953893900 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:24 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:24.957423925 CEST	1236	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 191 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:25.707835913 CEST	1237	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:25 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:25.711179018 CEST	1237	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 183 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:25.869736910 CEST	1238	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:25 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:25.872939110 CEST	1238	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 176 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.041735888 CEST	1238	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:25 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:26.044327974 CEST	1239	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 184 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.193871021 CEST	1239	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:26 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:26.196824074 CEST	1240	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 184 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.346458912 CEST	1240	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:26 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:26.349838972 CEST	1241	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 172 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.499509096 CEST	1241	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:26 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:26.502446890 CEST	1242	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 179 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.652754068 CEST	1242	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:26 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:26.655591965 CEST	1243	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 219 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.805027962 CEST	1243	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:26 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive
Jun 28, 2023 11:59:26.808026075 CEST	1244	OUT	POST / HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.17134 ; x64) Host: collect.installeranalytics.com Content-Length: 181 Cache-Control: no-cache Cookie: AWSELB=D7177B5704D1BF661882EF94F6A835B9FB0EACE97C49CE22FDEE1CA1001AFF5F71AA12E5F06B26C30D4C68D2091FE6ED40F621B6434D87C1489153A94C392995E08A8228A7
Jun 28, 2023 11:59:26.968133926 CEST	1244	IN	HTTP/1.1 200 OK Date: Wed, 28 Jun 2023 09:59:26 GMT X-Powered-By: Express Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49699	20.165.170.228	80	C:\Users\Public\Documents\identity_helper.exe

Timestamp	kBytes transferred	Direction	Data
Jun 28, 2023 11:59:42.550473928 CEST	1245	OUT	GET /MARA01/index.php?VS=MARA01&PL=NAO HTTP/1.1 User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" Host: 20.165.170.228 Connection: Keep-Alive
Jun 28, 2023 11:59:42.961000919 CEST	1245	IN	HTTP/1.1 302 Found Date: Wed, 28 Jun 2023 09:59:42 GMT Server: Apache/2.4.29 (Ubuntu) Location: https://amxx1515cabreun23.asxo/ Content-Length: 6 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 5a 75 72 69 63 68 Data Ascii: Zurich

Target ID:	0
Start time:	11:59:02
Start date:	28/06/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fatrr_UewhcWF.msi"
Imagebase:	0x7ff7d8f70000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	11:59:02
Start date:	28/06/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d8f70000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	11:59:03
Start date:	28/06/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C78C18F24792FB2CF3D3274F6B2C7332
Imagebase:	0xa70000
File size:	59'904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	11:59:19
Start date:	28/06/2023
Path:	C:\Users\Public\Documents\identity_helper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\identity_helper.exe"
Imagebase:	0xfe0000
File size:	1'103'264 bytes
MD5 hash:	216FBFDD15F983EE770F1A135EDA572C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	11:59:27
Start date:	28/06/2023
Path:	C:\Users\Public\Documents\identity_helper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Documents\identity_helper.exe"
Imagebase:	0xfe0000
File size:	1'103'264 bytes
MD5 hash:	216FBFDD15F983EE770F1A135EDA572C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	621
Total number of Limit Nodes:	39

Executed Functions

Function 0105CB10 Relevance: 43.6, APIs: 23, Strings: 1, Instructions: 1599COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105CBBB
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105CBF3
ReleaseSRWLockExclusive.KERNEL32(?,?,?), ref: 0105D1A6
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D2D6
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D39A
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D42B
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D4F7
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105D6AA
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105D70A
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105D762
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105D7C2
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D888
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D91C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105DC21

Part of subcall function 0105C5A0: TryAcquireSRWLockExclusive.KERNEL32(010F3EE0,00000000,FBE85001,0000000A,0CFC9968,0105F533,010814B2), ref: 0105C5BC
Part of subcall function 0105C5A0: AcquireSRWLockExclusive.KERNEL32(010F3EE0), ref: 0105C5ED

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105D9DD
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105DA71
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105DBCE
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105DC74
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105DCC7

Part of subcall function 0105BFC0: TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105C00C
Part of subcall function 0105BFC0: ReleaseSRWLockExclusive.KERNEL32(?,?,00000021,?,00004000,000000FF), ref: 0105C161

Strings

first, xrefs: 0105D61B, 0105D64A, 0105D7E7, 0105DED0, 0105DEFF, 0105DF2D, 0105E128

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: first
API String ID: 1678258262-2456940119
Opcode ID: ddda818c63c767154a207f1b9a9c67a7b0d7f3936650b64147223b2ba3cf047b
Instruction ID: 6aad283e3bd8217148e8b7fd18a6f1f800006c9f3ab09c58262809d619ac6749
Opcode Fuzzy Hash: ddda818c63c767154a207f1b9a9c67a7b0d7f3936650b64147223b2ba3cf047b
Instruction Fuzzy Hash: 0DE2E0716043029FD799CF28C884BAABBE2FF84314F19856DEDC98B291D735E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01069290 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 389
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 01069446
ReleaseSRWLockExclusive.KERNEL32(?), ref: 01069645

Part of subcall function 0105C5A0: TryAcquireSRWLockExclusive.KERNEL32(010F3EE0,00000000,FBE85001,0000000A,0CFC9968,0105F533,010814B2), ref: 0105C5BC
Part of subcall function 0105C5A0: AcquireSRWLockExclusive.KERNEL32(010F3EE0), ref: 0105C5ED

ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 010697E8

Strings

first, xrefs: 010695E5, 010697B7

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: first
API String ID: 1678258262-2456940119
Opcode ID: 9b7b97fea8ca01abc45a549e3538799937b25a959ce24a0a06d7ed059667562d
Instruction ID: 5ace3e9b00b225ed76ef2b9d423c711b81a5a1ffc4e9b1a10c9063971dbceb5f
Opcode Fuzzy Hash: 9b7b97fea8ca01abc45a549e3538799937b25a959ce24a0a06d7ed059667562d
Instruction Fuzzy Hash: 86F11472A043118FD718CF28C484B6ABBE5BF88318F0985ADE9C99B785D735ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01068830 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 366
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 010689C3
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,00000000), ref: 01068BAB

Part of subcall function 0105C5A0: TryAcquireSRWLockExclusive.KERNEL32(010F3EE0,00000000,FBE85001,0000000A,0CFC9968,0105F533,010814B2), ref: 0105C5BC
Part of subcall function 0105C5A0: AcquireSRWLockExclusive.KERNEL32(010F3EE0), ref: 0105C5ED

ReleaseSRWLockExclusive.KERNEL32(?), ref: 01068D3E

Strings

first, xrefs: 01068B4B, 01068CE8, 01068D15

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: first
API String ID: 1678258262-2456940119
Opcode ID: 053d9be5068bd73515b9768b3ffd34f28a7d271c20b8d938927c8efdb165b651
Instruction ID: 565fd74d6ca443fe788e6293c2e924fea891d32642b79ae247a7fb6cb5824c44
Opcode Fuzzy Hash: 053d9be5068bd73515b9768b3ffd34f28a7d271c20b8d938927c8efdb165b651
Instruction Fuzzy Hash: 59E100726043018FD758CF28C88476ABBE6BF84314F19C56EE9C99B385D775E941CB82

Uniqueness

Uniqueness Score: -1.00%

Function 01073E90 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 574
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseSRWLockExclusive.KERNEL32(?), ref: 0107451B
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0107464C

Strings

spansize, xrefs: 01074328
first, xrefs: 0107427F
slotsize, xrefs: 010742FF

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID: first$slotsize$spansize
API String ID: 1766480654-3908016032
Opcode ID: 071775116ea53779ac78338b4eaa53fa16c2465b14e2f6eb0f8e4cc387e17838
Instruction ID: a8c93bbc7ad76dec8edaa537441a849b2d47be87519c98f7a6b6e8af9eb7e77f
Opcode Fuzzy Hash: 071775116ea53779ac78338b4eaa53fa16c2465b14e2f6eb0f8e4cc387e17838
Instruction Fuzzy Hash: 40329F71A043019FD718CF28C881B9AB7E2BF88314F19C56DE999CB396D774E841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0106A330 Relevance: 6.6, APIs: 4, Instructions: 560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0106A6A0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0106A715
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0106A795
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0106A808

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 9b127f1cbc1da464f0bf1872b8d0af0523e2241f204836433bee1eb2f2ef6ce2
Instruction ID: 4bf3fda8dc0c048b31cbe92862caee4127d12e5cdb1841031ff590e96d30d4dc
Opcode Fuzzy Hash: 9b127f1cbc1da464f0bf1872b8d0af0523e2241f204836433bee1eb2f2ef6ce2
Instruction Fuzzy Hash: 00321371B00202CFDB64DF68C8857BABBF9BF45314F1981A8E985AB246D739DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01075A70 Relevance: 37.7, APIs: 30, Instructions: 171
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,00000002,?,00000002,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694), ref: 01075A8B
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075AB8
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075AD6
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075AE4
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075AF2
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B10
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075B1E
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B2C
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B4A
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075B58
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B66
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B84
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075B92
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BA0
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BBE
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075BCC
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BDA
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BF8
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075C06
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075C14
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075C32
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075C40
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075C4E
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075C68
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075C76
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075C80
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075C9A
VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075CA8
GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075CB2
Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075CCC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AllocErrorLastSleepVirtual
String ID:
API String ID: 2288223010-0
Opcode ID: e02f6c99086d6d8df878b8d007757f8dd14a7a902b79f8107243dce75f8cf2a0
Instruction ID: cede2448f7ac18596add0e558754120a84a5cc5b56da85624680952c826a2ff5
Opcode Fuzzy Hash: e02f6c99086d6d8df878b8d007757f8dd14a7a902b79f8107243dce75f8cf2a0
Instruction Fuzzy Hash: C6517F30B0224AAFDF321F64CD4DBAA3E79EF42751F2541A8FAC9C9050DB768940CB56

Uniqueness

Uniqueness Score: -1.00%

Function 01076160 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(00000000,00000002,00004000,?,?,0105E694,3FE08300,00000002,00000002,00000000,?,?,?,3FE08300,3FE08340,?), ref: 010761B7

Strings

..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 0107657C
%s:%d: assertion %s failed: %s, xrefs: 01076594
..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 0107658F
null pointer given to construct_at, xrefs: 01076583
back() called on an empty vector, xrefs: 0107656D
!empty(), xrefs: 01076572
__location != nullptr, xrefs: 01076588

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FreeVirtual
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$..\..\buildtools\third_party\libc++\trunk\include\vector$__location != nullptr$back() called on an empty vector$null pointer given to construct_at
API String ID: 1263568516-751371438
Opcode ID: 43bf2dcea16b6806b7ed5111ccd866933d7e2b9c54ae0a3aad5da156ce84899a
Instruction ID: 3e42e51d5eec6700293773bc833cb0826b54f5185d53bf2cfd13851d886041e6
Opcode Fuzzy Hash: 43bf2dcea16b6806b7ed5111ccd866933d7e2b9c54ae0a3aad5da156ce84899a
Instruction Fuzzy Hash: D061F0B1E087029FE7109F28C8819AEB7E5FB88710F444A2DF5C797640EB75E900CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 01075CE0 Relevance: 10.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(-00000100,00000000,00008000,?,010758FE,?,?,?,01074CD2,00000002,00000000,-00000100,?,00000000,-00000100,00000000), ref: 01075CED

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 535162facc06004760f05a832abd8d3ff623e2c7331e36928b481123a7f98aa8
Instruction ID: 5449c321245b233a03864d997cbf4a3d55f3834b26e29d062ec6d48a759b128c
Opcode Fuzzy Hash: 535162facc06004760f05a832abd8d3ff623e2c7331e36928b481123a7f98aa8
Instruction Fuzzy Hash: EA510371E00205ABFB246A68DC49BFF3699EB40340F184439FB8AD7285EA7ADC4147D9

Uniqueness

Uniqueness Score: -1.00%

Function 01075FD0 Relevance: 9.2, APIs: 6, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,01075DDC,?,00000000,00000000,?,-00000100,?,00000000), ref: 0107603D
TryAcquireSRWLockExclusive.KERNEL32(010F2E8C,?,?,?,?,?,01075DDC,?,00000000,00000000,?,-00000100,?,00000000), ref: 01076061
VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,01075DDC,?,00000000,00000000,?,-00000100,?,00000000), ref: 0107608C
ReleaseSRWLockExclusive.KERNEL32(010F2E8C,?,?,?,?,?,01075DDC,?,00000000,00000000,?,-00000100,?,00000000), ref: 010760BA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,01075DDC,?,00000000,00000000,?,-00000100), ref: 0107610C
VirtualFree.KERNEL32(00000000,00000002,00004000,?,?,0105E694,3FE08300,00000002,00000002,00000000,?,?,?,3FE08300,3FE08340,?), ref: 010761B7

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorExclusiveFreeLastLockVirtual$AcquireRelease
String ID:
API String ID: 1130761037-0
Opcode ID: 522fa9175929e47cdf7fb47743f950b52a2b33582c21d24d0779023ea2c018f8
Instruction ID: 6cc8c990b31a0e1cd3fbe17f07359cf4190eccabe4e31bc2f2121a41e0a6e345
Opcode Fuzzy Hash: 522fa9175929e47cdf7fb47743f950b52a2b33582c21d24d0779023ea2c018f8
Instruction Fuzzy Hash: 6C71AF71E087029BE7118F68D885BAB77F8FB84340F14496DF6C797640EB76E8008B99

Uniqueness

Uniqueness Score: -1.00%

Function 01075DA0 Relevance: 7.8, APIs: 6, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,?,-00000100,?,00000000), ref: 01075DFA
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00000000,00000000,?,-00000100,?,00000000), ref: 01075E5B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 01075F74
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01075F06

Part of subcall function 01075A70: VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,00000002,?,00000002,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694), ref: 01075A8B
Part of subcall function 01075A70: GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075AB8
Part of subcall function 01075A70: Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075AD6
Part of subcall function 01075A70: VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075AE4
Part of subcall function 01075A70: GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075AF2
Part of subcall function 01075A70: Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B10
Part of subcall function 01075A70: VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075B1E
Part of subcall function 01075A70: GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B2C
Part of subcall function 01075A70: Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B4A
Part of subcall function 01075A70: VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075B58
Part of subcall function 01075A70: GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B66
Part of subcall function 01075A70: Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075B84
Part of subcall function 01075A70: VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075B92
Part of subcall function 01075A70: GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BA0
Part of subcall function 01075A70: Sleep.KERNEL32(00000032,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BBE
Part of subcall function 01075A70: VirtualAlloc.KERNEL32(00000000,00000002,00000002,3FE08300,?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002), ref: 01075BCC
Part of subcall function 01075A70: GetLastError.KERNEL32(?,010761A5,00000000,00000002,00001000,00000001,?,?,0105E694,3FE08300,00000002,00000002,00000000,?), ref: 01075BDA

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Virtual$ErrorLast$Alloc$Sleep$Free
String ID:
API String ID: 2167363077-0
Opcode ID: 257b8ff49d228f9338670853913e9d3ec9299e70a1a6de73766d4a2186df6f75
Instruction ID: dc587e1d22e0bbae3bba10aebd5a04bb3db4bc591d0a4c342949b510c02fd48f
Opcode Fuzzy Hash: 257b8ff49d228f9338670853913e9d3ec9299e70a1a6de73766d4a2186df6f75
Instruction Fuzzy Hash: 8971F772F002069BFB109E68DC85BEF37A9EB84344F184479FE89D7244EA76DC118799

Uniqueness

Uniqueness Score: -1.00%

Function 0105C730 Relevance: 4.6, APIs: 3, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 0105C741
ReleaseSRWLockExclusive.KERNEL32 ref: 0105C75A
ReleaseSRWLockExclusive.KERNEL32 ref: 0105C904

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: c442fabdb58280e181c0530568ea10a8308205813c28e0a7bc9e346ba5674c3d
Instruction ID: e519e18465680dff3dda73057e65afba6706a384c7c9cf54eb76c23130f78541
Opcode Fuzzy Hash: c442fabdb58280e181c0530568ea10a8308205813c28e0a7bc9e346ba5674c3d
Instruction Fuzzy Hash: 6851C4708087869AFB52AB38C9443EAFFE4BF51318F498699DCD44A242D775A1D8C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 0108FED8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\Public\Documents\identity_helper.exe, xrefs: 0108FF70, 0108FF77, 0108FF94, 0108FFA9, 0108FFE1

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID: C:\Users\Public\Documents\identity_helper.exe
API String ID: 0-3719357055
Opcode ID: 600bcf494e92a4b6f02e37127716c0266c4fe16c02ff1dd0de31f764923c5f00
Instruction ID: c77054189e4fc0e4b9e3966982270a729d5e3bac282844d23bfb6f2c1e419a20
Opcode Fuzzy Hash: 600bcf494e92a4b6f02e37127716c0266c4fe16c02ff1dd0de31f764923c5f00
Instruction Fuzzy Hash: 8641C372A04219EFDB31AFA9D88499FBBEDEF85660F1100AAF5C5D7205D6718900DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0106AB40 Relevance: 3.3, APIs: 2, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0106ACCD
ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 0106AD40

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 9911e061f845cc41efdf0a5e9f498fd51e0abda407571eed800d7d817fb4a3f5
Instruction ID: 3d85c5aa96b26df57ca1cd477c3602979734376b5703794716f6c2fbcb55619a
Opcode Fuzzy Hash: 9911e061f845cc41efdf0a5e9f498fd51e0abda407571eed800d7d817fb4a3f5
Instruction Fuzzy Hash: E4A14532700206CFD755DF28C8807A5FBE9FF41324F0886A8E9899F656D775E851CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0109AA5B Relevance: 2.6, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00000000,00000001,01090B71,01097BB4,010DF0E0,00000028,01092A4C,00000016,0109A9C4,?,?), ref: 0109AA5F
SetLastError.KERNEL32(00000000,?,00000008,000000FF,?,?), ref: 0109AB01

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7622f9c58277673f919566dc6812ea24dbb779fcb1cf8dc8584b85b69b59ad16
Instruction ID: 13b7d4cb26829ef8335d8c95d0d72bda9b79d145c83ac3e20c43e71522515b2d
Opcode Fuzzy Hash: 7622f9c58277673f919566dc6812ea24dbb779fcb1cf8dc8584b85b69b59ad16
Instruction Fuzzy Hash: 00114CF1304212EFEF6176B5BDE4EAB3AD89B40578F100134F5C1970A5DF5D48006220

Uniqueness

Uniqueness Score: -1.00%

Function 01076120 Relevance: 2.5, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,00000001,00004000,?,0100C1DF,00000001,?,00000001,?,?,?,?), ref: 0107612E
GetLastError.KERNEL32(?,0100C1DF,00000001,?,00000001,?,?,?,?), ref: 01076138

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID:
API String ID: 499627090-0
Opcode ID: 0820cd158c85b89e5585a9563da43a5be50fe7ca92c2899f47b47e843654c0be
Instruction ID: 6bbec0a19fcc53aa8380f4939758688759d7534b3c7155a4ef2b7b008b9194db
Opcode Fuzzy Hash: 0820cd158c85b89e5585a9563da43a5be50fe7ca92c2899f47b47e843654c0be
Instruction Fuzzy Hash: 43D0C93164020C6BAB211E65BC09B153F9DAB01B55B0844A4FB498A412EB7390919748

Uniqueness

Uniqueness Score: -1.00%

Function 01024820 Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_header.LIBCMT ref: 01024BB0

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID:
API String ID: 3738618077-0
Opcode ID: 9053591e887eee7e57cb4da5ae1e614434e4ddb2eabb6684955dd70189305469
Instruction ID: 3e714b9b3f7d9d3c47ef7954c2798e28b9d13aaa9077898aeac1a6418f0d19d2
Opcode Fuzzy Hash: 9053591e887eee7e57cb4da5ae1e614434e4ddb2eabb6684955dd70189305469
Instruction Fuzzy Hash: CF8149B0A042198FD724AF9BE85CB5A7BF1FB54B04F014209E4E5DF395DB7A98188F81

Uniqueness

Uniqueness Score: -1.00%

Function 0109E68B Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0109E6CF

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ___free_lconv_mon
String ID:
API String ID: 3903695350-0
Opcode ID: 64f37b87885ef83afc357c5affb43ff5f4d87a1eae1dcb138633d2853619fe2b
Instruction ID: aff2e9290578b4eabab0e736556c23202021892453149918cb9d4049792682cc
Opcode Fuzzy Hash: 64f37b87885ef83afc357c5affb43ff5f4d87a1eae1dcb138633d2853619fe2b
Instruction Fuzzy Hash: 02319F71600306DFFFA1EA78D884B9AB7E9BF00251F144469E1DAD7190DF34EC809B69

Uniqueness

Uniqueness Score: -1.00%

Function 01028340 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 010283BB

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID:
API String ID: 3738618077-0
Opcode ID: 1fea2600dd122d2c8cc5378ce6b612213f81e996c735caae2395ffc9d1b1b01d
Instruction ID: 6c044ef60be1d8596958996e0637599523a5f6a682397df2f1fbbd3070d64923
Opcode Fuzzy Hash: 1fea2600dd122d2c8cc5378ce6b612213f81e996c735caae2395ffc9d1b1b01d
Instruction Fuzzy Hash: 532198B4904300CFC718EF09E949A99BBF0FB49724F0581AEF9998F351E3369814CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01024760 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 010247C3

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID:
API String ID: 3738618077-0
Opcode ID: 9cddbe0a5ab05ef884c2f090452f80b61cb2687c8b7a25f8f04a13941bce3e04
Instruction ID: 59decad429719a6a6dc716c7d331350b17c2012a0e3e4561fe12f52ae542a8c8
Opcode Fuzzy Hash: 9cddbe0a5ab05ef884c2f090452f80b61cb2687c8b7a25f8f04a13941bce3e04
Instruction Fuzzy Hash: 3411C0B19006A0CFC720EF59E849B9AB7F0FB46B20F054279D596DB380D3356800CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 01037200 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 01037265

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID:
API String ID: 3738618077-0
Opcode ID: a9f021799ea2d34f8a1cfdef475ae3ef75c22bcc036d059ec6988f25bd0b37ee
Instruction ID: b08ffeaad4a1bdf51c907cfb7642f4792c6fde9daa350d24d33a8bf389a5590b
Opcode Fuzzy Hash: a9f021799ea2d34f8a1cfdef475ae3ef75c22bcc036d059ec6988f25bd0b37ee
Instruction Fuzzy Hash: 8D118EB8504640CFD320EF5AE949A59BBF4FB48B28F00866AF5954B340C3366404CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01036EB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 01036F15

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID:
API String ID: 3738618077-0
Opcode ID: c7ac9b212fb73fda7ebacde389d026543f4be623597293be335082e902940cfc
Instruction ID: 455b1f72cce225d7bccb09f133eb6e86d2fc08b968f0ad8c80542b70ad3c0335
Opcode Fuzzy Hash: c7ac9b212fb73fda7ebacde389d026543f4be623597293be335082e902940cfc
Instruction Fuzzy Hash: 9E11AC78540640CFD320EF0AE849B99BBE4FB88B28F404A6AF5C50B780C3362514CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0100CEC4 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

GetInstallDetailsPayload.MSEDGE_ELF(?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\string,00000387,__s != nullptr,basic_string(const char*) detected nullptr,?,00000000,0100CC06,?,0105F0CB,extended,?), ref: 0100CEC7

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: DetailsInstallPayload
String ID:
API String ID: 3030567736-0
Opcode ID: 6ec441e05d17875c870612afcfc8379d0070038f3e0b1a8cb2b6a4418320408a
Instruction ID: d629b0be44656a371a3de9696c65c9274ada8528b5b7110361c350d79022ea50
Opcode Fuzzy Hash: 6ec441e05d17875c870612afcfc8379d0070038f3e0b1a8cb2b6a4418320408a
Instruction Fuzzy Hash: 6EB012F280060907869037E07C0E447320C04210207850060AD4D45104EC5EF090439A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01069810 Relevance: 21.8, APIs: 10, Strings: 2, Instructions: 783COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 01069BA7
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 01069FCE
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0106A2C8
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,?), ref: 0106A301

Strings

first, xrefs: 01069F3C, 01069F69, 0106A106, 0106A26D, 0106A29A
A, xrefs: 01069A91

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: A$first
API String ID: 1021914862-3078553561
Opcode ID: e0ad8233f84d1865d8742ee5598d195f1ca9dda9bc01e28e486dbe881b40b112
Instruction ID: 04caa7ef436ef78fad6f0fb21d22d4fadf2eda2d4da7aee718108f4726fae959
Opcode Fuzzy Hash: e0ad8233f84d1865d8742ee5598d195f1ca9dda9bc01e28e486dbe881b40b112
Instruction Fuzzy Hash: B8621272604302CFD718DF28C88076ABBE6FF88318F09866DE9C59B685D775E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0100E6AB Relevance: 21.7, Strings: 17, Instructions: 406COMMON

Download Yara Rule

Strings

3333, xrefs: 0100E865
UUUU, xrefs: 0100E812
UUUU, xrefs: 0100E6BD
3333, xrefs: 0100E8BD
3333, xrefs: 0100E832
UUUU, xrefs: 0100E74D
UUUU, xrefs: 0100E7FF
UUUU, xrefs: 0100E708
3333, xrefs: 0100E96C
3333, xrefs: 0100E911
UUUU, xrefs: 0100E7AC
3333, xrefs: 0100E957
UUUU, xrefs: 0100E767
UUUU, xrefs: 0100E7C6
3333, xrefs: 0100E894
3333, xrefs: 0100E8E8
UUUU, xrefs: 0100E6EE

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID: 3333$3333$3333$3333$3333$3333$3333$3333$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU$UUUU
API String ID: 0-3925639157
Opcode ID: 5886f80acb38bb4a72f48d7ef223183355da908bd1e2f2f65a90cc3244282943
Instruction ID: a01a762cf72bf99a0c188d367c3e6cfc0970bad371fc4b630614da49b81e3eec
Opcode Fuzzy Hash: 5886f80acb38bb4a72f48d7ef223183355da908bd1e2f2f65a90cc3244282943
Instruction Fuzzy Hash: 0CE120B7F209258BCB54CF5DC88168DB7F2AB9C32072D816AD919F7305D674ED068B80

Uniqueness

Uniqueness Score: -1.00%

Function 01054420 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 278timeCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0105443E
_strlen.LIBCMT ref: 010544A4
GetLocalTime.KERNEL32(0000005B,?,?,?,?,?,?,?,?,01045FF1), ref: 01054536
GetTickCount.KERNEL32 ref: 01054660
_strlen.LIBCMT ref: 01054699

Strings

VERBOSE, xrefs: 010546B3
:, xrefs: 01054670
:, xrefs: 01054641
)] , xrefs: 01054709
UNKNOWN, xrefs: 01054687, 01054698, 010546A2

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen$CountLocalTickTime
String ID: )] $:$:$UNKNOWN$VERBOSE
API String ID: 3535325690-776901039
Opcode ID: 92209fda0a0041ef82fc4ed203f0fef36e870b173ea5f6cf7646e5eb8896b73e
Instruction ID: 0a5083de052b8025a05b5ab7312325191ddbf726c59268ce80c246b9472d812d
Opcode Fuzzy Hash: 92209fda0a0041ef82fc4ed203f0fef36e870b173ea5f6cf7646e5eb8896b73e
Instruction Fuzzy Hash: 7B9116B4E00305AFEB11EBA0CC44FEF7BB9AF56708F044458E8856B3C1EA755945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0100E03C Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 534COMMON

Download Yara Rule

APIs

OQS_CPU_has_extension.IDENTITY_HELPER(00000002), ref: 0100E00E

Strings

DDDD, xrefs: 0100E26F
DDDD, xrefs: 0100E21E
"""", xrefs: 0100E1F1
DDDD, xrefs: 0100E282
DDDD, xrefs: 0100E206
"""", xrefs: 0100E25A
UUUU, xrefs: 0101DEF4

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: U_has_extension
String ID: """"$""""$DDDD$DDDD$DDDD$DDDD$UUUU
API String ID: 2855587727-881520860
Opcode ID: 73a17f70ee3613b9c9635ee9e1dff68991dba0e8e9c2c8efa304526f8b6c0332
Instruction ID: 919b6e6d0ec80690afcddb66e61be87863838a78840f4f02e2fd8d627e19f733
Opcode Fuzzy Hash: 73a17f70ee3613b9c9635ee9e1dff68991dba0e8e9c2c8efa304526f8b6c0332
Instruction Fuzzy Hash: 10024673A083508FE715CF68C84119AFBE1FBD5314F0985ADE8D897282E6359906CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01064040 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 249COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000001,FFFFFFFF,00000000), ref: 0106417C

Part of subcall function 01092A3C: IsProcessorFeaturePresent.KERNEL32(00000017,0109A9C4,?,?), ref: 01092A58

Strings

msedge.exe, xrefs: 01064043
PinSystemLibrary, xrefs: 010640D4
..\..\base\native_library_win.cc, xrefs: 010640CF
GetFileAttributesExFromAppW, xrefs: 01064045

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FeatureHandleModulePresentProcessor
String ID: ..\..\base\native_library_win.cc$GetFileAttributesExFromAppW$PinSystemLibrary$msedge.exe
API String ID: 1274991676-3668766867
Opcode ID: 876035f3a2a426d9d9adaeae173c2b5655bd48d08602a5e06e91fecb6889e642
Instruction ID: 5041a5af0c9f7f88c1093c73eb3bdbd6b2e833798bf54c47583ac80ae92e52b8
Opcode Fuzzy Hash: 876035f3a2a426d9d9adaeae173c2b5655bd48d08602a5e06e91fecb6889e642
Instruction Fuzzy Hash: 8991C470A083829BE710CF28D88476FBBD9ABD5714F144A6CF5D5CB281DB74D948C792

Uniqueness

Uniqueness Score: -1.00%

Function 01067090 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 227fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0106714F
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,01049C1A,00000000), ref: 01067160
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01049C1A,00000000), ref: 01067199
MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 01067297

Strings

MapFileRegionToMemory, xrefs: 010670DA
..\..\base\files\memory_mapped_file_win.cc, xrefs: 010670D5

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorFileLast$CreateMappingView
String ID: ..\..\base\files\memory_mapped_file_win.cc$MapFileRegionToMemory
API String ID: 2231327692-2123313340
Opcode ID: 50e9e77c938dc588830077b3b8ba866487c02bad4f89ecbfe5924f8519af419a
Instruction ID: 5215710da195190356c9b8f060272653a601fe4a839523f356330996792a4ac2
Opcode Fuzzy Hash: 50e9e77c938dc588830077b3b8ba866487c02bad4f89ecbfe5924f8519af419a
Instruction Fuzzy Hash: A57118716003029BD7149F68C891B6FB7EAEBD4314F148A2DEAD68B380EB75D805C782

Uniqueness

Uniqueness Score: -1.00%

Function 010523C0 Relevance: 10.2, Strings: 8, Instructions: 212COMMON

Download Yara Rule

Strings

max, xrefs: 0105247C
min, xrefs: 01052445
..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 010524C1
%s:%d: assertion %s failed: %s, xrefs: 010524C6
type, xrefs: 010523FD
vector[] index out of bounds, xrefs: 010524B2
__n < size(), xrefs: 010524B7
bucket_count, xrefs: 01052492

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$__n < size()$bucket_count$max$min$type$vector[] index out of bounds
API String ID: 0-596577333
Opcode ID: 52f0c1813f19acdd2ddd200741a0eb931675c910b1bd7dd0de1050c94c6cb17a
Instruction ID: dd5e11bc82e33bf631fc84dbfe6055cb5881c1d2abdb866913a8a0eb433a9fe1
Opcode Fuzzy Hash: 52f0c1813f19acdd2ddd200741a0eb931675c910b1bd7dd0de1050c94c6cb17a
Instruction Fuzzy Hash: F371AFB0E0020A9BCF14DF68D890AAFB7B5EF84714F044129ED96AB385DB71ED158BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0107A1C0 Relevance: 9.4, APIs: 6, Instructions: 392COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 0107A31C
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 0107A3D9
TryAcquireSRWLockExclusive.KERNEL32(00000000,?), ref: 0107A40C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0107A4A4

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 17de3c6c69107562f21f340faae861103118ad807a92f3cb00e5fc3d010f9289
Instruction ID: bfb848012738d4ecfdd5f2d8283a14a4bd380e0a17d54097040f01c0ae9d36c8
Opcode Fuzzy Hash: 17de3c6c69107562f21f340faae861103118ad807a92f3cb00e5fc3d010f9289
Instruction Fuzzy Hash: 6BD10F71F00356DBCB14DF28D880AAEBBE4BF94210F084A29EAC18B641DB75E905CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 010662C0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0107942D

Strings

ntel, xrefs: 010792CF
OPENSSL_ia32cap, xrefs: 0107940B
Genu, xrefs: 010792BF
ineI, xrefs: 010792C7

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: Genu$OPENSSL_ia32cap$ineI$ntel
API String ID: 601868998-3767422159
Opcode ID: e69b99a42c9d7dcd8c4ae4e557bd07e2929540c4ebc2faa67110592b060b230b
Instruction ID: bcbea59fa275089cc2b48583764d339e11803b56f323072b74d2da158f01aa22
Opcode Fuzzy Hash: e69b99a42c9d7dcd8c4ae4e557bd07e2929540c4ebc2faa67110592b060b230b
Instruction Fuzzy Hash: B5412AB2F0420507EF6C857CE8963BE75C6AB9133CF18927EEA97D22C5DD3599408289

Uniqueness

Uniqueness Score: -1.00%

Function 0109F9B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000006,2000000B,0109F36D,00000002,00000000,?,?,?,0109F36D,?,00000000), ref: 0109FA50
GetLocaleInfoW.KERNEL32(00000006,20001004,0109F36D,00000002,00000000,?,?,?,0109F36D,?,00000000), ref: 0109FA79
GetACP.KERNEL32(?,?,0109F36D,?,00000000), ref: 0109FA8E

Strings

ACP, xrefs: 0109F9D5
OCP, xrefs: 0109FA0B

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bc539f8336e623a3db9b142f090c33f8651ca11c8ac3f3d655454448781339bf
Instruction ID: 3f2a23105b6982be00123b18a43817841540f902c78f7f3f67ac55a543362001
Opcode Fuzzy Hash: bc539f8336e623a3db9b142f090c33f8651ca11c8ac3f3d655454448781339bf
Instruction Fuzzy Hash: 7921C7B2600103AAEF758B18C820A9B7BE6AF44E54B5A80A4E9CAD7115EB36DD41E350

Uniqueness

Uniqueness Score: -1.00%

Function 010653C0 Relevance: 7.7, APIs: 5, Instructions: 204threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 010653F0
CloseHandle.KERNEL32(?), ref: 01065405
GetCurrentThreadId.KERNEL32 ref: 01065455
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 010654C3

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CloseHandle$AcquireCurrentExclusiveLockThread
String ID:
API String ID: 436005173-0
Opcode ID: 29ca9caf9696fe85918788f0c2e5e829ad24f1f8a7e985984e0ca91d65fe07da
Instruction ID: ee9d6fa3510d1b64c8418f4f8e3269957bfe98440cf65117dcd910a7110d8cac
Opcode Fuzzy Hash: 29ca9caf9696fe85918788f0c2e5e829ad24f1f8a7e985984e0ca91d65fe07da
Instruction Fuzzy Hash: B661F570E0020A9BDB14DF68E854BFE7BE9AF85244F044468EAC69F341DB75A911C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0109F237 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0109F33F
IsValidCodePage.KERNEL32(00000000), ref: 0109F37D
IsValidLocale.KERNEL32(?,00000001), ref: 0109F390
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0109F3D8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0109F3F3

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 4b9237979c5bef12814d7e244d4a4807e4d3ddc73c6e00c097d8681d916e5ed0
Instruction ID: 0ab270d1f829aceacda67cda2b0a8c4403cae7e0ddd523d5b58eefcf72b7fb5f
Opcode Fuzzy Hash: 4b9237979c5bef12814d7e244d4a4807e4d3ddc73c6e00c097d8681d916e5ed0
Instruction Fuzzy Hash: 58516171A00207ABEF60DFA9DC50AFE7BF8BF14700F0484A9E990EB190EB749540DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010515C0 Relevance: 6.6, Strings: 5, Instructions: 355COMMON

Download Yara Rule

Strings

Histogram.MismatchedConstructionArguments, xrefs: 0105181A
..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 01051851
%s:%d: assertion %s failed: %s, xrefs: 01051856
vector[] index out of bounds, xrefs: 01051842
__n < size(), xrefs: 01051847

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireInit_thread_headerRelease
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$Histogram.MismatchedConstructionArguments$__n < size()$vector[] index out of bounds
API String ID: 1281622111-748511
Opcode ID: 9a00bea3ad92741d56150e44093124b12b62e524166a347257f9481af0a22fdc
Instruction ID: 932d0f97cef6a05d0a0cdba44976fe0eef82c654ec59b01bc1c1670f35c24c0a
Opcode Fuzzy Hash: 9a00bea3ad92741d56150e44093124b12b62e524166a347257f9481af0a22fdc
Instruction Fuzzy Hash: 99C18174F0020A9FDB64DFA9D894AAFBBF5FF88204B04451DE9969B341D735E904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010892A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45bac9f3abf0a78b0ba354ff54b440fea3dfc5006bfe2d00687007389b833a7
Instruction ID: 77505ab5a403899ca969e1deeea01f29e84a39ec0c3632ae957c104fda8e12de
Opcode Fuzzy Hash: c45bac9f3abf0a78b0ba354ff54b440fea3dfc5006bfe2d00687007389b833a7
Instruction Fuzzy Hash: C5024D71E052199BDF14EFA8C880AEEFBF1FF88318F148269D599A7341D731A901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01045610 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 0104564D
GetProductInfo.KERNEL32(?,?,00000000,00000000,00000000), ref: 01045674
__Init_thread_header.LIBCMT ref: 010456D3
GetNativeSystemInfo.KERNEL32(010E5978), ref: 01045704

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Info$Init_thread_headerNativeProductSystemVersion
String ID:
API String ID: 2164803554-0
Opcode ID: c60746f55cad188bdebea861856e8195a828ff30deb5d5871e8359236315517a
Instruction ID: bfc6a74e99fde56c37f146be6fc3de0c33fa707b552897cd449985953d741ed5
Opcode Fuzzy Hash: c60746f55cad188bdebea861856e8195a828ff30deb5d5871e8359236315517a
Instruction Fuzzy Hash: BB212875A402049FD730EB55EC85BED73B4BB9E728F000569E6C45A140DB7A2990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01065820 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 010658B0

Part of subcall function 01047600: AcquireSRWLockExclusive.KERNEL32(00000000,?,01065318), ref: 01047604

ReleaseSRWLockExclusive.KERNEL32(?), ref: 010659B5

Strings

MZx, xrefs: 01065A03

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: MZx
API String ID: 1678258262-2575928145
Opcode ID: aa8a20e35dbace10338a1d3fa59cff00bdb3532447c2bdfe14725bf6f3839abe
Instruction ID: e1e321627dae74fee7696570af13edc8f3791feb4390acf64c129a54e23f882f
Opcode Fuzzy Hash: aa8a20e35dbace10338a1d3fa59cff00bdb3532447c2bdfe14725bf6f3839abe
Instruction Fuzzy Hash: 1E510531E005068FDB14CE5CD8406AEB7EAAF85360F188069D989EB305DB31AD40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010821B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 010821C2
GetSystemInfo.KERNEL32(?), ref: 010821DD

Strings

D, xrefs: 010821D1

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: f6fed817eeb4d8f349e03b01dfc6b3dd30ef42dbf88210776b7671743934db53
Instruction ID: 7496f13480aa3112e95d1d168409831e5831e885eac48f9fbdbd5acb62b588f1
Opcode Fuzzy Hash: f6fed817eeb4d8f349e03b01dfc6b3dd30ef42dbf88210776b7671743934db53
Instruction Fuzzy Hash: 2101FC726001096BDF14EE2DCC05BDE7BE9AFC4324F1DC165ED99D7145D634D411C680

Uniqueness

Uniqueness Score: -1.00%

Function 01072680 Relevance: 4.7, APIs: 3, Instructions: 210COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0107268F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 01072813

Part of subcall function 01047600: AcquireSRWLockExclusive.KERNEL32(00000000,?,01065318), ref: 01047604

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID:
API String ID: 1678258262-0
Opcode ID: 23f78fa0e51871061867106a9d7106d1e6e3dfd04432b1c5ead3be10afa17de5
Instruction ID: eb4ce698c9a2404818e0893536b82a7cd499a1e3f1e552c10b937718d9937bce
Opcode Fuzzy Hash: 23f78fa0e51871061867106a9d7106d1e6e3dfd04432b1c5ead3be10afa17de5
Instruction Fuzzy Hash: 5A61F431F002058BCB54DF28D884A6EBBF6FB84210B18846DE986DB345DB32E951C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0109F530 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0109F584
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0109F5CE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0109F694

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: cd63615218132cba28a543007162297d8790b435a2b5276a48138c18d6286a79
Instruction ID: c08af54c3d2c12365fcfbbe33edd1b0145714f4639518436a099df5bfa6cba3e
Opcode Fuzzy Hash: cd63615218132cba28a543007162297d8790b435a2b5276a48138c18d6286a79
Instruction Fuzzy Hash: FC61C1719102079FEF699F28CDA1BBABBE8FF08300F1040B9E995C6195EB75D941EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0109C376 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0109C46E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0109C478
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0109C485

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f04b01812eef07979d3aaa342cba325a40f65f88bc54d6be6b3dbf4850a73d98
Instruction ID: 40753dd44dc1ae2940146d18dd109b7c1f9c3359d162682ae29078fa1a06f189
Opcode Fuzzy Hash: f04b01812eef07979d3aaa342cba325a40f65f88bc54d6be6b3dbf4850a73d98
Instruction Fuzzy Hash: 1031D47494121DABCB21EF69D9887DCBBF8BF18310F5041DAE84CA7250EB749B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 01022400 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 010225A2

Strings

3333, xrefs: 0102245B

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __floor_pentium4
String ID: 3333
API String ID: 4168288129-2924271548
Opcode ID: 96c217c76f7c4207befab1f918e9ab3147ffa3dfb3b488b4f81b184c692d3b2c
Instruction ID: 49e1d94b8399838f989f7db980316213498c2cdd87963935919117d3e238eded
Opcode Fuzzy Hash: 96c217c76f7c4207befab1f918e9ab3147ffa3dfb3b488b4f81b184c692d3b2c
Instruction Fuzzy Hash: 2491B572E012258FCB15CFA9C8905ADB7F2AF9D310B18C669E885FB345DB31AD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010721B0 Relevance: 3.3, APIs: 2, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628cf17758620656c93a10a8f2422b6853aa12be61e6eb80a71993105bcaec6a
Instruction ID: 657c76733b240036f0f32fed95cce507ca713e82f618a1169ccff4b54cd50a94
Opcode Fuzzy Hash: 628cf17758620656c93a10a8f2422b6853aa12be61e6eb80a71993105bcaec6a
Instruction Fuzzy Hash: 91B1D371F046068FCB19CF69C4901ADF7F2BF99210B19C669D986EB340EB31EC818B55

Uniqueness

Uniqueness Score: -1.00%

Function 010487E0 Relevance: 3.3, APIs: 2, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eac2f82ff8a49288a71953a6be5f6cae8aa4df0be02da2e328df90da2e4254f
Instruction ID: abaa147a16283b04b3e425ae83c65194b113db9528c325130ebab3207a37a7b9
Opcode Fuzzy Hash: 5eac2f82ff8a49288a71953a6be5f6cae8aa4df0be02da2e328df90da2e4254f
Instruction Fuzzy Hash: 52B1A4B1A046168FDB15CFA9C48056DF7F2BF99310719CA6AD986EB340E731EC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01043550 Relevance: 3.3, APIs: 2, Instructions: 275COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 010436B2
__floor_pentium4.LIBCMT ref: 01043765

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: c9f7efda38a63956c6c6bbf567a1fea01dd862c22b139c49977daf8ee77444e1
Instruction ID: 13927be53fdb02dabbe10db62dae38ba1758afe0f3c2497963fcf57e7b7444d8
Opcode Fuzzy Hash: c9f7efda38a63956c6c6bbf567a1fea01dd862c22b139c49977daf8ee77444e1
Instruction Fuzzy Hash: 10A1C5B1F046268FDB15CE69C4C066EF7F2BF99210B19C669D895AF344E731E8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 01043890 Relevance: 3.3, APIs: 2, Instructions: 274COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 010439E4
__floor_pentium4.LIBCMT ref: 01043A97

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 2bb5f0d637f7e0040248baca96505cddde2701d5d2337bd2f01dbd999a398e8e
Instruction ID: 27bf344c3b9eb0e902652c866666c74e21344bf07ea0959b9dfabfdf73aba2b3
Opcode Fuzzy Hash: 2bb5f0d637f7e0040248baca96505cddde2701d5d2337bd2f01dbd999a398e8e
Instruction Fuzzy Hash: 79A1C4B1B046258FCB15CE29C4C166DF7B2BFD9210719C269D986AF345E731EC818B81

Uniqueness

Uniqueness Score: -1.00%

Function 0104A690 Relevance: 3.3, APIs: 2, Instructions: 266COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0104A7E5
__floor_pentium4.LIBCMT ref: 0104A882

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 8a3c16bdf63a777c3c63b60a3713d6ed8724968e56fd5701729e26241f283ff1
Instruction ID: 7fcce0bf603053f1dcb251e07dfccb0acbb7c554cee3bd16f701765e11811057
Opcode Fuzzy Hash: 8a3c16bdf63a777c3c63b60a3713d6ed8724968e56fd5701729e26241f283ff1
Instruction Fuzzy Hash: 6AA1B6B6B44616CFCB15CE29C8C02ADB7B2BF99210719C679D986EB344E731EC81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01070390 Relevance: 3.2, APIs: 2, Instructions: 191COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,010729C0,01072A30,?,?,?,?,?,?,?,?,?,?,?,01070367,?), ref: 01070423

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: 532cd460a45db10f825ea83149ceb928af790ce632073535ce479ba69f9e1c0d
Instruction ID: b92c794cf89196ac5139ec2c80b0bc90ed7fd8dccc22e5240f6e46a78d32b8f4
Opcode Fuzzy Hash: 532cd460a45db10f825ea83149ceb928af790ce632073535ce479ba69f9e1c0d
Instruction Fuzzy Hash: 7561A4B0E0020A9FCF44DF69D450AEEB7B0FF99304F044129E986AB345DB71A951CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 01065620 Relevance: 3.2, APIs: 2, Instructions: 170COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,0106561A,?,?), ref: 01065675

Part of subcall function 01047600: AcquireSRWLockExclusive.KERNEL32(00000000,?,01065318), ref: 01047604

ReleaseSRWLockExclusive.KERNEL32(?,00000000,?), ref: 010657D1

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID:
API String ID: 1678258262-0
Opcode ID: 8d718841ee0ca83e4607b59bcc668c9231e31a2f07e4809cffc2f081489113f5
Instruction ID: 253dfe3bb83c2c614ff36ae06ba6e50b1a1a131e3bf74936dc25d836ab8410cb
Opcode Fuzzy Hash: 8d718841ee0ca83e4607b59bcc668c9231e31a2f07e4809cffc2f081489113f5
Instruction Fuzzy Hash: 0251F571E0011A8FDB14CF58EC846EDB7F9BF58754F188069E986AB301DB39AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0107D3E0 Relevance: 2.1, APIs: 1, Instructions: 551COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0107D4FC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: e8bd05cd26adfce5c48da4e138535f0407838352621e484ecd1ccc4252635dfd
Instruction ID: eee63ba2db16884f698cc9673bc4d5b14964290f62ce44fc5c4cfc66fd306182
Opcode Fuzzy Hash: e8bd05cd26adfce5c48da4e138535f0407838352621e484ecd1ccc4252635dfd
Instruction Fuzzy Hash: D812B372A083469FC725EF64C890AEFB7E9AFD9314F04451DF9C997240DB30A949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0109452C Relevance: 1.6, APIs: 1, Instructions: 140timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,01094A02,?,-00000004), ref: 010945E0

Part of subcall function 010A0FBA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0109A874,?,00000000,-00000008), ref: 010A101B

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID:
API String ID: 1123094072-0
Opcode ID: ad12fe000acba302dc93f4a35ae899b6ac7264a6fa4f5de16ba632a51fb177d4
Instruction ID: 6dfb256869b975e5ec2ac417025b45c3e9c773ad2154067a3941967a3555a206
Opcode Fuzzy Hash: ad12fe000acba302dc93f4a35ae899b6ac7264a6fa4f5de16ba632a51fb177d4
Instruction Fuzzy Hash: 0F4125B1E00216BBDF107FAADC00A9E7FA8EF14610F0140A5F984EB161EB72D910DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0109F7F0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0109F844

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 97f15b8d92346a8d7af9e808dac50b6c5adb8824d23d6e1bc482b2ea4a9749ab
Instruction ID: e210de652235530d3fb1d2ffaa0c1b53bb63184ff4824f724a97a2c48de38cd6
Opcode Fuzzy Hash: 97f15b8d92346a8d7af9e808dac50b6c5adb8824d23d6e1bc482b2ea4a9749ab
Instruction Fuzzy Hash: C121D732605117ABEF689E29DC61ABB3BE8EF04310F1040BAED41DB145EB74DD00EB50

Uniqueness

Uniqueness Score: -1.00%

Function 010870C7 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 0108724B

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e2bd2493e5c5c6af9822e48c28b877bec80e8b13805e7ae313f78877320dddee
Instruction ID: 81c16b1ea4d34f2986504a0d06530aad85d1102b504a3c723dad81214ac88cd0
Opcode Fuzzy Hash: e2bd2493e5c5c6af9822e48c28b877bec80e8b13805e7ae313f78877320dddee
Instruction Fuzzy Hash: BEB1053090C60B9BDF69FEACC8956BEBBE2AF01204F34465DDAD297B49C731A501CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0109F488 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

EnumSystemLocalesW.KERNEL32(0109F530,00000001,00000000,?,-00000050,?,0109F313,00000000,-00000002,00000000,?,00000055,?), ref: 0109F4FA

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e2a5714bacfe688e8cd420a3e5a235d4822e0bf97b45434dd7908d70625db2b7
Instruction ID: 6824e90e630606dcc7f7f7d8a8441da8da88c7e8d02f5312574b8d42a443add5
Opcode Fuzzy Hash: e2a5714bacfe688e8cd420a3e5a235d4822e0bf97b45434dd7908d70625db2b7
Instruction Fuzzy Hash: 7811E9372007069FDF289F39D8A16BABB91FF84368B15842DD9C687A40D771B943D740

Uniqueness

Uniqueness Score: -1.00%

Function 0109F910 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0109F964

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4676e51cd13fbea6a81ca98d1b6a781256d25989bd395e83132586742ded0d83
Instruction ID: 30f8e9809206a39552b5d78f69eb693f4905d4974a710a49f0d4450202c9d52d
Opcode Fuzzy Hash: 4676e51cd13fbea6a81ca98d1b6a781256d25989bd395e83132586742ded0d83
Instruction Fuzzy Hash: A711C672651217ABDF14EF28DC61ABA7BE8EF04314B11407AE545D7140EB78E9419750

Uniqueness

Uniqueness Score: -1.00%

Function 0109F783 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

EnumSystemLocalesW.KERNEL32(0109F7F0,00000001,00001002,?,-00000050,?,0109F2DB,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 0109F7CD

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f481eb18db22e13f36e5ad28790a0a8f8ed074a68ba819ab23e1b6323faea0a5
Instruction ID: 3ded2ba86dfa2182be388d34c3b67d2982639af4e276f9eaa4981e8af39b5991
Opcode Fuzzy Hash: f481eb18db22e13f36e5ad28790a0a8f8ed074a68ba819ab23e1b6323faea0a5
Instruction Fuzzy Hash: F7F0C23620030A5FDF255E3998A1A6ABFD5FF80768B15846DE985CB680C6B1A842A650

Uniqueness

Uniqueness Score: -1.00%

Function 0109B76D Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0109B871: EnterCriticalSection.KERNEL32(-000999D6,?,0108E1EB,00000000), ref: 0109B880

EnumSystemLocalesW.KERNEL32(0109B760,00000001,010DF2E8,0000000C,0109B0D1,-00000050), ref: 0109B7A5

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 260e5618121f6e18e3db38bb1855307fc996dcfb6e023600ffe6616e2c342053
Instruction ID: ab0d73e7c7fe0a61f99074e2bb1eadc9e27f71da12060c6540f2941e123b8940
Opcode Fuzzy Hash: 260e5618121f6e18e3db38bb1855307fc996dcfb6e023600ffe6616e2c342053
Instruction Fuzzy Hash: 7DF03776A40309DFDB20EF99E441B9DB7F0FB59B20F10812AF891DB290CABA5901DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0109F8C5 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

EnumSystemLocalesW.KERNEL32(0109F910,00000001,00001002,?,?,0109F335,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0109F8FC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 750ef9d88ad2d8a67d97d36dd389977827985c49522c9eea529214afcc07c4b7
Instruction ID: 4465691b415c2fa3efe2f6afb19518e1d0d0723119ed79ae69e5140907d1b575
Opcode Fuzzy Hash: 750ef9d88ad2d8a67d97d36dd389977827985c49522c9eea529214afcc07c4b7
Instruction Fuzzy Hash: CBF0553A30020A67CF159F39D82466BBF94EFC1610B0B4098EE89CF280CA329842D790

Uniqueness

Uniqueness Score: -1.00%

Function 0109B22C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,0108FCD3,?,20001004,00000000,00000002,?,?,0108EBE4), ref: 0109B260

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1d9fbf1dac92167fde59fea3f1f83df197fa2c98afc0b7915d21e6980ea52c4b
Instruction ID: 89370d79b0bad2d5961718d5b1872e052ca6eb7e54ca3ea0350ca57ca165398d
Opcode Fuzzy Hash: 1d9fbf1dac92167fde59fea3f1f83df197fa2c98afc0b7915d21e6980ea52c4b
Instruction Fuzzy Hash: D5E01A31500218BBCF222E60EC14FAE7F19EF44660F008021FD85651248F768921AAD4

Uniqueness

Uniqueness Score: -1.00%

Function 010A70B9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07c37c28ef5aacb06e90172e787fbe1ad4cc83c27a3eeaf349aeff335fa224d
Instruction ID: 70c7ee6758c6fc4059d3d3c7524e88b930c89e510acd2451fc86f1f911d86d6b
Opcode Fuzzy Hash: d07c37c28ef5aacb06e90172e787fbe1ad4cc83c27a3eeaf349aeff335fa224d
Instruction Fuzzy Hash: 9D323731D69F014DD7339638C821336B698AFB72D5F55D727E85AB5D9AEF2AC0834200

Uniqueness

Uniqueness Score: -1.00%

Function 00FE24C0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33fb274095a188932260f0ea2736bc6a8e3ca316cc910230737caadc8204e01
Instruction ID: e5ef7e560a2aa38ed7f22d26cade27102aef4201e682cda08e996320a0c429e1
Opcode Fuzzy Hash: c33fb274095a188932260f0ea2736bc6a8e3ca316cc910230737caadc8204e01
Instruction Fuzzy Hash: 96F17121C1DFDA87D6139B3A8542166F3A0BFFA288F14EB1AFDD435412EB70B2D59240

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5650 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd09723fc643d0e2ee6b257d94cca0fce2373df82c73f826f93028f387d61145
Instruction ID: 47aeaaac46cadc797a226e4c34e547b17c64e59c69488b17d9ed8be6dbaff1af
Opcode Fuzzy Hash: dd09723fc643d0e2ee6b257d94cca0fce2373df82c73f826f93028f387d61145
Instruction Fuzzy Hash: 3DB14D72700B164BD728EEA9DC91796B3E3AB84326F8EC73C9046C6F55F2BCA4454680

Uniqueness

Uniqueness Score: -1.00%

Function 01075370 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c4f81371896f28a0e6c1027a95801f77d1efa8d7dda990d94ee719606f2aaf
Instruction ID: 710611f3d3aa4a292af5338f29c7da3e88d845a7c35b147e06f6f443743ee8e3
Opcode Fuzzy Hash: c1c4f81371896f28a0e6c1027a95801f77d1efa8d7dda990d94ee719606f2aaf
Instruction Fuzzy Hash: C7C13B33E00B148E8B0CDA19CAA626CEBAB9BD4700B9B917FD907DB1A1CEB1D405C5D5

Uniqueness

Uniqueness Score: -1.00%

Function 010A320E Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd86f6601f0fc04a6833768a6de5a0992ba7d6652606db14d1c5a459c7ef2ca1
Instruction ID: 3be2bba6ea2876aad0c0f6312f45c105a9c7c316ad0f0bc30fbacded6fa67033
Opcode Fuzzy Hash: fd86f6601f0fc04a6833768a6de5a0992ba7d6652606db14d1c5a459c7ef2ca1
Instruction Fuzzy Hash: 25B1DF30D2AF408DD32396398931336B69CAFBB2C5B52D71BFC9774D56EB2685834640

Uniqueness

Uniqueness Score: -1.00%

Function 00FE1540 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46fd9a0c7651f21d0a439fba3ad5ffb515a0e8e1e41b4cee262b977e9b59456
Instruction ID: 5583d1dcf39fea7f8632635a6ddfb2d50cb36aea0ea41ffe157d8b8a4b78555b
Opcode Fuzzy Hash: a46fd9a0c7651f21d0a439fba3ad5ffb515a0e8e1e41b4cee262b977e9b59456
Instruction Fuzzy Hash: 32A12622D18FD793E7155F3ACA005B6B760BEB9348B05FB08DDD915922DB34B6E4D280

Uniqueness

Uniqueness Score: -1.00%

Function 010204BB Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbebc6bf74e8b6d55a407b1e54c708d6680680bc0a23a1261344b0f5cf1f4284
Instruction ID: 14879c6233b7b738de9676251c82e00a82992dcdc174f3f8e8a3ef7e9e69293c
Opcode Fuzzy Hash: dbebc6bf74e8b6d55a407b1e54c708d6680680bc0a23a1261344b0f5cf1f4284
Instruction Fuzzy Hash: 5B61E871E003258FDB15CE69C4847FEFBF2EFC8350F25816AE985AB645C33958468B90

Uniqueness

Uniqueness Score: -1.00%

Function 01070810 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614bbcbf78afe7056ed1ecbd2a9075d3dd4773dda811e9671364f1ab090cf45b
Instruction ID: 69de955d5ca74a1dcd973c2a553c75693b7cedb9b1e54f7f7574d1c3372c1750
Opcode Fuzzy Hash: 614bbcbf78afe7056ed1ecbd2a9075d3dd4773dda811e9671364f1ab090cf45b
Instruction Fuzzy Hash: EC510731F001194BDB98CE69C8806AEBBE3ABC7210B18C2ADE4C5DB24EE731D901C758

Uniqueness

Uniqueness Score: -1.00%

Function 00FE6349 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e27cd1294e25ddc6d7be20974898094e3d3db1bf7931f2d7eb99be54948a70
Instruction ID: 8351b2a664c45e89b85cda14845288999d58b502bcdcd9ae46bc29a3e46ce0c1
Opcode Fuzzy Hash: 20e27cd1294e25ddc6d7be20974898094e3d3db1bf7931f2d7eb99be54948a70
Instruction Fuzzy Hash: 71514CDAC29FAA45E323673E5983292EA10AEF7598610E347FCF835E11F701B5C47220

Uniqueness

Uniqueness Score: -1.00%

Function 010524D0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317d05d2ce900e8523991b84dfe16fc7496aa4d16bea1db389e819f745b1c7b2
Instruction ID: 26f25fd4d412322dcdd1041477883884954192d07f1365c256e43e6649bf5b8e
Opcode Fuzzy Hash: 317d05d2ce900e8523991b84dfe16fc7496aa4d16bea1db389e819f745b1c7b2
Instruction Fuzzy Hash: 22518DB0E0010A8BCF54DF59D8A4AAEB7B5FF84308F144129ED86AB345D771ED15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE867D Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
Instruction ID: 311669716090957f8679d7992403cf5dc000a06c2b0a2c1c7858420e3da70835
Opcode Fuzzy Hash: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
Instruction Fuzzy Hash: 4C51ACF380D3985BD3249FA5CC8129AF3E0BFD8250F4B872DED88E7601EB7496019681

Uniqueness

Uniqueness Score: -1.00%

Function 00FE68DD Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5f0ccd61e87605ef42d33d3aae0f02861f2c28ac56394109ac1bc1c5e57cda
Instruction ID: 5a93fdfdf8deec1ec549e4749ed766ff4285d6233e5d97b9f4a97513d9f9c93d
Opcode Fuzzy Hash: 7a5f0ccd61e87605ef42d33d3aae0f02861f2c28ac56394109ac1bc1c5e57cda
Instruction Fuzzy Hash: 9A41CB79D1AF6A16EB13A73A6803363E6109FF355CA42DB1BFCB4399A9D70275003214

Uniqueness

Uniqueness Score: -1.00%

Function 00FE66D5 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88447afc45a1f6bcb49f5dd9d78a59160c77bbb213f53383de30a712b68f4499
Instruction ID: 0de0b20eeb53940733590dd5ee7fa1f608efa641baa2fc2b6ccb14a6b69e3624
Opcode Fuzzy Hash: 88447afc45a1f6bcb49f5dd9d78a59160c77bbb213f53383de30a712b68f4499
Instruction Fuzzy Hash: 0141CBA9D1AF6A16EB23B73A6803363D6109FF355DA42DB1BFCB439DA9D30275003254

Uniqueness

Uniqueness Score: -1.00%

Function 00FE19E0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ad43ef9492b0eabf3af094ecf28adf8b082ba3035ed07e572c91c519b4f747
Instruction ID: d91dc97b24c5aa302df46519c06b93841821d9954a33b92eebbbb5264f5f59e4
Opcode Fuzzy Hash: d7ad43ef9492b0eabf3af094ecf28adf8b082ba3035ed07e572c91c519b4f747
Instruction Fuzzy Hash: 1A41B534D0CF9A87D7129F3EC541566F3A0BFAA254F04CB1EED9436162E731B6C4A681

Uniqueness

Uniqueness Score: -1.00%

Function 0100F860 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15dae88d9d877f94ed26aa412ba681ccaab8d15b693bcf817a8c1c7b506dd10
Instruction ID: 99689e3ea12587408ccff73e29fce5b5a103c4e934683312ecf6ae513152fefa
Opcode Fuzzy Hash: c15dae88d9d877f94ed26aa412ba681ccaab8d15b693bcf817a8c1c7b506dd10
Instruction Fuzzy Hash: A9314DB2B146168BEB2D8A1FE82037A36E1F744719F09416DD986CF7C4CB7A9904D784

Uniqueness

Uniqueness Score: -1.00%

Function 01010040 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9616ebb1345d3b8bad18ed5f1731ce2cbf60fb93b3bb8f0cda6dde8ef9c2d8fc
Instruction ID: 8992ebdaf648f15564c62a0cfa581d8fe688e76face7df2cf5a0097247bf217d
Opcode Fuzzy Hash: 9616ebb1345d3b8bad18ed5f1731ce2cbf60fb93b3bb8f0cda6dde8ef9c2d8fc
Instruction Fuzzy Hash: 7C31C4B6A043129FC715DE28C88066ABBE5FFC9364F05852DF8E9C7389D7349940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FE18B0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a23c78da3b6716c584f250082441a8c334e7b2b212062c327525d921f6641d
Instruction ID: a5e0a4ce7d7a262e7892f4f125322dfc952568b54fc176d5ccb6b1fb832c92aa
Opcode Fuzzy Hash: 60a23c78da3b6716c584f250082441a8c334e7b2b212062c327525d921f6641d
Instruction Fuzzy Hash: 37318F34C0CB9A97D7029F3AC441156F7A0BFAA258F00CB1EEDD433261D771BA84AA52

Uniqueness

Uniqueness Score: -1.00%

Function 01083690 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 49bbfb3df503cfccbeba92d706836226a12534d2bc0feedb2f7b737626bf6121
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6B1138BB30D08143E294BA2DD8B45BBBBD5FBC962972CC2FAC2C24F754D223D0659600

Uniqueness

Uniqueness Score: -1.00%

Function 00FE614D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
Instruction ID: 3e4aa2ddb2d8e81c8354a7a9abd9c0855dd406e35942f766b766150b3b172115
Opcode Fuzzy Hash: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
Instruction Fuzzy Hash: DD1151D9C2AF7A06E713633B5D42242DA105EF7989550D347FCB439D61F701B5C17210

Uniqueness

Uniqueness Score: -1.00%

Function 00FE626D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35fea1031711773cf9ca4232a4cd6f839659ec201a35b62fd392b4a4f0e2cbd
Instruction ID: 7b954fd7434b16f392998e7452f15770c1e012c64c0d35b07d88df37a7d881fe
Opcode Fuzzy Hash: d35fea1031711773cf9ca4232a4cd6f839659ec201a35b62fd392b4a4f0e2cbd
Instruction Fuzzy Hash: CB014FDAC24FAA45E313A33D6843282E6109FF7548620E347FCF838E62F70176D46220

Uniqueness

Uniqueness Score: -1.00%

Function 00FE4577 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b478e1f546ce9a5c90263f502841de5ed2815c13aa0d6343b5217c81eca3c23b
Instruction ID: b7e5fbf0d9c632281ddf35d32e110880ce2daf8bbec9c2d4db82308f25af64ff
Opcode Fuzzy Hash: b478e1f546ce9a5c90263f502841de5ed2815c13aa0d6343b5217c81eca3c23b
Instruction Fuzzy Hash: EDE012305183418FC746DF20C190866FBF1EF87311B06E689D4599B566D334EE88CB55

Uniqueness

Uniqueness Score: -1.00%

Function 01077930 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 233COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0107796D

Strings

"Unsupported (crbug.com/1225176)", xrefs: 01077A83
false, xrefs: 010779A1
%lld, xrefs: 010779D3
Infinity, xrefs: 01077B2F
"NaN", xrefs: 01077A35
NULL, xrefs: 01077964, 0107796C, 01077981, 01077A95
"-Infinity", xrefs: 01077B1E
NaN, xrefs: 01077A3A
%llu, xrefs: 010779C4
true, xrefs: 0107797D, 010779A6, 010779B4, 01077A58, 01077A77, 01077BC5
"0x%llx", xrefs: 01077A44
"Infinity", xrefs: 01077B2A
-Infinity, xrefs: 01077B23, 01077B3D
0x%llx, xrefs: 01077A49, 01077A57

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: "-Infinity"$"0x%llx"$"Infinity"$"NaN"$"Unsupported (crbug.com/1225176)"$%lld$%llu$-Infinity$0x%llx$Infinity$NULL$NaN$false$true
API String ID: 4218353326-265266769
Opcode ID: a3d33f01a3fe3b15a2644b1a466d3678b0f03e3919cfca369ee82848a9f1553c
Instruction ID: b547c5c0ecc8fd0827350357a1090d968485f8685f3cd102f05b3dea6d93ff16
Opcode Fuzzy Hash: a3d33f01a3fe3b15a2644b1a466d3678b0f03e3919cfca369ee82848a9f1553c
Instruction Fuzzy Hash: 62718670E08301ABE711AE24CC49BBF7BE6AFC2694F10895CFAC55A191E73089458757

Uniqueness

Uniqueness Score: -1.00%

Function 01061050 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 189COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0106125F
_strlen.LIBCMT ref: 01061295

Strings

MSEdgeBeta, xrefs: 010610D8
MSEdgeWebView, xrefs: 0106110E
Microsoft.MSEdgeWebView, xrefs: 010611EE
Microsoft.MSEdgeInternal, xrefs: 010611DB
MSEdgeInternal, xrefs: 010610F3
MSEdgeDev, xrefs: 010610BD
Microsoft.MSEdgeDev, xrefs: 01061193
Microsoft.MSEdgeBeta, xrefs: 010611B7
Microsoft.MSEdgeStable, xrefs: 01061148
Microsoft.MSEdgeCanary, xrefs: 0106116F
MSEdgeCanary, xrefs: 010610A2

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: MSEdgeBeta$MSEdgeCanary$MSEdgeDev$MSEdgeInternal$MSEdgeWebView$Microsoft.MSEdgeBeta$Microsoft.MSEdgeCanary$Microsoft.MSEdgeDev$Microsoft.MSEdgeInternal$Microsoft.MSEdgeStable$Microsoft.MSEdgeWebView
API String ID: 4218353326-4251218085
Opcode ID: 485158b7c1f9b0ecc796e6d4ef88a0acd642639cf403449313c22b6a8dfca9a6
Instruction ID: 00343d3a5b2545782299bf4a8625ae67319715d82b23fa284eb7afb498c6efed
Opcode Fuzzy Hash: 485158b7c1f9b0ecc796e6d4ef88a0acd642639cf403449313c22b6a8dfca9a6
Instruction Fuzzy Hash: C861E5B1E40309AFDB04EF65DC42BDE7AF5AF94704F14402DE984EF240EAB19916CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010471C0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 010471EF
SetThreadPriority.KERNEL32(00000000,00020000,?,000000CF,?), ref: 0104720C
GetCurrentThread.KERNEL32 ref: 010472DC

Strings

SetThreadInformation, xrefs: 01047330
kernel32.dll, xrefs: 01047325

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Thread$Current$Priority
String ID: SetThreadInformation$kernel32.dll
API String ID: 3341643625-3009701951
Opcode ID: ad2ad3b1040b96b5453b9d10c133d885d029664d000e6f34154d0447bd0a0ce8
Instruction ID: 98ffc7261fb6d40fe929a5ad0c07c00dc63c35fc4225ae65d5a038e786ba9566
Opcode Fuzzy Hash: ad2ad3b1040b96b5453b9d10c133d885d029664d000e6f34154d0447bd0a0ce8
Instruction Fuzzy Hash: 0A316DF1A003459FDB316B29D9C99AD3BF5FB06625F040579F9D1DB184DB3A4500CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01054050 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 173fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 010540B9
GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 010540FC
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0105416C
CreateFileW.KERNEL32 ref: 01054270

Strings

%s:%d: assertion %s failed: %s, xrefs: 010542FB
string::back(): string is empty, xrefs: 010542D6
__s should never be greater than or equal to the short string capacity, xrefs: 010542E7
!empty(), xrefs: 010542DB
..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 010542F6
debug.log, xrefs: 01054237, 010542A9
__s < __min_cap, xrefs: 010542EC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: File$Create$CurrentDirectoryModuleName
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$__s < __min_cap$__s should never be greater than or equal to the short string capacity$debug.log$string::back(): string is empty
API String ID: 4120427848-116757326
Opcode ID: 91644d57cd22d9ebcbf7d967c89d7a8f7f7e478f295f962bbb534317867ad5b5
Instruction ID: 003085cb43eb30b002d98334b2d9f850bfae41ae1b7db6e57f47fb2d4fa9e902
Opcode Fuzzy Hash: 91644d57cd22d9ebcbf7d967c89d7a8f7f7e478f295f962bbb534317867ad5b5
Instruction Fuzzy Hash: A96122306403158FD7609F69C888BEA7BF1BF90B18F84819CE9C59F2C1EBB59585CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0105C9A0 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 88COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0105C9DE
IsWow64Process.KERNEL32(00000000,00000000), ref: 0105C9EA

Strings

c, xrefs: 0105CA71
ize, xrefs: 0105CA42
va_s, xrefs: 0105CA52, 0105CA56
ow_6, xrefs: 0105CA0F
is_w, xrefs: 0105CA1F, 0105CA23
size, xrefs: 0105CAE6, 0105CAEA
allo, xrefs: 0105CA81, 0105CA85
it, xrefs: 0105CAAA
comm, xrefs: 0105CABA, 0105CABE

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Process$CurrentWow64
String ID: allo$c$comm$is_w$it$ize$ow_6$size$va_s
API String ID: 1905925150-1478685300
Opcode ID: 3f66afbd0eb6ad8f512db89d6b64e3dec903edc73006f7aa2f3f11a5509a78b9
Instruction ID: 779197015a32b6ba64c5a35f41f2ae0e0dd6faf33f18123642c14a4cc96f1d75
Opcode Fuzzy Hash: 3f66afbd0eb6ad8f512db89d6b64e3dec903edc73006f7aa2f3f11a5509a78b9
Instruction Fuzzy Hash: 69315BB19083419BE714DFA4D88879BBBF8BB99304F140A2DF9C987240D776D5088B87

Uniqueness

Uniqueness Score: -1.00%

Function 01054760 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 464fileCOMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01054982
OutputDebugStringA.KERNEL32(?), ref: 01054A71
_strlen.LIBCMT ref: 01054C18

Part of subcall function 01054050: CreateFileW.KERNEL32 ref: 010540B9
Part of subcall function 01054050: GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 010540FC
Part of subcall function 01054050: CreateFileW.KERNEL32 ref: 01054270

WriteFile.KERNEL32(?,?,?,00000000), ref: 01054B0F
__Init_thread_header.LIBCMT ref: 01054D36

Part of subcall function 010816E7: EnterCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 010816F2
Part of subcall function 010816E7: LeaveCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 0108172F

__Init_thread_header.LIBCMT ref: 01054D79
__Init_thread_header.LIBCMT ref: 01054DAF

Strings

LOG_FATAL, xrefs: 01054D50
%s:%d: %s, xrefs: 01054999
LogMessage, xrefs: 010548F3

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FileInit_thread_header$CreateCriticalSection$CurrentDebugDirectoryEnterLeaveOutputStringWrite_strlen_strrchr
String ID: %s:%d: %s$LOG_FATAL$LogMessage
API String ID: 3233774340-1864124823
Opcode ID: 5668180e4ba772bf623054141026df487a28103605c489ca8afa7be9effb0804
Instruction ID: a5ca129768c4c5d032f8f34b5bc3a8eae1169f5ba1382249ca0b801990546e6d
Opcode Fuzzy Hash: 5668180e4ba772bf623054141026df487a28103605c489ca8afa7be9effb0804
Instruction Fuzzy Hash: 5E02F1746083419FD751EF24C884AAFBBE1BF99718F08492CF9C99B241E731E985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01045830 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 251libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,0000011C,00000000,?,010456B7,0000011C,010E5978,00000000), ref: 01045860
GetModuleHandleW.KERNEL32(api-ms-win-core-wow64-l1-1-1.dll,?,?,?,?,?,?,?,00000000,0000011C,00000000,?,010456B7,0000011C,010E5978,00000000), ref: 0104586D
GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 01045886
GetCurrentProcess.KERNEL32(?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 01045A64

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 01045975
IsWow64Process2, xrefs: 01045880
api-ms-win-core-wow64-l1-1-1.dll, xrefs: 01045868
DisplayVersion, xrefs: 010459A5
ReleaseId, xrefs: 010459C5
UBR, xrefs: 01045995

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CurrentProcess$AddressHandleModuleProc
String ID: DisplayVersion$IsWow64Process2$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR$api-ms-win-core-wow64-l1-1-1.dll
API String ID: 1114296175-236569533
Opcode ID: 32b7fb085e658cb2c07085209acf74032dc3b15b3fd13eaa9914d3e7817032ec
Instruction ID: 566cdbf40c701e0449d3b4ea046bdacf6309d9a069a5a61d578c01cc83e5e617
Opcode Fuzzy Hash: 32b7fb085e658cb2c07085209acf74032dc3b15b3fd13eaa9914d3e7817032ec
Instruction Fuzzy Hash: A8A1C1B4A007099FEB20CF68C8C47AEBBF1EF49314F14452DE8C697681E775A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0103A0C0 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 229COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 0103A4EF

Strings

December, xrefs: 0103A231
April, xrefs: 0103A122
March, xrefs: 0103A112
October, xrefs: 0103A20C
September, xrefs: 0103A1FB
February, xrefs: 0103A0FD
August, xrefs: 0103A1EA
January, xrefs: 0103A0EC
November, xrefs: 0103A221

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID: April$August$December$February$January$March$November$October$September
API String ID: 3738618077-521072420
Opcode ID: 89dfb4b4f1b960939ae8ac6a663a9e2fa1a6dec27146479decf22bbb53332ca0
Instruction ID: bc9fda2f2ab36b7453f8e159ebe80558c596b6f1b1ef661550cb1577a2576ba1
Opcode Fuzzy Hash: 89dfb4b4f1b960939ae8ac6a663a9e2fa1a6dec27146479decf22bbb53332ca0
Instruction Fuzzy Hash: 6FA18CF9B05341DFE3259F02D8287197BD9BB90B1EF448C0C96D96F285DBBA28448B52

Uniqueness

Uniqueness Score: -1.00%

Function 010408E0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 01040790: _strlen.LIBCMT ref: 01040828

ReleaseSRWLockExclusive.KERNEL32(?), ref: 01040968
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 01040972
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,010434A0,01043530,010434F0), ref: 010409D0
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 010409DA

Strings

%s:%d: assertion %s failed: %s, xrefs: 01040AC2
__x != nullptr, xrefs: 01040AB3
..\..\buildtools\third_party\libc++\trunk\include\__tree, xrefs: 01040ABD
SetDisabledWhileLocked, xrefs: 01040A65
node shouldn't be null, xrefs: 01040AAE
..\..\base\trace_event\trace_log.cc, xrefs: 01040A60

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$_strlen
String ID: %s:%d: assertion %s failed: %s$..\..\base\trace_event\trace_log.cc$..\..\buildtools\third_party\libc++\trunk\include\__tree$SetDisabledWhileLocked$__x != nullptr$node shouldn't be null
API String ID: 1657474455-3419696668
Opcode ID: 7861dabbfd7fe901bc502bca0dcb9224ad50575c93f1eea4df4bbd0d6629c7c0
Instruction ID: 304a7dae66daa1ffcb90fd58f019c54b41c06f25a913784246d4c1bd8f412103
Opcode Fuzzy Hash: 7861dabbfd7fe901bc502bca0dcb9224ad50575c93f1eea4df4bbd0d6629c7c0
Instruction Fuzzy Hash: D151EFB5A002159FEB10EF68D4C0AEEB7B1BF58714F050168FAC2BB245D731AC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010397D0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 133COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 01039A0A

Strings

Thursday, xrefs: 01039848
Friday, xrefs: 01039858
Tuesday, xrefs: 01039822
Monday, xrefs: 01039811
Sunday, xrefs: 01039801
Wednesday, xrefs: 01039833
Saturday, xrefs: 01039868

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID: Friday$Monday$Saturday$Sunday$Thursday$Tuesday$Wednesday
API String ID: 3738618077-1471634407
Opcode ID: 863301630a6557af6150ca86c9244df2f8359a1372e9e584862a67a0c3f7cfd3
Instruction ID: 86284929a52fd0946a34cb162b5e390cc9e0ff977fde8b448ec74876c2215e56
Opcode Fuzzy Hash: 863301630a6557af6150ca86c9244df2f8359a1372e9e584862a67a0c3f7cfd3
Instruction Fuzzy Hash: 1151AF789043429EE3256B42D8197597BE9BBD2B1CF44080DF6D92F385C7FA28458781

Uniqueness

Uniqueness Score: -1.00%

Function 0100D7A8 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 101COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0100D868

Strings

char_traits::copy overlapped range, xrefs: 0100D833
%s:%d: assertion %s failed: %s, xrefs: 0100D847
__s2 < __s1 || __s2 >= __s1+__n, xrefs: 0100D838
..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 0100D842
basic_string(const char*, n) detected nullptr, xrefs: 0100D81D
..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 0100D82C
__n == 0 || __s != nullptr, xrefs: 0100D822

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$..\..\buildtools\third_party\libc++\trunk\include\string$__n == 0 || __s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*, n) detected nullptr$char_traits::copy overlapped range
API String ID: 4218353326-3850207310
Opcode ID: 4dfdd0d73dd22746ec1eb075ae4cf70038b6207be0dffdaf60551c3f7ef280c8
Instruction ID: 77ac8ac6d0196ae5425b8353d87879ef8f00d2bf766a2ef5f15640ce1f41ce8f
Opcode Fuzzy Hash: 4dfdd0d73dd22746ec1eb075ae4cf70038b6207be0dffdaf60551c3f7ef280c8
Instruction Fuzzy Hash: 18213C713003466BF7236AD99CC1EAEB689EB51E54F18413FF5C9D7381E9A09D0087B6

Uniqueness

Uniqueness Score: -1.00%

Function 01046240 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 010462A7
GetProcAddress.KERNEL32(00000000,RoInitialize), ref: 010462E4
__Init_thread_header.LIBCMT ref: 0104630A

Part of subcall function 010816E7: EnterCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 010816F2
Part of subcall function 010816E7: LeaveCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 0108172F

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,?,010E59B8,?,?,?,?,?,?,?,?,?,-00000001), ref: 01046358

Strings

operator(), xrefs: 0104632E
..\..\base\win\scoped_winrt_initializer.cc, xrefs: 01046329
RoInitialize, xrefs: 010462DE
combase.dll, xrefs: 01046353

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CriticalInit_thread_headerSection$AddressEnterLeaveLibraryLoadProc
String ID: ..\..\base\win\scoped_winrt_initializer.cc$RoInitialize$combase.dll$operator()
API String ID: 882557473-4077768022
Opcode ID: 495929756e3d8e613947944b1c0474724e889f2d147484e94df4c129a79f4d3c
Instruction ID: d14df7fa95ac6c9985cde4b6adffa55fe93e4b4a34930f37154e4f2fb8f328a9
Opcode Fuzzy Hash: 495929756e3d8e613947944b1c0474724e889f2d147484e94df4c129a79f4d3c
Instruction Fuzzy Hash: E1313BB4A05201AFD760EB6AED85EEA33E0BB4AB24F04053CE8C69F244E77758008756

Uniqueness

Uniqueness Score: -1.00%

Function 01046380 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 010463E3
GetProcAddress.KERNEL32(00000000,RoUninitialize), ref: 01046420
__Init_thread_header.LIBCMT ref: 01046446
LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,?,010E59B8), ref: 01046494

Strings

operator(), xrefs: 0104646A
RoUninitialize, xrefs: 0104641A
..\..\base\win\scoped_winrt_initializer.cc, xrefs: 01046465
combase.dll, xrefs: 0104648F

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header$AddressLibraryLoadProc
String ID: ..\..\base\win\scoped_winrt_initializer.cc$RoUninitialize$combase.dll$operator()
API String ID: 900114960-1867938867
Opcode ID: ca305065996fae7f6601d097d1f0071f7666ba26980389da039491d63ce44ad2
Instruction ID: 2330a4002102a185ddb4260e4f924fdbdca34d0de6770606d9cd996486ee8b66
Opcode Fuzzy Hash: ca305065996fae7f6601d097d1f0071f7666ba26980389da039491d63ce44ad2
Instruction Fuzzy Hash: FD31E8B4A053419BD760AB2AEC85AED77E1BB86B24F00457DE8C55F240EB376441CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0100D858 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 66COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0100D868

Strings

char_traits::copy overlapped range, xrefs: 0100D833, 0100D8EB
__s != nullptr, xrefs: 0100D8DA
%s:%d: assertion %s failed: %s, xrefs: 0100D847, 0100D8FF
__s2 < __s1 || __s2 >= __s1+__n, xrefs: 0100D838, 0100D8F0
..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 0100D842, 0100D8FA
..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 0100D82C, 0100D8E4
basic_string(const char*) detected nullptr, xrefs: 0100D8D5

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$..\..\buildtools\third_party\libc++\trunk\include\string$__s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*) detected nullptr$char_traits::copy overlapped range
API String ID: 4218353326-4006657160
Opcode ID: b4c0f9ae69622032404ca2c8a55a418640b7b9546604553bd7a5229cbb7b4763
Instruction ID: 5d10dbb5e27d993ffeda15019b0090550d64fe65d72f1ab3977aa3defe13b602
Opcode Fuzzy Hash: b4c0f9ae69622032404ca2c8a55a418640b7b9546604553bd7a5229cbb7b4763
Instruction Fuzzy Hash: FE1108713403066BF3262BEA9CC1AAFB68A9B55D54F18453EF2C9DB381DCA0DD0047B6

Uniqueness

Uniqueness Score: -1.00%

Function 01099918 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 01099A37
CatchIt.LIBVCRUNTIME ref: 01099B96
_UnwindNestedFrames.LIBCMT ref: 01099C97
CallUnexpected.LIBVCRUNTIME ref: 01099CB2

Strings

csm, xrefs: 010999C2
csm, xrefs: 01099955
csm, xrefs: 01099A6E

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2332921423-393685449
Opcode ID: a87d70bdcee861c44895536f672a9c72f7ccf24fb956f837bd3e8cdb3c3e540c
Instruction ID: bc0c1f2cbbcab394e5370d09016d30bada7b2b80fd840db945ce869107bdccb9
Opcode Fuzzy Hash: a87d70bdcee861c44895536f672a9c72f7ccf24fb956f837bd3e8cdb3c3e540c
Instruction Fuzzy Hash: 28B1ACB180020ADFCF15DFA9C9A09AEBBF5FF54318F14419EE8916B202D335DA51EB91

Uniqueness

Uniqueness Score: -1.00%

Function 0103F6D0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 256COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(010CED04,010CED04,ThreadLocalEventBuffer,?,?,?,?,?,?,?,?,__location != nullptr,null pointer given to construct_at), ref: 0103F91E
ReleaseSRWLockExclusive.KERNEL32(?,?,?,010D2DFC,?,?,?,?,?,?,?,?,?,__location != nullptr,null pointer given to construct_at), ref: 0103F992

Strings

%s:%d: assertion %s failed: %s, xrefs: 0103F800
..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h, xrefs: 0103F7FB
null pointer given to construct_at, xrefs: 0103F7EF
ThreadLocalEventBuffer, xrefs: 0103F907
__location != nullptr, xrefs: 0103F7F4

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__memory\construct_at.h$ThreadLocalEventBuffer$__location != nullptr$null pointer given to construct_at
API String ID: 17069307-3489168812
Opcode ID: 7d49de60396bfd51b29c09b85b4ab8fac43ea103ea54c14ab8b666256f8040a3
Instruction ID: edbe3c4ee55671826b9f5d9143878a755760279cc6e6ed9b74e1d68a8ea71aa8
Opcode Fuzzy Hash: 7d49de60396bfd51b29c09b85b4ab8fac43ea103ea54c14ab8b666256f8040a3
Instruction Fuzzy Hash: 368128B1E002069FDB14EF68C884AAEB7F5BF94314F09466DE5899B341DB31E905CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01053210 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000000,010535C7,?,?,?,?,?,?,?,?,?,01057E08,?,010E3CC8), ref: 01053238
ReleaseSRWLockExclusive.KERNEL32(00000000,FFFFFFFF,?), ref: 0105327D
ReleaseSRWLockExclusive.KERNEL32(00000000,FFFFFFFF,?), ref: 010532E5

Part of subcall function 01047600: AcquireSRWLockExclusive.KERNEL32(00000000,?,01065318), ref: 01047604

Strings

char_traits::copy overlapped range, xrefs: 0105338F
%s:%d: assertion %s failed: %s, xrefs: 010533A3
__s2 < __s1 || __s2 >= __s1+__n, xrefs: 01053394
..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h, xrefs: 0105339E

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\__string\char_traits.h$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range
API String ID: 17069307-2841209950
Opcode ID: 0f130966648f0cbb7042988e396ab05168a49b532267344651d083cd6b542203
Instruction ID: 2dac7d91b126093ce52b79cdd53f9e892b86fb7ebb38626fe51da2dda901f89a
Opcode Fuzzy Hash: 0f130966648f0cbb7042988e396ab05168a49b532267344651d083cd6b542203
Instruction Fuzzy Hash: 0E41CF70A00205AFDBA1DF68C8C4AAF7BA4BF05794F14819DECD59F242DB35E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0107C9B0 Relevance: 12.4, APIs: 8, Instructions: 353COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0107CA59
__aullrem.LIBCMT ref: 0107CA6E
__aulldiv.LIBCMT ref: 0107CAE8
__aullrem.LIBCMT ref: 0107CAF6
__aulldiv.LIBCMT ref: 0107CB35
__aulldiv.LIBCMT ref: 0107CB52
__aullrem.LIBCMT ref: 0107CB93
__aullrem.LIBCMT ref: 0107CBD7

Part of subcall function 0107CDE7: __aullrem.LIBCMT ref: 0107CE05
Part of subcall function 0107CDE7: __aulldiv.LIBCMT ref: 0107CE18
Part of subcall function 0107CDE7: __aullrem.LIBCMT ref: 0107CE28
Part of subcall function 0107CDE7: __aulldiv.LIBCMT ref: 0107CE3D

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID:
API String ID: 3839614884-0
Opcode ID: 07c2b291fe048204a1ab1e6223226ffe436b5c3e35a24254ad53b8aa803f6942
Instruction ID: f79cf8406497de951ad8e0fd5a0811b3a2a5c5b227bbbb2b092e856c2cdee26f
Opcode Fuzzy Hash: 07c2b291fe048204a1ab1e6223226ffe436b5c3e35a24254ad53b8aa803f6942
Instruction Fuzzy Hash: 4BC1C071F0021B9FEF149E6CC990BAFBBE6AFC9310F154128E995E7385D6349C118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01079520 Relevance: 10.7, APIs: 7, Instructions: 206COMMON

Download Yara Rule

APIs

IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 01079541
GetSecurityDescriptorControl.ADVAPI32(00000000,0000FFFF,FFFFFFFF), ref: 0107956D
GetSecurityDescriptorOwner.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF), ref: 0107958E

Part of subcall function 01064880: IsValidSid.ADVAPI32(00000000), ref: 010647BE
Part of subcall function 01064880: GetLengthSid.ADVAPI32(00000000), ref: 010647C9

SetLastError.KERNEL32(0000053A), ref: 010795B3
GetSecurityDescriptorGroup.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF), ref: 01079615
GetSecurityDescriptorDacl.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF), ref: 01079664
GetSecurityDescriptorSacl.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF), ref: 010796C7

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: DescriptorSecurity$Valid$ControlDaclErrorGroupLastLengthOwnerSacl
String ID:
API String ID: 1486342557-0
Opcode ID: b7d036d2c42f75954011a2a23bc4e137a4548273f02ad9061837080f4fa02d38
Instruction ID: 6087c4f000e2287e95ee5785759e25f8994feb1127f6a5b8e6a63bf4e9f04602
Opcode Fuzzy Hash: b7d036d2c42f75954011a2a23bc4e137a4548273f02ad9061837080f4fa02d38
Instruction Fuzzy Hash: F8918770D0029D9EEF21DFA8CC44BEEBFB8AF16328F044299D4D9661C1DB345689CB25

Uniqueness

Uniqueness Score: -1.00%

Function 010585F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 0105869E
ReleaseSRWLockExclusive.KERNEL32 ref: 01058794
ReleaseSRWLockExclusive.KERNEL32 ref: 01058854
__Init_thread_header.LIBCMT ref: 010588E2

Strings

DumpWithoutCrashing, xrefs: 01058895, 010588AC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Release$AcquireInit_thread_header
String ID: DumpWithoutCrashing
API String ID: 3494467697-3234294828
Opcode ID: 687e63589a9ed1afe2a28bf760e79c2eb6fd75a3773f05ee2c4d18fcbb7de6af
Instruction ID: 52e6ac3564e6e6be9ea6dddd8513e0092997807b0d238116d0bf28fe002e4c96
Opcode Fuzzy Hash: 687e63589a9ed1afe2a28bf760e79c2eb6fd75a3773f05ee2c4d18fcbb7de6af
Instruction Fuzzy Hash: CC916A74A08341CFC754EF2AD49466ABBF0BF89318F558A1EEDD58B280D775A844CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0103939B Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 188COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 010396E9

Strings

Monday, xrefs: 01039439
Friday, xrefs: 0103953B
rday, xrefs: 01039572
Sunday, xrefs: 010393F7
Tuesday, xrefs: 01039478

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Init_thread_header
String ID: Friday$Monday$Sunday$Tuesday$rday
API String ID: 3738618077-4029317968
Opcode ID: 7b582c63d7b9c3b507339783aff909f224802e738204edb2402ddc0392109138
Instruction ID: 6b31a951c3c2f643e42a3ec67d928e91c7811abcac2dfbf22cac0d9d71d6ca97
Opcode Fuzzy Hash: 7b582c63d7b9c3b507339783aff909f224802e738204edb2402ddc0392109138
Instruction Fuzzy Hash: B9818C7CA092428EE3219F16E8083157BE5BB96B1CF04489DD9D92F384C7FEA844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0105F4A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 181COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0105F4BC
_strlen.LIBCMT ref: 0105F4EF
_strlen.LIBCMT ref: 0105F55A
_strlen.LIBCMT ref: 0105F643

Strings

, {, xrefs: 0105F52A
} l,, xrefs: 0105F6C2

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: , {$} l,
API String ID: 4218353326-191534019
Opcode ID: a92ea460695c84438fd303ffddfb0940678543dc21bc000b1249e4cc078e4183
Instruction ID: 3ebcdaea572103baba83b8841045b089c6f6d0d0a6d28cf4c46296ec962a3f3d
Opcode Fuzzy Hash: a92ea460695c84438fd303ffddfb0940678543dc21bc000b1249e4cc078e4183
Instruction Fuzzy Hash: 7A51F7B1D002167BEF11EFA48C45BFF7BB8AF16208F040159ED8477291E77A5A458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 010213D4 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 010214E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01021535

Strings

[printf format error], xrefs: 0102147D
%s%s %s, xrefs: 0102159B
%*s:%s, xrefs: 0102150D
[%03u.%03u] , xrefs: 01021579

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: %*s:%s$%s%s %s$[%03u.%03u] $[printf format error]
API String ID: 2172594012-3351823563
Opcode ID: 840346b074328f40ff5c8b8a1905f18758cff1d55077a07f02b95becd66aa8e4
Instruction ID: 6c959174aea343968ab296db6f3e081ea2fc8bd2b00c6f353766516012f3fbda
Opcode Fuzzy Hash: 840346b074328f40ff5c8b8a1905f18758cff1d55077a07f02b95becd66aa8e4
Instruction Fuzzy Hash: AA515AB2E003526BEB10AF648C46EAFB7A9EFD5710F04873CF9D956180EB7195148B92

Uniqueness

Uniqueness Score: -1.00%

Function 01075910 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000000,?,00000000,?,01074CAD,?,00000000,-00000100,?,00000000,-00000100,00000000,?,?,-00000100), ref: 01075920
TryAcquireSRWLockExclusive.KERNEL32(00000000,00000002,?,?,0100BF10,00000002,?,?), ref: 010759D0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,01074CAD,?,00000000,-00000100,?,00000000,-00000100,00000000,?,?,-00000100,?,00000000), ref: 010759A0

Part of subcall function 0105C5A0: TryAcquireSRWLockExclusive.KERNEL32(010F3EE0,00000000,FBE85001,0000000A,0CFC9968,0105F533,010814B2), ref: 0105C5BC
Part of subcall function 0105C5A0: AcquireSRWLockExclusive.KERNEL32(010F3EE0), ref: 0105C5ED

ReleaseSRWLockExclusive.KERNEL32(00000000,?,0100BF10,00000002,?,?), ref: 01075A50

Strings

bitset set argument out of range, xrefs: 010759AC
bitset reset argument out of range, xrefs: 01075A5C

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: bitset reset argument out of range$bitset set argument out of range
API String ID: 1678258262-3395121086
Opcode ID: 30623f5e2358a1d5306685c87d5c551b9e9f92f77afff6c67d8b9cadde72dd70
Instruction ID: c88c7fd53c96c3bf6fc705351ee8de3fc1c24cb208eed03e12488a2dd7c14208
Opcode Fuzzy Hash: 30623f5e2358a1d5306685c87d5c551b9e9f92f77afff6c67d8b9cadde72dd70
Instruction Fuzzy Hash: CD317D32A1010997CB686958DC846FE374ADBD3231F154269E9D387285DB71D842C3A9

Uniqueness

Uniqueness Score: -1.00%

Function 0105B910 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(010E2C58), ref: 0105B918
ReleaseSRWLockExclusive.KERNEL32(010E2C58), ref: 0105B962
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105B9E6
ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 0105BA52
TlsSetValue.KERNEL32(00000001), ref: 0105BA60

Strings

first, xrefs: 0105BD92

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$Value
String ID: first
API String ID: 3402380315-2456940119
Opcode ID: 9fbe9a70228e7dada893496014aca2545cad9fc55c815c31871e9f64a66d4892
Instruction ID: b40236c00185127ee4401dd9eb4aed4128b4a80b073702af3e784fae24206ffe
Opcode Fuzzy Hash: 9fbe9a70228e7dada893496014aca2545cad9fc55c815c31871e9f64a66d4892
Instruction Fuzzy Hash: 8D412531A002468FDB649F6AD849BBA7BF6EF85315F040478EEC98B690D77AA441CB41

Uniqueness

Uniqueness Score: -1.00%

Function 010834E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 01083517
___except_validate_context_record.LIBVCRUNTIME ref: 0108351F
_ValidateLocalCookies.LIBCMT ref: 010835A8
__IsNonwritableInCurrentImage.LIBCMT ref: 010835D3
_ValidateLocalCookies.LIBCMT ref: 01083628

Strings

csm, xrefs: 010835BD

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b7b4d44603399c60adba9d2224dbaffbeb0e2f0d279f05990374abda276f3df7
Instruction ID: 68dfed93f1b660c0815abbc62b5792b9e88e4b99d98bcbf8c7f7d6634e5f6f20
Opcode Fuzzy Hash: b7b4d44603399c60adba9d2224dbaffbeb0e2f0d279f05990374abda276f3df7
Instruction Fuzzy Hash: B141D134A04219DBCF10EF6CC880A9EBBE4BF84724F048095E8D49F351D772EA15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010493F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 01049460
CreateFileW.KERNEL32(?,010497CC,00000007,00000000,00000003,02000000,00000000,?,00000000), ref: 0104948B
GetLastError.KERNEL32(?,00000000), ref: 01049497
SetLastError.KERNEL32(00000000,?,00000000), ref: 010494B4

Strings

..\..\base\files\file_util_win.cc, xrefs: 01049438
PathHasAccess, xrefs: 0104943D

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorFileLast$AttributesCreate
String ID: ..\..\base\files\file_util_win.cc$PathHasAccess
API String ID: 1299224125-128198036
Opcode ID: 428a126b5d8f6b957cbf3e15fff38ad4efd4805672415e6265c23c65a46c2fec
Instruction ID: 3ad30b372b3c3355aaf043bd6974d20d62f9c034cd1f69321b8ec5ebfd80ab89
Opcode Fuzzy Hash: 428a126b5d8f6b957cbf3e15fff38ad4efd4805672415e6265c23c65a46c2fec
Instruction Fuzzy Hash: B22106B16043416BE7206F78CCC5B6B7794ABDA774F100738FAE5961C0EFA5A9048391

Uniqueness

Uniqueness Score: -1.00%

Function 010470E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74synchronizationthreadCOMMON

Download Yara Rule

APIs

GetThreadId.KERNEL32(000000CF,?,?,?,?,00000014,00000000,?,01063800,?,?,?,?,01044849,?,?), ref: 010470FA
GetLastError.KERNEL32 ref: 01047110
WaitForSingleObject.KERNEL32(000000CF,000000FF,?,00000000,?,?,?,?,?,?,?,?,?,?,00000014,00000000), ref: 01047185
CloseHandle.KERNEL32(000000CF,?,?,?,?,?,?,?,?,?,?,00000014,00000000,?,01063800,?), ref: 01047190

Strings

..\..\base\threading\platform_thread_win.cc, xrefs: 01047163
Join, xrefs: 01047168

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CloseErrorHandleLastObjectSingleThreadWait
String ID: ..\..\base\threading\platform_thread_win.cc$Join
API String ID: 813778123-1746769387
Opcode ID: a751ec879c6eb913eaec632ac325575d1aae4a80d634130f793bd05f92f9b36f
Instruction ID: 4acdaf913be78b75931621bcadb0eb311845957964de1b7ab64d40b36fa678c2
Opcode Fuzzy Hash: a751ec879c6eb913eaec632ac325575d1aae4a80d634130f793bd05f92f9b36f
Instruction Fuzzy Hash: 3711C3719043459BD310EF68DC45AAFB7E8AFD9724F000B2DF9E096180EB7492498B93

Uniqueness

Uniqueness Score: -1.00%

Function 0109B4BE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0109B5CD,?,01092CDC,00000000,?,?,?,0109B1AF,00000022,FlsSetValue,010C0614,FlsSetValue,?), ref: 0109B57F

Strings

ext-ms-, xrefs: 0109B529
api-ms-, xrefs: 0109B515

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 1b9485c61eb58297c697441eedd5a4c7acab4355952a4ca66350dcd7593c8385
Instruction ID: a4339ef0479d2232556734a876fa54ba3b747eaca87b131995c13865341cb106
Opcode Fuzzy Hash: 1b9485c61eb58297c697441eedd5a4c7acab4355952a4ca66350dcd7593c8385
Instruction Fuzzy Hash: C6213831A02110EBCF729A69FC50F6A37A8AB41B70F110254FDD6A7290EA34E900DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 01082055 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,010820D0,010822D8), ref: 0108206C
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 01082082
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 01082097

Strings

ReleaseSRWLockExclusive, xrefs: 0108208C
AcquireSRWLockExclusive, xrefs: 0108207C
KERNEL32.DLL, xrefs: 01082067

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 49f5fb0c7d8752a9b63435d129c60dacc2859ccabff9e1e9767f441a3f9e5bfb
Instruction ID: 29a92a1899e91f87098d68dcb24736839be735acce46e610f8fa627fd1f98328
Opcode Fuzzy Hash: 49f5fb0c7d8752a9b63435d129c60dacc2859ccabff9e1e9767f441a3f9e5bfb
Instruction Fuzzy Hash: 3FF028717492225F2BB13DAA684057A36CABB0654034202BDFDC1DB102D61BD403DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0109208F Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f1a70b5acc471c6f10bd1560ce76198d7ef98acd69d0efb7ecc7d49dcfe97c
Instruction ID: 9d6f2938861527c94f129a65f11facdfeb38299b2705d4d1ed25f978c7fe6ca5
Opcode Fuzzy Hash: e1f1a70b5acc471c6f10bd1560ce76198d7ef98acd69d0efb7ecc7d49dcfe97c
Instruction Fuzzy Hash: F5B1F170E0424ABBEF11DFADC8A0BAD7BF5BF55314F048198E9C5AB282C7719941DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010990A7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000001,0109909E,01083644,00000011), ref: 010990B5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 010990C3
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 010990DC
SetLastError.KERNEL32(00000000), ref: 0109912E

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2d8fc5906eb5ac6155cc821005b41f7309f20ce442c2fee2b5535adeec8ea674
Instruction ID: a4462dc3b923ed0893643afce40619a80079055f47a1b46f34dbcdc6c57cd6e6
Opcode Fuzzy Hash: 2d8fc5906eb5ac6155cc821005b41f7309f20ce442c2fee2b5535adeec8ea674
Instruction Fuzzy Hash: FB01DDF23092125EAF7636F97C9889A27C5EB1177EB20022EF6E4550D4EF5648016241

Uniqueness

Uniqueness Score: -1.00%

Function 010521A0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 010521C3

Strings

..\..\buildtools\third_party\libc++\trunk\include\vector, xrefs: 010522A4
%s:%d: assertion %s failed: %s, xrefs: 010522A9
vector[] index out of bounds, xrefs: 01052295
__n < size(), xrefs: 0105229A

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\vector$__n < size()$vector[] index out of bounds
API String ID: 4218353326-797005249
Opcode ID: 53e49f97bd7d82173bd39453e99e7ed6065b578fac8240dfe267dcf79f90bb0f
Instruction ID: 4d24c0c12f64be172024b91317c8bebfa3c7cdf2d7862609117a9f5f1e1b0e36
Opcode Fuzzy Hash: 53e49f97bd7d82173bd39453e99e7ed6065b578fac8240dfe267dcf79f90bb0f
Instruction Fuzzy Hash: 98319274B002069F8B54DFA8C4D18BFBBB5EF89664B10415EED599B341CB31A8418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01041640 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 010416B2

Part of subcall function 0103CF98: _strlen.LIBCMT ref: 0103CFA3

Strings

__s != nullptr, xrefs: 01041659
%s:%d: assertion %s failed: %s, xrefs: 01041668
..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 01041663
string::assign received nullptr, xrefs: 01041654

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$__s != nullptr$string::assign received nullptr
API String ID: 4218353326-1155457705
Opcode ID: 2107e9defeaa5801bd55e44f6acf53e7af211303e29a34c003b86548cc34f491
Instruction ID: 9f2b84a42b3caecb10afa4124d1fea8d3b414b9e6f71f168304ff43753b56807
Opcode Fuzzy Hash: 2107e9defeaa5801bd55e44f6acf53e7af211303e29a34c003b86548cc34f491
Instruction Fuzzy Hash: 0301F9F270030A6BBA10565EEDC0E6AB7CD9F59954B0C4076FE84AB601D670FC8086A1

Uniqueness

Uniqueness Score: -1.00%

Function 01058090 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 010580B6
__Init_thread_header.LIBCMT ref: 01058151

Part of subcall function 010816E7: EnterCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 010816F2
Part of subcall function 010816E7: LeaveCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 0108172F

Strings

FeatureList-feature-accessed-too-early, xrefs: 0105816B
..\..\base\feature_list.cc, xrefs: 01058108
Fail, xrefs: 0105810D

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_headerLeave_strlen
String ID: ..\..\base\feature_list.cc$Fail$FeatureList-feature-accessed-too-early
API String ID: 3908761850-1983271533
Opcode ID: 5c89a3422e44960e6eec2dcdb66d7ac9a4aabb099f4151246faeb7fc22a91a8c
Instruction ID: c2a2dd2c11bc2d6b7d7578e37ced205bb52f67a0fd42693fd890456cbe4a58ae
Opcode Fuzzy Hash: 5c89a3422e44960e6eec2dcdb66d7ac9a4aabb099f4151246faeb7fc22a91a8c
Instruction Fuzzy Hash: 802148B1A007029BD360EF269C8195B77E5BB85728F444A2DFCD20F280E772590487E2

Uniqueness

Uniqueness Score: -1.00%

Function 0103D4B4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0103D4C3

Strings

__s != nullptr, xrefs: 0103D4DF
%s:%d: assertion %s failed: %s, xrefs: 0103D4EE
string::append received nullptr, xrefs: 0103D4DA
..\..\buildtools\third_party\libc++\trunk\include\string, xrefs: 0103D4E9

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\buildtools\third_party\libc++\trunk\include\string$__s != nullptr$string::append received nullptr
API String ID: 4218353326-424192179
Opcode ID: 975257546627291b1b1b3fbd0cb891220ab6dddf8d3750494f7b6a942d52fbe9
Instruction ID: c199c2080a944bdb61ccc22cb24fcb226313faac79fc0268bd03a7466746f649
Opcode Fuzzy Hash: 975257546627291b1b1b3fbd0cb891220ab6dddf8d3750494f7b6a942d52fbe9
Instruction Fuzzy Hash: EFF04C2334411937961161EA5C01DFF7F9ECAD1E34B04802FF9849B242DEA0A90183F3

Uniqueness

Uniqueness Score: -1.00%

Function 01074660 Relevance: 7.8, APIs: 5, Instructions: 277COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,?,?,01073F80,?,?), ref: 01074687
TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 010748F1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000000,?,?,?,01073F80,?,?), ref: 0107493B
TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 0107496D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 01074986

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: 6e757f7886178ddb2a1cc85c597693eb48c3e3995d3f934d9e3d9b5b6641a5e3
Instruction ID: 30f60a6f2c30dc1d012d3365a76e107fa203f473161df5c6dba21e16487525a6
Opcode Fuzzy Hash: 6e757f7886178ddb2a1cc85c597693eb48c3e3995d3f934d9e3d9b5b6641a5e3
Instruction Fuzzy Hash: 9EB1C274E003099FEB15DFA8C880BEEB7F5BF49304F184468DA96A7382D775A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0106B6B0 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0106B815
__floor_pentium4.LIBCMT ref: 0106B8AF
__floor_pentium4.LIBCMT ref: 0106B8DD
TryAcquireSRWLockExclusive.KERNEL32 ref: 0106B93B
ReleaseSRWLockExclusive.KERNEL32 ref: 0106B970

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: __floor_pentium4$ExclusiveLock$AcquireRelease
String ID:
API String ID: 2497314063-0
Opcode ID: 9f23d5beb6a6c7063ef548c8f40dd3533ccb389de97a98c2663f5a5c1705873c
Instruction ID: eff638d521b8f1f2f4e0c91cd79d50c7c8e862ff527a66c55d06ca0fe54ae621
Opcode Fuzzy Hash: 9f23d5beb6a6c7063ef548c8f40dd3533ccb389de97a98c2663f5a5c1705873c
Instruction Fuzzy Hash: 8B81A271A08B05CFC712DF38D49029AB7E5BF96780F458B2DE8C5A7251EB35D885CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01079150 Relevance: 7.6, APIs: 5, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(010F2EA0,01079130,01079290,00000000), ref: 01079187
TlsGetValue.KERNEL32 ref: 010791A8
AcquireSRWLockExclusive.KERNEL32(010F2EAC), ref: 010791BD
ReleaseSRWLockExclusive.KERNEL32(010F2EAC), ref: 010791EC
TlsAlloc.KERNEL32 ref: 01079293

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLockOnce$AcquireAllocExecuteInitReleaseValue
String ID:
API String ID: 655554649-0
Opcode ID: 1929cce0b3e067cd775bd423ce8ad85f0a34821149d8e995e7f601cc72d548ef
Instruction ID: 49b4a5a1ca4f74f4b2bd0e0e105b474d82ba4897b2e173a2270a693a267cc381
Opcode Fuzzy Hash: 1929cce0b3e067cd775bd423ce8ad85f0a34821149d8e995e7f601cc72d548ef
Instruction Fuzzy Hash: AC31A275A012089FDB24EFA4E886A7E77B4BF44720B24002CED8697644DB3AE801CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0108175D Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(010E3D70,FFFFFF00,?,01024420,010E4BA0,?,010245A3), ref: 01081767
LeaveCriticalSection.KERNEL32(010E3D70,?,01024420,010E4BA0,?,010245A3), ref: 0108179A
WakeAllConditionVariable.KERNEL32(?,010E4BA0,?,010245A3), ref: 0108180D
SetEvent.KERNEL32(?,010E4BA0,?,010245A3), ref: 01081817
ResetEvent.KERNEL32(?,010E4BA0,?,010245A3), ref: 01081823

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 4e292e809b1765696a3aa9e10ff4bd8e6862156988a5eb888669a2cc52364ff2
Instruction ID: cb0ed9a33d240fba81149ac463547d68b3c077646aa177274766c08262789869
Opcode Fuzzy Hash: 4e292e809b1765696a3aa9e10ff4bd8e6862156988a5eb888669a2cc52364ff2
Instruction Fuzzy Hash: B4016D31609114DFC735BF19F848A987FF5FB09B10B01406AF8818B308CB7B6801CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01067530 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 0106764A
___from_strstr_to_strchr.LIBCMT ref: 01067674

Strings

GCTL, xrefs: 01067595

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ___from_strstr_to_strchr_strncpy
String ID: GCTL
API String ID: 19282097-4108720618
Opcode ID: f2fcb3430d8727d2b9e869f9bf451cbdbb6da1b45260087240d2daf793d10225
Instruction ID: 91f49a0d0f30120130f9d32ba203b999ae6db30e8e74121f9d38fd5712994577
Opcode Fuzzy Hash: f2fcb3430d8727d2b9e869f9bf451cbdbb6da1b45260087240d2daf793d10225
Instruction Fuzzy Hash: 3151B771D103598BCF15CF98C8806ADB7B8FF49318F14456AE985AB344E770AD44C790

Uniqueness

Uniqueness Score: -1.00%

Function 0107A6B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 0107A6DA

Part of subcall function 01047600: AcquireSRWLockExclusive.KERNEL32(00000000,?,01065318), ref: 01047604

ReleaseSRWLockExclusive.KERNEL32(?,?,?,0107B550,0107B7B0), ref: 0107A865

Strings

..\..\base\task\thread_pool\sequence.cc, xrefs: 0107A7F7
Clear, xrefs: 0107A7FC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\task\thread_pool\sequence.cc$Clear
API String ID: 1678258262-2777391792
Opcode ID: f51adb64d40190df19a671a1ab2b46cfe5023d808ea178b11b7f081300ff5bcd
Instruction ID: 614897a39bc2a4c167627263b3e795a0f96106fab4b73842972a26f8bd1ea816
Opcode Fuzzy Hash: f51adb64d40190df19a671a1ab2b46cfe5023d808ea178b11b7f081300ff5bcd
Instruction Fuzzy Hash: 36517BB0A04702AFD781DF29C49475ABBF0BF88704F44492DE9898B641D775E825CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 01070200 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,0105139F), ref: 01070273
ReleaseSRWLockExclusive.KERNEL32(?,FFFFFFFF,?,?), ref: 01070368

Strings

..\..\base\metrics\statistics_recorder.cc, xrefs: 01070333
FindAndRunHistogramCallbacks, xrefs: 01070338

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: ..\..\base\metrics\statistics_recorder.cc$FindAndRunHistogramCallbacks
API String ID: 17069307-3431145642
Opcode ID: e7f935f38f5dc079c1bc680dc28ba139fa58251b1341e10b26b8bc876dc4dc8a
Instruction ID: 9d1b78b01b9d3088527619abe8643a0e32bb465d64b66f2f84c2a91f1ea08f8c
Opcode Fuzzy Hash: e7f935f38f5dc079c1bc680dc28ba139fa58251b1341e10b26b8bc876dc4dc8a
Instruction Fuzzy Hash: DE31E571E00301ABEB11EE55E842A9F379DEBA9714F14051CFAC61B2C5D761E90487A6

Uniqueness

Uniqueness Score: -1.00%

Function 01046690 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000001,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 0104672D
ExpandEnvironmentStringsW.KERNEL32(?,?,00000400,?,?,?,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 01046787

Strings

ReadValue, xrefs: 010466F3
..\..\base\win\registry.cc, xrefs: 010466EE

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: EnvironmentExpandQueryStringsValue
String ID: ..\..\base\win\registry.cc$ReadValue
API String ID: 1756134249-2708835790
Opcode ID: 1a487cae38fac3f3be61b65cd28dc4e0eac309fb36f40700918e2a55ac7f2033
Instruction ID: 5be266113c826fb7fdc61ce0fa29b9637b77cb78d0df08659048666f63a69f3b
Opcode Fuzzy Hash: 1a487cae38fac3f3be61b65cd28dc4e0eac309fb36f40700918e2a55ac7f2033
Instruction Fuzzy Hash: 9C31F671A4025977DB30EA64CC81FDA77ACBF54310F0044B5F5D9AB180EAB59AC59F90

Uniqueness

Uniqueness Score: -1.00%

Function 0104B350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll), ref: 0104B379
GetProcAddress.KERNEL32(00000000,RtlGetDeviceFamilyInfoEnum), ref: 0104B385

Strings

RtlGetDeviceFamilyInfoEnum, xrefs: 0104B37F
ntdll.dll, xrefs: 0104B374

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetDeviceFamilyInfoEnum$ntdll.dll
API String ID: 1646373207-1730918567
Opcode ID: 45b2ff59574189aa0deabe8b65e50eaaa4e7985f77347b368ca7552a8cb7fcda
Instruction ID: 937e7d4da1d8993d257e1ed23e14d51d17dfbde0a4e616fdb31bbbd797c7072b
Opcode Fuzzy Hash: 45b2ff59574189aa0deabe8b65e50eaaa4e7985f77347b368ca7552a8cb7fcda
Instruction Fuzzy Hash: 8F21D576E042189FC7109BB5D888B5D7BB4AF0A721F0585F5ED9AEF3A0D635DC408B81

Uniqueness

Uniqueness Score: -1.00%

Function 01049310 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 010493B7

Strings

msedge.exe, xrefs: 01049313
..\..\base\files\file_util_win.cc, xrefs: 01049357
PathExists, xrefs: 0104935C

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AttributesFile
String ID: ..\..\base\files\file_util_win.cc$PathExists$msedge.exe
API String ID: 3188754299-3206840752
Opcode ID: 8f02e10f34b801a6cd978f75f1fe2abe21ef325c497f1bbad767d234b5dcd227
Instruction ID: 3c94b069873dd006e1fdd33c9e09e593292cca3c3070280d95d323f1e0ae6de4
Opcode Fuzzy Hash: 8f02e10f34b801a6cd978f75f1fe2abe21ef325c497f1bbad767d234b5dcd227
Instruction Fuzzy Hash: 851108B19187C16BD7209B248C8576FB7A4AFDA774F100B2DF8E0562C0EBA19544C382

Uniqueness

Uniqueness Score: -1.00%

Function 01046530 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,80000002,00000000,01045984,?,?,?,01045984), ref: 01046585
RegCloseKey.ADVAPI32(?), ref: 0104659C

Strings

..\..\base\win\registry.cc, xrefs: 01046558
Open, xrefs: 0104655D

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CloseOpen
String ID: ..\..\base\win\registry.cc$Open
API String ID: 47109696-830328924
Opcode ID: b899d38b5dbf68d67e05555f6f447527614bef558f2c164571c05b0ee57704c6
Instruction ID: 1eb3cf593787d7a47cba5acb986828223996dd8e30390534d860b4d733af9a5b
Opcode Fuzzy Hash: b899d38b5dbf68d67e05555f6f447527614bef558f2c164571c05b0ee57704c6
Instruction Fuzzy Hash: 2C11A371A01309ABDB10DF99CC54EDF7BB8EF59760F454428F895A7240DB35AA01CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 01023950 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01023958
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 01023964

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0102395E
kernel32.dll, xrefs: 01023953

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 1646373207-706389432
Opcode ID: 7425f19b5b0cee08ba1014f5675c313a486518104560b745b077110b34947bbc
Instruction ID: b9be44b16b41ca7f77a6b9878ee72179049dec13d4075d9f48d1be1d1d87efc6
Opcode Fuzzy Hash: 7425f19b5b0cee08ba1014f5675c313a486518104560b745b077110b34947bbc
Instruction Fuzzy Hash: C9D01270A4930D6B86206FE7EC0AF197BECB60AD54701005CFDC9CA108EAAAD0008F56

Uniqueness

Uniqueness Score: -1.00%

Function 01067800 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,010679E4), ref: 01067808
GetProcAddress.KERNEL32(00000000,PrefetchVirtualMemory), ref: 01067814

Strings

kernel32.dll, xrefs: 01067803
PrefetchVirtualMemory, xrefs: 0106780E

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: PrefetchVirtualMemory$kernel32.dll
API String ID: 1646373207-4069913949
Opcode ID: 71685c1c695825014cf86f0f8b145d4aa4c938d6c145e81b09704d8aa29d2ab1
Instruction ID: a16fb3b0342f4dc4f3962a020bd156d34f58abf340e15ba58b3d13f856da8256
Opcode Fuzzy Hash: 71685c1c695825014cf86f0f8b145d4aa4c938d6c145e81b09704d8aa29d2ab1
Instruction Fuzzy Hash: 2FB0927118130CB7861036E3BC0FC063A2CF516A127854119F9898A809AEBA90004762

Uniqueness

Uniqueness Score: -1.00%

Function 0109963F Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 01099706
___AdjustPointer.LIBCMT ref: 01099729
___AdjustPointer.LIBCMT ref: 010997C5

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0b2cbd0573c87ab04b65605b1344a533e37fd1fa47dc718a08f8380bffb31d1b
Instruction ID: b474def4a535da04edef7e91d5f16d33ed432846284d7fe429ff79c886c59010
Opcode Fuzzy Hash: 0b2cbd0573c87ab04b65605b1344a533e37fd1fa47dc718a08f8380bffb31d1b
Instruction Fuzzy Hash: B8510771505202AFEF259F58D860BBEB7E8FF44318F14455DE9C657290EB31E841EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0107F6A0 Relevance: 6.1, APIs: 4, Instructions: 147COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF), ref: 0107F6C9

Part of subcall function 010814D0: TlsSetValue.KERNEL32(FFFFFFFF,0107F70B,?,0107F70B,FFFFFFFF,?), ref: 010814D9

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0107F75E
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0107F789

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLockValue$AcquireRelease
String ID:
API String ID: 541261624-0
Opcode ID: 4dd4a12aade8639370d6313f6d65159953cf026e637b8ddb1f75f6f2a231839c
Instruction ID: 18a8e89eeb5bb56296bd6403b59402ecc80770663e320df5031d9933d7c306ef
Opcode Fuzzy Hash: 4dd4a12aade8639370d6313f6d65159953cf026e637b8ddb1f75f6f2a231839c
Instruction Fuzzy Hash: 3C518B71E003064BDB60BF58EC44BE973E5BF04310F1404B8DAE99B282EB765A45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0106F790 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0106F7F0
_strlen.LIBCMT ref: 0106F878
ReleaseSRWLockExclusive.KERNEL32(010D9098,?,?,010D9098,?,?), ref: 0106F8B7
ReleaseSRWLockExclusive.KERNEL32(010D9098,?,?,?,?,?,010D9098,?,?), ref: 0106F91F

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire_strlen
String ID:
API String ID: 175025429-0
Opcode ID: 11d44f127ad6fc6791bb27cec391ffe5dbe010e7a430479816c87bfc7e5f5e69
Instruction ID: 29e8a62702a52a1d5f34120262ca2906c02181c60603b0023ff44f971516a007
Opcode Fuzzy Hash: 11d44f127ad6fc6791bb27cec391ffe5dbe010e7a430479816c87bfc7e5f5e69
Instruction Fuzzy Hash: 79410C71E002169FDB11EF94E891EEE77BDBF58704F14006DEAC26B281DB669D0487A1

Uniqueness

Uniqueness Score: -1.00%

Function 01091358 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c600a48a09b37cf55b938c4735cfda20681c61bf7b6695a65d7da3aba75171c
Instruction ID: b951c80ccf129f6fe002e3e4959240446056efa94efe5ed0c6f1983f90c99a19
Opcode Fuzzy Hash: 9c600a48a09b37cf55b938c4735cfda20681c61bf7b6695a65d7da3aba75171c
Instruction Fuzzy Hash: 6821AC71704207BF9F21AF69C8A08AA77ADAF15278700C569F9E59B541EB31EC40A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 010A10B6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 010A10BE

Part of subcall function 010A0FBA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0109A874,?,00000000,-00000008), ref: 010A101B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 010A10F6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 010A1116

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: f28911b75d6dcf3931f0b38eae7c7c00c901ca81375452cdfe8bc423410e99cc
Instruction ID: 5994b9f334ae6f7c1d45098b1faa1aa91e94296ec69422d20aa08c02fd9664ba
Opcode Fuzzy Hash: f28911b75d6dcf3931f0b38eae7c7c00c901ca81375452cdfe8bc423410e99cc
Instruction Fuzzy Hash: F711C8F160151FBF672127F55CC8CBF7A9DED85195B400125F98292100EE34ED0046B5

Uniqueness

Uniqueness Score: -1.00%

Function 01051490 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(010E5A94,?,?,?,0106EC04,00000001), ref: 010514E7
ReleaseSRWLockExclusive.KERNEL32(010E5A94,?,0106EC04,0106EC04,?,?,?,0106EC04,00000001), ref: 0105151E
__Init_thread_header.LIBCMT ref: 0105153B
__Init_thread_header.LIBCMT ref: 01051585

Part of subcall function 010816E7: EnterCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 010816F2
Part of subcall function 010816E7: LeaveCriticalSection.KERNEL32(010E3D70,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000,00000000), ref: 0108172F

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CriticalExclusiveInit_thread_headerLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 35131462-0
Opcode ID: a31a6a7f6a34e9e5111a2aad645f2cf5eaf712a9217c62dc87c3afbbe8b76215
Instruction ID: 374e281bc1ecfdeaf42b60eb89755f19a1a0c9dc3cfb3af316ef94f4f706a090
Opcode Fuzzy Hash: a31a6a7f6a34e9e5111a2aad645f2cf5eaf712a9217c62dc87c3afbbe8b76215
Instruction Fuzzy Hash: D921BF78A003129FC720EF5AFCC9B9A37E1BF8561CF080968D8C64F240DB36A8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 01044810 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,?,?,?,01044B8B,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 01044823
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,01044B8B,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 01044838
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,01044B8B,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 0104484A
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,01044B8B,00000000,?,%s:%d: assertion %s failed: %s,..\..\buildtools\third_party\libc++\trunk\include\__tree,000000CF,__x != nullptr,node shouldn't be null), ref: 01044889

Part of subcall function 01047600: AcquireSRWLockExclusive.KERNEL32(00000000,?,01065318), ref: 01047604

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID:
API String ID: 1678258262-0
Opcode ID: 51da32985967827353ae2c15cb4cda92e9b8d10e12ec236556a442f807b1a4a4
Instruction ID: 0a1e6d2ad3c9d5b4c4d56c768ede6359c357505d3acc69290a7048c2f945abb9
Opcode Fuzzy Hash: 51da32985967827353ae2c15cb4cda92e9b8d10e12ec236556a442f807b1a4a4
Instruction Fuzzy Hash: D4216D742003419FEB24AF64E8C8BBE7BB9BF99604F04056CE98687241DB76A805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 01091268 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,04C48300,04F39DE8,00000000,01094DB3,00000000,?,01091105,01094DB3,01094DB3,?,?,?,010492CA,?,00000001), ref: 0109127E
GetLastError.KERNEL32(?,01091105,01094DB3,01094DB3,?,?,?,010492CA,?,00000001,00000000,00000000,?,01094DB3,?,010492CA), ref: 01091288
__dosmaperr.LIBCMT ref: 0109128F
GetFullPathNameW.KERNEL32(?,04C48300,04F39DE8,00000000,04C48301,?,01091105,01094DB3,01094DB3,?,?,?,010492CA,?,00000001,00000000), ref: 010912B9

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: e596a8433791f4ee0bb1994449bac4515331cb068b379eb8464ab71bd29d2584
Instruction ID: 51bae2ecf26db16cc796fdb93c79c0ee3681bf5dcf85ed3bb682f1797760a4e8
Opcode Fuzzy Hash: e596a8433791f4ee0bb1994449bac4515331cb068b379eb8464ab71bd29d2584
Instruction Fuzzy Hash: B4F03176300306AFDF316FA9D814E5B7BE9EF4567071089A9F6D5C2150DF32E820A750

Uniqueness

Uniqueness Score: -1.00%

Function 010912CE Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,04C48300,04F39DE8,00000000,01094DB3,00000000,?,01091177,01094DB3,?,?,?,010492CA,?,00000001,00000000), ref: 010912E4
GetLastError.KERNEL32(?,01091177,01094DB3,?,?,?,010492CA,?,00000001,00000000,00000000,?,01094DB3,?,010492CA,?), ref: 010912EE
__dosmaperr.LIBCMT ref: 010912F5
GetFullPathNameW.KERNEL32(?,04C48300,04F39DE8,00000000,04C48301,?,01091177,01094DB3,?,?,?,010492CA,?,00000001,00000000,00000000), ref: 0109131F

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 90e4d6648fc292c6adda60bc9c4e5eb636eca80de76eef2c0520991c5c898f50
Instruction ID: 0e57736f2a789c9ae85077acfde8ab3c1f232b62a9d504740082c5e8eef6d573
Opcode Fuzzy Hash: 90e4d6648fc292c6adda60bc9c4e5eb636eca80de76eef2c0520991c5c898f50
Instruction Fuzzy Hash: D8F03136300206AFDF316FA9D814E577BE9EF44670710C869F595C6414DB32E810E750

Uniqueness

Uniqueness Score: -1.00%

Function 010AA80A Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,010A30B7,00000000,00000001,?,?,?,0109558B,?,00000000,00000000), ref: 010AA821
GetLastError.KERNEL32(?,010A30B7,00000000,00000001,?,?,?,0109558B,?,00000000,00000000,?,?,?,01094ED1,?), ref: 010AA82D

Part of subcall function 010AA880: CloseHandle.KERNEL32(FFFFFFFE,010AA83D,?,010A30B7,00000000,00000001,?,?,?,0109558B,?,00000000,00000000,?,?), ref: 010AA890

___initconout.LIBCMT ref: 010AA83D

Part of subcall function 010AA85F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,010AA7FB,010A30A4,?,?,0109558B,?,00000000,00000000,?), ref: 010AA872

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,010A30B7,00000000,00000001,?,?,?,0109558B,?,00000000,00000000,?), ref: 010AA852

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2d2e2eee5381d6256d07bd61bdee65133f5109e4a2eea6617f30a06fdfafdd00
Instruction ID: 3dd9568901a43fc0fcfe5807ec1c0e9f386c6ee4257bd7599d32a17d6c1ad37f
Opcode Fuzzy Hash: 2d2e2eee5381d6256d07bd61bdee65133f5109e4a2eea6617f30a06fdfafdd00
Instruction Fuzzy Hash: A0F01C36601119BBCF622FD5DC089993FA6FB097A0F454114FF8986164CA768820EB90

Uniqueness

Uniqueness Score: -1.00%

Function 010817A7 Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0108170C,00000064), ref: 010817CA
LeaveCriticalSection.KERNEL32(010E3D70,?,?,0108170C,00000064,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7), ref: 010817D4
WaitForSingleObjectEx.KERNEL32(?,00000000,?,0108170C,00000064,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7), ref: 010817E5
EnterCriticalSection.KERNEL32(010E3D70,?,0108170C,00000064,?,?,?,01065379,010F0438,00000000,?,?,?,?,010650F7,00000000), ref: 010817EC

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 1615acf4414aee1fb83f92749f35756d826fd47257180a11d7c7e92291b8c20b
Instruction ID: d269dadb5ea9126d6f64ca6d36f1973b53249eb6495d39142b425934b5d4ae4d
Opcode Fuzzy Hash: 1615acf4414aee1fb83f92749f35756d826fd47257180a11d7c7e92291b8c20b
Instruction Fuzzy Hash: 2CE09232509128BFC6313B5AFC09A9E3FB4BF05A51B050055F9C95F1148B7768518BD5

Uniqueness

Uniqueness Score: -1.00%

Function 010401C0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

tracing/main_trace_log, xrefs: 0104066D

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID:
String ID: tracing/main_trace_log
API String ID: 0-566173763
Opcode ID: 2317a6d8ea30fa2422c2506904a4cf555132308c98f17db433aacf5bd7b9e631
Instruction ID: 60f864908943474db37fb1079821021204e8d01eb1709b0860e98df5a28a6181
Opcode Fuzzy Hash: 2317a6d8ea30fa2422c2506904a4cf555132308c98f17db433aacf5bd7b9e631
Instruction Fuzzy Hash: DCD1F5F1E007129BEB20AB24D884BEEB7A4BF94214F190668EEC567344DB31F951CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0109E927 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 0109A90A: GetLastError.KERNEL32(?,?,0108922D,?,?,?,?,01092CDC,?,?,?,?), ref: 0109A90E
Part of subcall function 0109A90A: SetLastError.KERNEL32(00000000,?,?), ref: 0109A9B0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0108EA7C,?,?,?,00000055,?,-00000050,?,?,?), ref: 0109E9E6
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0108EA7C,?,?,?,00000055,?,-00000050,?,?), ref: 0109EA1D

Strings

utf8, xrefs: 0109EAEF

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 796b5c249f9cf3c9b19465507cffd5dc83ba66e0d728adfb3c1db4d08b595203
Instruction ID: 24a3f6ac5dacab0d7b78e4178f025dc541460048c98b1dbc6a5eff9f9fbc3bd0
Opcode Fuzzy Hash: 796b5c249f9cf3c9b19465507cffd5dc83ba66e0d728adfb3c1db4d08b595203
Instruction Fuzzy Hash: 8D511831604302AAEF65EB79CC65BBB77E8FF15710F040499E6C6DB181E670ED40E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0105C430 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 0105C456
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0105C549

Part of subcall function 0105C5A0: TryAcquireSRWLockExclusive.KERNEL32(010F3EE0,00000000,FBE85001,0000000A,0CFC9968,0105F533,010814B2), ref: 0105C5BC
Part of subcall function 0105C5A0: AcquireSRWLockExclusive.KERNEL32(010F3EE0), ref: 0105C5ED

Strings

first, xrefs: 0105C577

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: first
API String ID: 1678258262-2456940119
Opcode ID: 427d370ea21e2046e262e3eab24d6cd04031b9c9c232587aca48cc55cf0a18d1
Instruction ID: 464e93e462839141891708a559a487fceb370fcd292fe4d1019ad9cf5a6335a9
Opcode Fuzzy Hash: 427d370ea21e2046e262e3eab24d6cd04031b9c9c232587aca48cc55cf0a18d1
Instruction Fuzzy Hash: A8312B316003028FE390DF6DC844BA7B7E9AFD8364F1885B8EDD98B255EB759582CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01067820 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01067988
__Init_thread_header.LIBCMT ref: 010679CA

Strings

$di, xrefs: 010678B0

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: CurrentInit_thread_headerProcess
String ID: $di
API String ID: 3343153627-4126818417
Opcode ID: 3cd99be69eb0ae4175c3f029636e226e85413a47ad36e62921e0d9792a3b8ff4
Instruction ID: 5a197985165b97699545c0592470c06598e6c7cf1dcbc80617b47a75df297547
Opcode Fuzzy Hash: 3cd99be69eb0ae4175c3f029636e226e85413a47ad36e62921e0d9792a3b8ff4
Instruction Fuzzy Hash: F341A172D103898AEB20CF58DC41BF877B5ABD9314F10829DE9D826242DBB91A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010995A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0109981F

Strings

csm, xrefs: 01099841
csm, xrefs: 010998B2

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 9d991c2dfcd8aeca9219230f21bc7af241cf4e0f13784f36a1b704eb0e0ae589
Instruction ID: 216d4a4fa7e4c6a84007362afbe5daa2305176cbbaa8ebd9f5ee8919d68f84af
Opcode Fuzzy Hash: 9d991c2dfcd8aeca9219230f21bc7af241cf4e0f13784f36a1b704eb0e0ae589
Instruction Fuzzy Hash: 8B31B23250421ADBDF368F99C8549AB7BA5FF0831DB08459EF9D44D222C333D9A1EB91

Uniqueness

Uniqueness Score: -1.00%

Function 010465D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000004,00000000,?,?,?,00000001), ref: 0104663C

Strings

ReadValue, xrefs: 0104660E
..\..\base\win\registry.cc, xrefs: 01046609

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: QueryValue
String ID: ..\..\base\win\registry.cc$ReadValue
API String ID: 3660427363-2708835790
Opcode ID: b270a900ec623eda6365b45993311b3a2ad0f181d65a0363fb467117c7a267f7
Instruction ID: 597c60f329b99d8286d35b412c275f43cb490d687f72f7ee4e92c09449cbb419
Opcode Fuzzy Hash: b270a900ec623eda6365b45993311b3a2ad0f181d65a0363fb467117c7a267f7
Instruction Fuzzy Hash: D911A2B1E00219ABDF11DF98CC90EEFB7B8EB49768F004229F9517B280D7715904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010783E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

EventUnregister.ADVAPI32(?,?), ref: 01078405

Strings

Provider unregistration failure, xrefs: 0107843D
..\..\base\trace_event\trace_logging_minimal_win.cc, xrefs: 0107842B

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: EventUnregister
String ID: ..\..\base\trace_event\trace_logging_minimal_win.cc$Provider unregistration failure
API String ID: 1359036815-2616656650
Opcode ID: 9aa9d7f8a0e71a86cd70a4548a7b2a03277efabbb92efca1ee7dbbadb747e918
Instruction ID: 6d0aa12757a99856edfcb23704c655d98a48cb90195c5e419409d82586377b4f
Opcode Fuzzy Hash: 9aa9d7f8a0e71a86cd70a4548a7b2a03277efabbb92efca1ee7dbbadb747e918
Instruction Fuzzy Hash: 72115B70F003042BDB709F65D809BEB73E5ABD5300F00846DE9C59B385EEB59905C791

Uniqueness

Uniqueness Score: -1.00%

Function 01081600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,010F3EE8,0105F56F,01081547,0105F567,00000008), ref: 01081622
SystemFunction036.ADVAPI32(5004C483,0BE85756), ref: 01081635

Strings

advapi32.dll, xrefs: 0108161D

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: Function036LibraryLoadSystem
String ID: advapi32.dll
API String ID: 2636843464-4050573280
Opcode ID: a500d8d8191cf91b5a430c70c2f6986af720f167cd50e2d5f2d94df31f318f70
Instruction ID: 4edc389a7057cbca582f0098dc9e797f85e079489fb5e4d1256262b017456ed7
Opcode Fuzzy Hash: a500d8d8191cf91b5a430c70c2f6986af720f167cd50e2d5f2d94df31f318f70
Instruction Fuzzy Hash: 11E0D831905318BEDB322A189901B953B856F15B64F190150AEE46E68497B19462C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 010650B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010650BE
GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 010650CA

Strings

GetHandleVerifier, xrefs: 010650C4

Memory Dump Source

Source File: 00000003.00000002.621920951.0000000000FE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true

Associated: 00000003.00000002.621907280.0000000000FE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010B5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622502489.00000000010E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.622508451.00000000010E1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623305563.00000000010F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.623389712.00000000010F6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_fe0000_identity_helper.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: 53cf9f07905d4877858f1e516f8e06bfa95782916a43de3eb45c0f3122bc3217
Instruction ID: 4039958bd49c5dfe3b8a8806ec9789a048441047ea9be8b28da57a52df94fcce
Opcode Fuzzy Hash: 53cf9f07905d4877858f1e516f8e06bfa95782916a43de3eb45c0f3122bc3217
Instruction Fuzzy Hash: 72D05E3028530AA7F67076A5AC1AF25339C7714B86F801048FACA99489CFA9E0008792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: identity_helper.exePID: 5956, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	46
Total number of Limit Nodes:	4

Executed Functions

Function 07367220 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627472421.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab64c9b23b41318ae456eb59563dc5929c9c49555da3eb6bd615f1b9ad5c725
Instruction ID: 2c58336213c41909f0ce482c66eb3169b6f0d087d03513e1f62b266688856005
Opcode Fuzzy Hash: 6ab64c9b23b41318ae456eb59563dc5929c9c49555da3eb6bd615f1b9ad5c725
Instruction Fuzzy Hash: EB41FB74E01208DFDB04DFA9D8856DEFBB2FF88314F10846AD818A7355DB319942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07368E75 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 07368ED8
GetCurrentThread.KERNEL32 ref: 07368F15
GetCurrentProcess.KERNEL32 ref: 07368F52
GetCurrentThreadId.KERNEL32 ref: 07368FAB

Memory Dump Source

Source File: 00000004.00000002.627472421.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_identity_helper.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c531e3ab91dbe5126c60c3d22fc7370efcc687214b4dce3c05cca90d5bc647c0
Instruction ID: 0866da5d0b85ee4972ff59720519bba741335fdee55d0bd9fb320acc55d0e8b8
Opcode Fuzzy Hash: c531e3ab91dbe5126c60c3d22fc7370efcc687214b4dce3c05cca90d5bc647c0
Instruction Fuzzy Hash: 1C5155B89002498FEB14CFAAD9487DEBBF1AF88304F20C859E449A7351D7795885CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07368E78 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 07368ED8
GetCurrentThread.KERNEL32 ref: 07368F15
GetCurrentProcess.KERNEL32 ref: 07368F52
GetCurrentThreadId.KERNEL32 ref: 07368FAB

Memory Dump Source

Source File: 00000004.00000002.627472421.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_identity_helper.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bc9e7ca123f7d9078f6e350d0118fadb464386e6854768427874d8d5a260981d
Instruction ID: 6d877b3241f73927f747debc7cf2914ede8bf4a5f29fe034a666ce4a7424d237
Opcode Fuzzy Hash: bc9e7ca123f7d9078f6e350d0118fadb464386e6854768427874d8d5a260981d
Instruction Fuzzy Hash: 8C5164B89002498FEB14CFAAD9487DEBBF5FB88304F20C859E449A7351D7795884CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07369098 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0736916B

Memory Dump Source

Source File: 00000004.00000002.627472421.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_identity_helper.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a76a3fe548968550d3c162d512dd35ea43a2ddb3fa82cc842c37fd56231a164b
Instruction ID: bde51f74b2b1855fa431de4bab4b9aa2a69288c01942469009d35dd634018d7e
Opcode Fuzzy Hash: a76a3fe548968550d3c162d512dd35ea43a2ddb3fa82cc842c37fd56231a164b
Instruction Fuzzy Hash: FE4176B9D002599FCF00CFA9D984ADEBBF5BB19314F24906AE818BB310D335A955CF94

Uniqueness

Uniqueness Score: -1.00%

Function 073690A0 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0736916B

Memory Dump Source

Source File: 00000004.00000002.627472421.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_identity_helper.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a8857f2339babe0435548d09b343dff890bf9f522c086ddc2ac4322e7d194f8d
Instruction ID: 870856298c407e3b9090e4b407e4483bd49a68a913b893a441a778b51b13605f
Opcode Fuzzy Hash: a8857f2339babe0435548d09b343dff890bf9f522c086ddc2ac4322e7d194f8d
Instruction Fuzzy Hash: F44166B9D002589FCF00CFA9D984ADEBBF5BB09310F24906AE818BB310D335A955CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0736D118 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0736D18D

Memory Dump Source

Source File: 00000004.00000002.627472421.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7360000_identity_helper.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a8891c72cf36af8454a7b85b38c72414f626d18b9e93cabfcdcf37092c2310a7
Instruction ID: 7ac9817ecc28cee519e6ad8f48dc21a9f3e214a7adcd6d064355adcb08e6f867
Opcode Fuzzy Hash: a8891c72cf36af8454a7b85b38c72414f626d18b9e93cabfcdcf37092c2310a7
Instruction Fuzzy Hash: C721D5B59103898FDB10CFA9C4057EEBFF4EB09314F148459D898A7242D778A509CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 051CD508 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623579264.00000000051CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51cd000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc4293ded5816f7a70578939b19c5cbb76c27d42b7c6d63f842b4d859c30a55
Instruction ID: f546fab44a55123562e9b9aceec884fbded2a4037fc0849e94d47bbedaa6e02e
Opcode Fuzzy Hash: 7fc4293ded5816f7a70578939b19c5cbb76c27d42b7c6d63f842b4d859c30a55
Instruction Fuzzy Hash: A221A1755042849FDB15DF18E9C0B26BF76FBA8318F2485BDE8054A246C337D856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 051DD0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623639665.00000000051DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51dd000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe8a75387b63692c47d30453f1c6944c66afb726783b41a2f92cc30458ab90b
Instruction ID: 16da44894b5957573e9c67065576252ab6dfafabcdcccd31f8617034f4520c8c
Opcode Fuzzy Hash: 8fe8a75387b63692c47d30453f1c6944c66afb726783b41a2f92cc30458ab90b
Instruction Fuzzy Hash: CF21B075604244EFDB15DF28E9C0B26FBA6FB84314F24C669D8094B256C33AD846CB72

Uniqueness

Uniqueness Score: -1.00%

Function 051DD01C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623639665.00000000051DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51dd000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf83f67a05e27a0230c4f4d02de6bb97634e20e5f4f3b314f702678066e7fa8
Instruction ID: 2c4d3c813ac168d61803b25a0b74bf3b93317a8e505821ae3aac6603eb5ac89c
Opcode Fuzzy Hash: 7bf83f67a05e27a0230c4f4d02de6bb97634e20e5f4f3b314f702678066e7fa8
Instruction Fuzzy Hash: 1911E6B15443849FDB25DF28E9C4F26FBA6FBC4314F648A6DD4494B241C33AD446C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 051CD503 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623579264.00000000051CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51cd000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f03eb94b942ea62260076c27dc01dd3b7ee397cc21a262978773600340dc3
Instruction ID: 0a0d6897a562e261c462023eb26ce9fd852c2991456b504d372e532611ddc139
Opcode Fuzzy Hash: 3d9f03eb94b942ea62260076c27dc01dd3b7ee397cc21a262978773600340dc3
Instruction Fuzzy Hash: 8511D376504280DFCB12CF14D9C4B26BF72FB94324F24C6ADD8494B656C33AD456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 051C3006 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623546156.00000000051C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51c3000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfe6a19c42a1350d980cecc1f201fe3aaa31520430af9510adc3fcfef10d6cb
Instruction ID: 68e188a479adc95129a7c2cdaa1984720fdee945c494edec163deb5f74ed7af4
Opcode Fuzzy Hash: ecfe6a19c42a1350d980cecc1f201fe3aaa31520430af9510adc3fcfef10d6cb
Instruction Fuzzy Hash: 05116D761487C09FD712CF15C880B62BFB4EB56614F1988DED9888F692C32D9845CB72

Uniqueness

Uniqueness Score: -1.00%

Function 051C301C Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623546156.00000000051C3000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51c3000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a93a179a7349813d1ce5bde43a9497d3e2d4ce3cebddebb0392afd0d241834
Instruction ID: ece1b870919deefba8e475fa692cd81afe32b03efef87ea37e1c2e21ee3f229a
Opcode Fuzzy Hash: c8a93a179a7349813d1ce5bde43a9497d3e2d4ce3cebddebb0392afd0d241834
Instruction Fuzzy Hash: 0411C676104684DFE724CF5AC880B66FFA9FB64724F14C89EE9495B601C33EA854CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051DD0D7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623639665.00000000051DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51dd000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88321ddf0ee8d9f18d4ea175bda8c6f0353f81c8d6f2df9b97beb9f48423345
Instruction ID: db5dee8f0725499c642f4fd1bfbf89aa767ea8c48f28f82d4e15a1d9589b6014
Opcode Fuzzy Hash: a88321ddf0ee8d9f18d4ea175bda8c6f0353f81c8d6f2df9b97beb9f48423345
Instruction Fuzzy Hash: FA118B75504280DFDB11CF14E9C4B25FBA2FB84314F28C6ADD8494B656C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 051DD006 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.623639665.00000000051DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 051DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_51dd000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fb63cb989930efde9e69150da000c528cb93922437e6f2d114c3f8b696c1a6
Instruction ID: ee0da364027fc473a4ba89164425491e1b4e1290099ea1da09e2eaf1854795d8
Opcode Fuzzy Hash: c7fb63cb989930efde9e69150da000c528cb93922437e6f2d114c3f8b696c1a6
Instruction Fuzzy Hash: 701177715097C08FDB12DF24D994B15BF71FB85214F2586EEC4858B592C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A10690 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad93562b8ae1aa2ec8db17f4efcf3c6d36c0892927b32011c3bb4d50a2d0c62
Instruction ID: dc0cda61337b3c8614d0687aceaa2a3ad7cb99549ca42b80c628ae9acd070b5e
Opcode Fuzzy Hash: 9ad93562b8ae1aa2ec8db17f4efcf3c6d36c0892927b32011c3bb4d50a2d0c62
Instruction Fuzzy Hash: E8F06D7490A388AFCB41DBA8EC55A9D7FB4AF4A300F1541D6E844D73A2D2349A04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05A10874 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5711f397ea4c31c629116d55c52f296e914ddb0da11a9637da51db7c8b633e
Instruction ID: 393807d0824d9f7d8219def59136828b7f11304c9434e12ca2e18aee2b8bd14f
Opcode Fuzzy Hash: aa5711f397ea4c31c629116d55c52f296e914ddb0da11a9637da51db7c8b633e
Instruction Fuzzy Hash: 4DF04974909388DFCB45CFA8E849A9E7FB0FB0A300F1580EAD840D73A2D6349A44CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A10F30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3785a6ca33c706deaffc86211c1fae4f6ee8fb276858c60ff5c0ec007210645d
Instruction ID: 17329d2e6381edea81facb32a4164e80c1030b82dae3dbe08a6e8574e52e086b
Opcode Fuzzy Hash: 3785a6ca33c706deaffc86211c1fae4f6ee8fb276858c60ff5c0ec007210645d
Instruction Fuzzy Hash: 21F0127140E3849FC7068774AC2575E7F74AF43305F1941DAD48097293C6345A58CB66

Uniqueness

Uniqueness Score: -1.00%

Function 05A106E8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b5173183fb155ab52580e09aaf11be7912066fd92d374afbd1fb17cb7f3c15
Instruction ID: 44bc9e2b0da654945d71f9374a8d2f8f8ba4cd669399c965d19e227a56fad046
Opcode Fuzzy Hash: 54b5173183fb155ab52580e09aaf11be7912066fd92d374afbd1fb17cb7f3c15
Instruction Fuzzy Hash: 7CE06D6140E3848FC7039BB09A257583F30EF43200B1942DBC444CB192DA341D08D72A

Uniqueness

Uniqueness Score: -1.00%

Function 05A106B0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2800cef962f53316167978f98e310e779e1e92c60a200207eae0f05494a7e6b
Instruction ID: a45d6fbe8c1c6342c97fe11f4a314d9fab938bc9e382cc3c9aec0d1519b8c914
Opcode Fuzzy Hash: c2800cef962f53316167978f98e310e779e1e92c60a200207eae0f05494a7e6b
Instruction Fuzzy Hash: 72E0E574D05208AFCB40DFA9E54569DBFF0FF48300F2081EAD81497360D6749A40DF54

Uniqueness

Uniqueness Score: -1.00%

Function 05A10890 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61daa327766e50aec72e6360d2fd608e7de8176a6ec37b54550c43fb041f79d6
Instruction ID: e0c1841124659d4cb97046d2f2605fa89706093c965662a017511408953ea3e0
Opcode Fuzzy Hash: 61daa327766e50aec72e6360d2fd608e7de8176a6ec37b54550c43fb041f79d6
Instruction Fuzzy Hash: 13E0E574E15208EFCB44DFA8E448A9DBBF0FB48300F2081A9D81497350D7319A40CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05A10F50 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec908109a70349227f1be0a6733cb90d64b83e9087f303bfadae9d424ddfa48
Instruction ID: 4730203046693a069b34a71cb8064d026d70522d70836eff1496dc1de12fc948
Opcode Fuzzy Hash: fec908109a70349227f1be0a6733cb90d64b83e9087f303bfadae9d424ddfa48
Instruction Fuzzy Hash: BBD017B080A2189BCB059BB5A41666DBFB4BB42301F6041A9D80426380CB711A94DA99

Uniqueness

Uniqueness Score: -1.00%

Function 05A10708 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.627244743.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5a10000_identity_helper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311ebebc3db507f63185423cccd44d43f80a5f2c242a56f6a4749ee21cad04fe
Instruction ID: ea0a37eaff4eeb480cf8eba9729eb958360313ef9d0c379a4907080840207556
Opcode Fuzzy Hash: 311ebebc3db507f63185423cccd44d43f80a5f2c242a56f6a4749ee21cad04fe
Instruction Fuzzy Hash: D9C0127051610C9BCF04EBE9E405B5E7B78FB01314F1002ADD80413280EF711D40DA99

Uniqueness

Uniqueness Score: -1.00%

Source: Traffic	Snort IDS: 2849814 ETPRO MALWARE TakeMyFile User-Agent 192.168.2.3:49698 -> 54.198.235.9:80
Source: Traffic	Snort IDS: 2849813 ETPRO MALWARE TakeMyFile Installer Checkin 192.168.2.3:49698 -> 54.198.235.9:80

Source: shiED5F.tmp.2.dr	String found in binary or memory: http://.css
Source: shiED5F.tmp.2.dr	String found in binary or memory: http://.jpg
Source: identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://20.165.170.228
Source: identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://20.165.170.228/MARA01/index.php
Source: identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://20.165.170.228/MARA01/index.php?VS=MARA01&PL=NAO
Source: identity_helper.exe, 00000003.00000002.627526421.00000000074CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://20.165.170.2284
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr	String found in binary or memory: http://collect.installeranalytics.com
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shiED5F.tmp.2.dr	String found in binary or memory: http://html4/loose.dtd
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: identity_helper.exe, 00000003.00000002.627526421.00000000074A1000.00000004.00000800.00020000.00000000.sdmp, identity_helper.exe, 00000004.00000002.627493890.0000000007381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: shiED5F.tmp.2.dr	String found in binary or memory: https://HTTP/1.1
Source: identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amxx1515cabreun23.asxo
Source: identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amxx1515cabreun23.asxo/
Source: identity_helper.exe, 00000003.00000002.627526421.00000000075E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://amxx1515cabreun23.asxo4
Source: Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr	String found in binary or memory: https://collect.installeranalytics.com
Source: Fatrr_UewhcWF.msi, MSI2BD9.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: msiexec.exe	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/brrrrvaila.appspot.com/o/mar
Source: identity_helper.exe, 00000003.00000000.391646114.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000002.622394030.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000000.408427765.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe.2.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: identity_helper.exe, 00000003.00000000.391646114.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000003.00000002.622419330.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000002.622394030.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe, 00000004.00000000.408427765.00000000010BD000.00000002.00000001.01000000.00000003.sdmp, identity_helper.exe.2.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Fatrr_UewhcWF.msi, MSIEC77.tmp.1.dr, MSI2BD9.tmp.1.dr, MSIED15.tmp.1.dr, MSIEB4C.tmp.1.dr, 48e8fa.msi.1.dr, MSIF268.tmp.1.dr, MSIF034.tmp.1.dr, MSIEFD5.tmp.1.dr, MSIEC76.tmp.1.dr, MSIF1FA.tmp.1.dr, MSIECE5.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 20.165.170.228
Source: unknown	TCP traffic detected without corresponding DNS query: 20.165.170.228
Source: unknown	TCP traffic detected without corresponding DNS query: 20.165.170.228
Source: unknown	TCP traffic detected without corresponding DNS query: 20.165.170.228
Source: unknown	TCP traffic detected without corresponding DNS query: 20.165.170.228

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fatrr_UewhcWF.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Documents\OgtQTC.zip

C:\Users\Public\Documents\identity_helper.exe

C:\Users\Public\Documents\msedge_elf.dll

C:\Users\user\AppData\Local\AdvinstAnalytics\649abc180e6ce9401d6e81cf\7.8.6.7\tracking.ini

C:\Users\user\AppData\Local\AdvinstAnalytics\649abc180e6ce9401d6e81cf\7.8.6.7\{FA015603-7D74-4142-8F3D-91E0218EBBFB}.session

C:\Users\user\AppData\Local\Temp\shiED5F.tmp

C:\Users\user\AppData\Local\Temp\shiEE2B.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\zino.ps1

C:\Windows\Installer\48e8fa.msi

C:\Windows\Installer\MSI2BD9.tmp

C:\Windows\Installer\MSIEB4C.tmp

C:\Windows\Installer\MSIEC76.tmp

C:\Windows\Installer\MSIEC77.tmp

C:\Windows\Installer\MSIECE5.tmp

C:\Windows\Installer\MSIED15.tmp

C:\Windows\Installer\MSIEFD5.tmp

Windows Analysis Report
Fatrr_UewhcWF.msi

Function 01069290 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 389
COMMON

Function 01068830 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 366
COMMON

Function 01073E90 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 574
COMMON

Function 0106A330 Relevance: 6.6, APIs: 4, Instructions: 560
COMMON

Function 01075A70 Relevance: 37.7, APIs: 30, Instructions: 171
sleepmemoryCOMMON

Function 01076160 Relevance: 12.2, APIs: 1, Strings: 7, Instructions: 193
COMMON

Function 01075CE0 Relevance: 10.2, APIs: 8, Instructions: 203
COMMON

Function 01075FD0 Relevance: 9.2, APIs: 6, Instructions: 208
COMMON

Function 01075DA0 Relevance: 7.8, APIs: 6, Instructions: 250
COMMON

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre